misp-galaxy/clusters/botnet.json

1409 lines
59 KiB
JSON
Raw Permalink Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

{
"authors": [
"Various"
],
"category": "tool",
"description": "botnet galaxy",
"name": "Botnet",
"source": "MISP Project",
"type": "botnet",
"uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
"values": [
{
"description": "A new botnet appeared over the weekend, and it's targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.\n\nThe botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system's native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system's most sensitive features.\n\nOnly devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360's Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which the named ADB.miner.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/"
]
},
"uuid": "6d7fc046-61c8-4f4e-add9-eebe5b5f4f69",
"value": "ADB.miner"
},
{
"description": "Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.",
"meta": {
"date": "2004",
"refs": [
"https://en.wikipedia.org/wiki/Bagle_(computer_worm)"
],
"synonyms": [
"Beagle",
"Mitglieder",
"Lodeight"
]
},
"related": [
{
"dest-uuid": "f09af1cc-cf9d-499a-9026-e783a3897508",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d530ea76-9bbc-4276-a2e3-df04e0e5a14c",
"value": "Bagle"
},
{
"description": "Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Botnet"
],
"synonyms": [
"Damon Briant",
"BOB.dc",
"Cotmonger",
"Hacktool.Spammer",
"Kraken"
]
},
"related": [
{
"dest-uuid": "e721809b-2785-4ce3-b95a-7fde2762f736",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7296f769-9bb7-474d-bbc7-5839f71d052a",
"value": "Marina Botnet"
},
{
"description": "Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data hajimeon the computer, and can perform man-in-the-browser attacks.",
"meta": {
"date": "2005",
"refs": [
"https://en.wikipedia.org/wiki/Torpig"
],
"synonyms": [
"Sinowal",
"Anserin"
]
},
"related": [
{
"dest-uuid": "ad5bcaef-1a86-4cc7-8f2e-32306b995018",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "415a3667-4ac4-4718-a6ea-617540a4abb1",
"value": "Torpig"
},
{
"description": "The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of \"zombie\" computers (or \"botnet\") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as \"230 dead as storm batters Europe,\" giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.",
"meta": {
"date": "2007",
"refs": [
"https://en.wikipedia.org/wiki/Storm_botnet"
],
"synonyms": [
"Nuwar",
"Peacomm",
"Zhelatin",
"Dorf",
"Ecard"
]
},
"uuid": "74ebec0c-6db3-47b9-9879-0d125e413e76",
"value": "Storm"
},
{
"meta": {
"date": "2006",
"refs": [
"https://en.wikipedia.org/wiki/Rustock_botnet"
],
"synonyms": [
"RKRustok",
"Costrat"
]
},
"related": [
{
"dest-uuid": "76e98e04-0ab7-4000-80ee-7bcbcf9c110d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9bca63cc-f0c7-4704-9c5f-b5bf473a9b43",
"value": "Rustock"
},
{
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Donbot_botnet"
],
"synonyms": [
"Buzus",
"Bachsoy"
]
},
"related": [
{
"dest-uuid": "69a3e0ed-1727-4a9c-ae21-1e32322ede93",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "27a7fd9b-ec9a-4f4a-b3f5-a3b81c71970a",
"value": "Donbot"
},
{
"description": "The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo.] It affects computers running Microsoft Windows. related to: Wigon, Pushdo",
"meta": {
"date": "2007",
"refs": [
"https://en.wikipedia.org/wiki/Cutwail_botnet"
],
"synonyms": [
"Pandex",
"Mutant"
]
},
"related": [
{
"dest-uuid": "9e8655fc-5bba-4efd-b3c0-db89ee2e0e0b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "35e25aad-7c39-4a1d-aa17-73fa638362e8",
"value": "Cutwail"
},
{
"description": "Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.",
"meta": {
"date": "2007",
"refs": [
"https://en.wikipedia.org/wiki/Akbot"
]
},
"related": [
{
"dest-uuid": "ac2ff27d-a7cb-46fe-ae32-cfe571dc614d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6e1168e6-7768-4fa2-951f-6d6934531633",
"value": "Akbot"
},
{
"description": "Srizbi BotNet, considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.",
"meta": {
"date": "March 2007",
"refs": [
"https://en.wikipedia.org/wiki/Srizbi_botnet"
],
"synonyms": [
"Cbeplay",
"Exchanger"
]
},
"uuid": "6df98396-b52a-4f84-bec2-0060bc46bdbf",
"value": "Srizbi"
},
{
"description": "The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.",
"meta": {
"date": "2008",
"refs": [
"https://en.wikipedia.org/wiki/Lethic_botnet"
]
},
"related": [
{
"dest-uuid": "342f5c56-861c-4a06-b5db-85c3c424f51f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a73e150f-1431-4f72-994a-4000405eff07",
"value": "Lethic"
},
{
"meta": {
"refs": [
"https://krebsonsecurity.com/tag/xarvester/"
],
"synonyms": [
"Rlsloup",
"Pixoliz"
]
},
"uuid": "e965dd3a-bfd9-4c88-b7a5-a8fc328ac859",
"value": "Xarvester"
},
{
"description": "Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.",
"meta": {
"date": "2008",
"refs": [
"https://en.wikipedia.org/wiki/Sality"
],
"synonyms": [
"Sector",
"Kuku",
"Sality",
"SalLoad",
"Kookoo",
"SaliCode",
"Kukacka"
]
},
"related": [
{
"dest-uuid": "cf752563-ad8a-4286-b2b3-9acf24a0a09a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6fe5f49d-48b5-4dc2-92f7-8c94397b9c96",
"value": "Sality"
},
{
"description": "The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the \"Butterfly (mariposa in Spanish) Bot\", making it one of the largest known botnets.",
"meta": {
"date": "2008",
"refs": [
"https://en.wikipedia.org/wiki/Mariposa_botnet"
]
},
"uuid": "f4878385-c6c7-4f6b-8637-08146841d2a2",
"value": "Mariposa"
},
{
"description": "Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.",
"meta": {
"date": "November 2008",
"refs": [
"https://en.wikipedia.org/wiki/Conficker"
],
"synonyms": [
"DownUp",
"DownAndUp",
"DownAdUp",
"Kido"
]
},
"related": [
{
"dest-uuid": "5f638985-49e1-4059-b2eb-f2ffa397b212",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ab49815e-8ba6-41ec-9f51-8a9587334069",
"value": "Conficker"
},
{
"description": "Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.",
"meta": {
"date": "November 2008",
"refs": [
"https://en.wikipedia.org/wiki/Waledac_botnet"
],
"synonyms": [
"Waled",
"Waledpak"
]
},
"uuid": "4e324956-3177-4c8f-b0b6-e3bc4c3ede2f",
"value": "Waledac"
},
{
"description": "A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.",
"meta": {
"refs": [
"https://www.symantec.com/connect/blogs/evaluating-botnet-capacity"
]
},
"uuid": "a461f744-ab52-4a78-85e4-aedca1303a4c",
"value": "Maazben"
},
{
"meta": {
"refs": [
"https://www.botnets.fr/wiki/OneWordSub"
]
},
"uuid": "4cc97d31-c9ab-4682-aae4-21dcbc02118f",
"value": "Onewordsub"
},
{
"description": "Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).",
"meta": {
"refs": [
"https://www.cert.pl/en/news/single/tofsee-en/"
],
"synonyms": [
"Tofsee",
"Mondera"
]
},
"related": [
{
"dest-uuid": "53e617fc-d71e-437b-a1a1-68b815d1ff49",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ca11e3f2-cda1-45dc-bed1-8708fa9e27a6",
"value": "Gheg"
},
{
"meta": {
"refs": [
"https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en"
]
},
"uuid": "ec9917f4-006b-4a32-9a58-c03b5c85abe4",
"value": "Nucrypt"
},
{
"meta": {
"refs": [
"https://www.botnets.fr/wiki.old/index.php/Wopla"
]
},
"uuid": "b2ec8e6b-414d-4d76-b51c-8ba3eee2918d",
"value": "Wopla"
},
{
"description": "The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.",
"meta": {
"date": "2008",
"refs": [
"https://en.wikipedia.org/wiki/Asprox_botnet"
],
"synonyms": [
"Badsrc",
"Aseljo",
"Danmec",
"Hydraflux"
]
},
"related": [
{
"dest-uuid": "ba557993-f64e-4538-8f13-dafaa3c0db00",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0d58f329-1356-468c-88ab-e21fbb64c02b",
"value": "Asprox"
},
{
"description": "Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machines processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.",
"meta": {
"refs": [
"http://www.root777.com/security/analysis-of-spam-thru-botnet/"
],
"synonyms": [
"Spam-DComServ",
"Covesmer",
"Xmiler"
]
},
"uuid": "3da8c2f9-dbbf-4825-9010-2261b2007d22",
"value": "Spamthru"
},
{
"description": "Gumblar is a malicious JavaScript trojan horse file that redirects a user's Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.",
"meta": {
"date": "2008",
"refs": [
"https://en.wikipedia.org/wiki/Gumblar"
]
},
"uuid": "5b83d0ac-3661-465e-b3ab-ca182d1eacad",
"value": "Gumblar"
},
{
"description": "The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.",
"meta": {
"date": "May 2009",
"refs": [
"https://en.wikipedia.org/wiki/Bredolab_botnet"
],
"synonyms": [
"Oficla"
]
},
"related": [
{
"dest-uuid": "b3ea33fd-eaa0-4bab-9bd0-12534c9aa987",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "65a30580-d542-4113-b00f-7fab98bd046c",
"value": "BredoLab"
},
{
"description": "The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world's 3rd largest botnet, responsible for 18% of worldwide spam traffic.",
"meta": {
"date": "2009",
"refs": [
"https://en.wikipedia.org/wiki/Grum_botnet"
],
"synonyms": [
"Tedroo",
"Reddyb"
]
},
"uuid": "a2a601db-2ae7-4695-ac0c-0a3ea8822356",
"value": "Grum"
},
{
"description": "The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Mega-D_botnet"
],
"synonyms": [
"Ozdok"
]
},
"uuid": "c12537fc-1de5-4d12-ae36-649f32919059",
"value": "Mega-D"
},
{
"description": "The Kraken botnet was the world's largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Kraken_botnet"
],
"synonyms": [
"Kracken"
]
},
"related": [
{
"dest-uuid": "7296f769-9bb7-474d-bbc7-5839f71d052a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e721809b-2785-4ce3-b95a-7fde2762f736",
"value": "Kraken"
},
{
"description": "The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.",
"meta": {
"date": "August 2009",
"refs": [
"https://en.wikipedia.org/wiki/Festi_botnet"
],
"synonyms": [
"Spamnost"
]
},
"uuid": "b76128e3-cea5-4df8-8d23-d9f3305e5a14",
"value": "Festi"
},
{
"description": "Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.",
"meta": {
"date": "March 2010",
"refs": [
"https://en.wikipedia.org/wiki/Vulcanbot"
]
},
"uuid": "dfd17a50-65df-4ddc-899e-1052e5001a1f",
"value": "Vulcanbot"
},
{
"meta": {
"date": "January 2010",
"synonyms": [
"LowSecurity",
"FreeMoney",
"Ring0.Tools"
]
},
"uuid": "533e3474-d08d-4d02-8adc-3765750dd3a3",
"value": "LowSec"
},
{
"description": "Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system's network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015,triggered these crashes by breaking assumptions made by the malware author(s).",
"meta": {
"date": "2010",
"refs": [
"https://en.wikipedia.org/wiki/Alureon#TDL-4"
],
"synonyms": [
"TDSS",
"Alureon"
]
},
"related": [
{
"dest-uuid": "ad4e6779-59a6-4ad6-98de-6bd871ddb271",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "61a17703-7837-4cc9-b022-b5ed6b30efc1",
"value": "TDL4"
},
{
"description": "Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Zeus_(malware)"
],
"synonyms": [
"Zbot",
"ZeuS",
"PRG",
"Wsnpoem",
"Gorhax",
"Kneber"
]
},
"related": [
{
"dest-uuid": "0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4e8c1ab7-2841-4823-a5d1-39284fb0969a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
"value": "Zeus"
},
{
"description": "The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.",
"meta": {
"date": "2010",
"refs": [
"https://en.wikipedia.org/wiki/Kelihos_botnet"
],
"synonyms": [
"Hlux"
]
},
"related": [
{
"dest-uuid": "7d69892e-d582-4545-8798-4a9a84a821ea",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "07b10419-e8b5-4b5f-a179-77fc9b127dc6",
"value": "Kelihos"
},
{
"description": "Ramnit is a Computer worm affecting Windows users. It was estimated that it infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec securities in 2015. In 2015, this infection was estimated at 3 200 000 PCs.",
"meta": {
"date": "2011",
"refs": [
"https://en.wikipedia.org/wiki/Botnet"
]
},
"related": [
{
"dest-uuid": "7e2288ec-e7d4-4833-9245-a2bc5ae40ee2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "542161c0-47a4-4297-baca-5ed98386d228",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8ed81090-f098-4878-b87e-2d801b170759",
"value": "Ramnit"
},
{
"meta": {
"date": "2013",
"synonyms": [
"Fib3rl0g1c",
"Zer0n3t",
"Zer0Log1x"
]
},
"uuid": "417c36fb-fff7-40df-8387-07169113b9b4",
"value": "Zer0n3t"
},
{
"description": "The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).",
"meta": {
"date": "2012",
"refs": [
"https://en.wikipedia.org/wiki/Chameleon_botnet"
]
},
"uuid": "3084cd06-e415-4ff0-abd0-cf8fbf67c53c",
"value": "Chameleon"
},
{
"description": "Mirai (Japanese for \"the future\", 未来) is a malware that turns networked devices running Linux into remotely controlled \"bots\" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.",
"meta": {
"date": "August 2016",
"refs": [
"https://en.wikipedia.org/wiki/Mirai_(malware)",
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/",
"https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/",
"https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/"
]
},
"related": [
{
"dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"value": "Mirai"
},
{
"description": "XOR DDOS is a Linux trojan used to perform large-scale DDoS",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Xor_DDoS"
]
},
"uuid": "5485d149-79b5-451e-b48c-a020eced3515",
"value": "XorDDoS"
},
{
"description": "According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/",
"https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant"
],
"synonyms": [
"Okiru"
]
},
"related": [
{
"dest-uuid": "1ad4697b-3388-48ed-8621-85abebf5dbbf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "9e5d83a8-1181-43fe-a77f-28c8c75ffbd0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e77cf495-632a-4459-aad1-cdf29d73683f",
"value": "Satori"
},
{
"meta": {
"date": "April 2017"
},
"related": [
{
"dest-uuid": "837c5618-69dc-4817-8672-b3d7ae644f5c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3d7c771b-b175-41c9-8ba1-904ef29715fa",
"value": "BetaBot"
},
{
"description": "Hajime (meaning beginning in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown.\nIt is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existance was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/",
"https://en.wikipedia.org/wiki/Hajime_(malware)",
"https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/"
]
},
"related": [
{
"dest-uuid": "ff8ee85f-4175-4f5a-99e5-0cbc378f1489",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "383fd414-3805-11e8-ac12-c7b5af38ff67",
"value": "Hajime"
},
{
"description": "The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.\nAt the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware.\nCrooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online.\nThe Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/big-iot-botnet-starts-large-scale-exploitation-of-drupalgeddon-2-vulnerability/"
]
},
"uuid": "8364b00c-46c6-11e8-a78e-9bcc5609574f",
"value": "Muhstik"
},
{
"description": "Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise.\nThis is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device.\nThe reset operation flushed the device's flash memory, where the device would keep all its working data, including IoT malware strains.\nBut today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices.\nBy placing itself in this menu, the device's OS will automatically start the malware's process after the next reboot.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/",
"https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/",
"https://www.bleepingcomputer.com/news/security/hide-and-seek-botnet-adds-infection-vector-for-android-devices/"
],
"synonyms": [
"HNS",
"Hide 'N Seek"
]
},
"related": [
{
"dest-uuid": "41bf8f3e-bb6a-445d-bb74-d08aae61a94b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "cdf1148c-5358-11e8-87e5-ab60d455597f",
"value": "Hide and Seek"
},
{
"description": "Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.",
"meta": {
"refs": [
"https://thehackernews.com/2018/05/botnet-malware-hacking.html"
]
},
"uuid": "77a308b6-575d-11e8-89a9-3f6a2a9c08bb",
"value": "Mettle"
},
{
"description": "IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot. Author is called WICKED",
"meta": {
"date": "2018",
"refs": [
"https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html"
]
},
"related": [
{
"dest-uuid": "ec67f206-6464-48cf-a012-3cdfc1278488",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
"value": "Owari"
},
{
"description": "Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.",
"meta": {
"date": "2018",
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/brain-food-botnet-gives-website-operators-heartburn"
]
},
"uuid": "f293c553-8b03-40b3-a125-f9ae66a72d99",
"value": "Brain Food"
},
{
"description": "The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run command such as: download a file, update itself, visit a website and perform HTTP, SYN, UDP flooding",
"meta": {
"date": "2011",
"refs": [
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:MSIL/Pontoeb.J",
"http://dataprotectioncenter.com/general/are-you-beta-testing-malware/"
],
"synonyms": [
"N0ise"
]
},
"uuid": "bc60de19-27a5-4df8-a835-70781b923125",
"value": "Pontoeb"
},
{
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/"
],
"synonyms": [
"Trik Trojan"
]
},
"uuid": "c68d5e64-7485-11e8-8625-2b14141f0501",
"value": "Trik Spam Botnet"
},
{
"meta": {
"refs": [
"https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml"
],
"synonyms": [
"Mad Max"
]
},
"related": [
{
"dest-uuid": "d3d56dd0-3409-470a-958b-a865fdd158f9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7a6fcec7-3408-4371-907b-cbf8fc931b66",
"value": "Madmax"
},
{
"meta": {
"refs": [
"https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/"
]
},
"related": [
{
"dest-uuid": "b39ffc73-db5f-4a8a-acd2-bee958d69155",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "94d12a03-6ae8-4006-a98f-80c15e6f95c0",
"value": "Pushdo"
},
{
"meta": {
"refs": [
"https://www.us-cert.gov/ncas/alerts/TA15-105A"
]
},
"related": [
{
"dest-uuid": "467ee29c-317f-481a-a77c-69961eb88c4d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "347e7a64-8ee2-487f-bcb3-ca7564fa836c",
"value": "Simda"
},
{
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Virut"
]
},
"related": [
{
"dest-uuid": "2e99f27c-6791-4695-b88b-de4d4cbda8d6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "cc1432a1-6580-4338-b119-a43236528ea1",
"value": "Virut"
},
{
"meta": {
"refs": [
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions"
]
},
"uuid": "49b13880-9baf-4ae0-9171-814094b03d89",
"value": "Beebone"
},
{
"meta": {
"refs": [
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital",
"https://www.symantec.com/security-center/writeup/2010-070108-5941-99"
],
"synonyms": [
"Mdrop-CSK",
"Agent-OCF"
]
},
"uuid": "07815089-e2c6-4084-9a62-3ece7210f33f",
"value": "Bamital"
},
{
"description": "Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWalls Global Management System (GMS).",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/",
"https://www.symantec.com/security-center/writeup/2014-100222-5658-99"
],
"synonyms": [
"Bashlite"
]
},
"related": [
{
"dest-uuid": "5fe338c6-723e-43ed-8165-43d95fa93689",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "81917a93-6a70-4334-afe2-56904c1fafe9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "40795af6-b721-11e8-9fcb-570c0b384135",
"value": "Gafgyt"
},
{
"description": "Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year.Initial versions were nothing out of the ordinary, and Sora's original author soon moved on to developing the Mirai Owari version, shortly after Sora's creation.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/"
],
"synonyms": [
"Mirai Sora"
]
},
"related": [
{
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56",
"value": "Sora"
},
{
"description": " we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.",
"meta": {
"refs": [
"https://blog.avast.com/new-torii-botnet-threat-research",
"https://www.bleepingcomputer.com/news/security/new-iot-botnet-torii-uses-six-methods-for-persistence-has-no-clear-purpose/"
]
},
"related": [
{
"dest-uuid": "a874575e-0ad7-464d-abb6-8f4b7964aa92",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "92f38212-94e2-4d70-9b5e-e977eb1e7b79",
"value": "Torii"
},
{
"description": "A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/"
]
},
"related": [
{
"dest-uuid": "2ee05352-3d4a-448b-825d-9d6c10792bf7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e3e91fe2-c7ce-11e8-8e85-6bc15cd2a63c",
"value": "Persirai"
},
{
"description": "Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots were calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.",
"meta": {
"refs": [
"https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/"
]
},
"uuid": "f387e30a-dc48-11e8-b9f4-370bc63008bf",
"value": "Chalubo"
},
{
"description": "Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/"
]
},
"uuid": "809d100b-d46d-40f4-b498-5371f46bb9d6",
"value": "AESDDoS"
},
{
"description": "A set of DDoS botnet.",
"meta": {
"synonyms": [
"Katura",
"MyraV",
"myra"
]
},
"uuid": "e23d0f90-6dc5-46a5-b38d-06f176b7c601",
"value": "Arceus"
},
{
"description": "Mozi infects new devices through weak telnet passwords and exploitation.",
"meta": {
"refs": [
"https://blog.netlab.360.com/mozi-another-botnet-using-dht/",
"https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/",
"https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/"
]
},
"uuid": "ea2906a5-d493-4afa-b770-436c0c246c78",
"value": "Mozi"
},
{
"description": "UPAS-Kit was advertised by auroras a/k/a vinny in middle of june 2012 via exploit.in. Upas is the predecessor of Kronos. Marcus Hutchins helped create and, in partnership with another, sell malicious computer code, a/k/a malware, known as UPAS-Kit.",
"meta": {
"refs": [
"https://research.checkpoint.com/2018/deep-dive-upas-kit-vs-kronos/",
"https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html",
"https://web.archive.org/web/20130120062602/http://onthar.in/articles/upas-kit-analysis/",
"https://regmedia.co.uk/2019/04/19/plea.pdf"
],
"synonyms": [
"Rombrast"
]
},
"uuid": "099223a1-4a6e-4024-8e48-dbe199ec7244",
"value": "UPAS-Kit"
},
{
"description": "Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex"
],
"synonyms": [
"Trik"
]
},
"uuid": "26339b2e-7d82-4844-a9f0-81b0dd85e37c",
"value": "Phorpiex"
},
{
"description": "First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).",
"meta": {
"refs": [
"https://twitter.com/JiaYu_521/status/1204248344043778048",
"https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/",
"https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/",
"https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/",
"https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/",
"https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/",
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg"
]
},
"related": [
{
"dest-uuid": "5c42585b-ea92-4fe2-8a79-bb47a3df67ad",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "25a745c8-0d2a-40e1-9bb2-3704d1bd49e3",
"value": "DDG"
},
{
"description": "A multi-component botnet targeting Windows Computer. Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, deploy and operate proxy components targeting Windows systems and IoT devices. The botnet has been observed targeting victims worldwide, including the US, India, Brazil and Southeast Asia. The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS).",
"meta": {
"refs": [
"https://blog.google/threat-analysis-group/disrupting-glupteba-operation/"
]
},
"uuid": "37c5d3ad-9057-4fcb-9fb3-4f7e5377a304",
"value": "Glupteba"
},
{
"description": "DDoS Botnet",
"meta": {
"refs": [
"https://www.virusbulletin.com/conference/vb2016/abstracts/elknot-ddos-botnets-we-watched",
"https://www.virusbulletin.com/uploads/pdf/conference_slides/2016/Liu_Wang-vb-2016-TheElknotDDoSBotnetsWeWatched.pdf"
],
"synonyms": [
"Linux/BillGates",
"BillGates"
]
},
"uuid": "98392af9-d4a4-4e63-aded-f802a0fa6ef7",
"value": "Elknot"
},
{
"description": "Advanced modular botnet that is reportedly linked to the Sandworm or Voodoo Bear advanced persistent threat (APT) group.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-054a"
]
},
"uuid": "b184c123-6d3e-4152-8c2e-72e3e61d2f5a",
"value": "Cyclops Blink"
},
{
"description": "Botnet",
"meta": {
"refs": [
"https://blog.netlab.360.com/abcbot_an_evolving_botnet_en"
]
},
"uuid": "bcc60155-e824-4adb-a906-eec43c2d1ae8",
"value": "Abcbot"
},
{
"description": "Botnet",
"meta": {
"refs": [
"https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days"
]
},
"uuid": "3e40c1af-51f5-4b02-b189-74567125c6e0",
"value": "Ripprbot"
},
{
"description": "In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.\n\nThis botnet is mainly derived from Gafgyts source code but has been observed to borrow several modules from Mirais original source code.\n\nIt uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.\n\nEnemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.",
"meta": {
"refs": [
"https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/",
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot",
"https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
"https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers"
]
},
"related": [
{
"dest-uuid": "262d18be-7cab-46c2-bcb0-47fff17604aa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "40795af6-b721-11e8-9fcb-570c0b384135",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908",
"value": "EnemyBot"
},
{
"description": "Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.",
"meta": {
"refs": [
"https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf",
"https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html",
"https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/"
],
"synonyms": [
"QakBot",
"Pinkslipbot"
]
},
"related": [
{
"dest-uuid": "c4417bfb-717f-48d9-bd56-bc9e85d07c19",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "dropped"
},
{
"dest-uuid": "9db5f425-fe49-4137-8598-840e7290ed0f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
"value": "Qbot"
},
{
"description": "This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.",
"meta": {
"refs": [
"https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
]
},
"related": [
{
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "505c6a54-a701-4a4b-85d4-0f2038b7b46a",
"value": "Dark.IoT"
},
{
"description": "Akamai Security Research has observed a new golang malware which they named KmsdBot. The malware scans for open SSH ports and performs a simple dictionary attack against it. The researchers from Akamai monitored only DDoS activity, but discovered also the functionality to launch cryptomining. The malware has varied targets including the gaming industry, technology industry, and luxury car manufacturers.",
"meta": {
"refs": [
"https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware"
]
},
"uuid": "b6919400-9b16-48ae-8379-fab26a506e32",
"value": "KmsdBot"
}
],
"version": 30
}