misp-galaxy/clusters/rat.json
{
"name": "RAT",
"type": "rat",
"source": "MISP Project",
"authors": [
"Various"
],
"description": "A remote administration tool or remote access tool (RAT), sometimes also called a remote access trojan, is a piece of software that allows a remote \"operator\" to control a system as if they had physical access to that system.",
"uuid": "312f8714-45cb-11e7-b898-135207cdceb9",
"version": 1,
"values": [
{
"meta": {
"refs": [
"https://www.teamviewer.com"
]
},
"description": "TeamViewer is a proprietary computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.",
"value": "TeamViewer"
},
{
"meta": {
"synonyms": [
"BO"
],
"refs": [
"http://www.cultdeadcow.com/tools/bo.html",
"http://www.symantec.com/avcenter/warn/backorifice.html"
]
},
"description": "Back Orifice (often shortened to BO) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location.",
"value": "Back Orifice"
},
{
"meta": {
"synonyms": [
"NetBus"
],
"refs": [
"http://www.symantec.com/avcenter/warn/backorifice.html",
"https://www.f-secure.com/v-descs/netbus.shtml"
]
},
"description": "NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor.",
"value": "Netbus"
},
{
"meta": {
"synonyms": [
"Poison Ivy",
"Backdoor.Win32.PoisonIvy",
"Gen:Trojan.Heur.PT"
],
"refs": [
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
"https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml"
]
},
"description": "Poison Ivy is a RAT which was freely available and first released in 2005.",
"value": "PoisonIvy"
},
{
"meta": {
"synonyms": [
"SubSeven",
"Sub7Server"
],
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2001-020114-5445-99"
]
},
"description": "Sub7, or SubSeven or Sub7Server, is a Trojan horse program. Its name was derived by spelling NetBus backwards (\"suBteN\") and swapping \"ten\" with \"seven\". Sub7 was created by Mobman. Mobman has not maintained or updated the software since 2004; however, an author known as Read101 has carried on the Sub7 legacy.",
"value": "Sub7"
},
{
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Beast_(Trojan_horse)"
]
},
"description": "Beast is a Windows-based backdoor trojan horse, more commonly known in the hacking community as a Remote Administration Tool or a \"RAT\". It is capable of infecting versions of Windows from 95 to 10.",
"value": "Beast Trojan"
},
{
"meta": {
"refs": [
"https://www.revolvy.com/main/index.php?s=Bifrost%20(trojan%20horse)&item_type=topic",
"http://malware-info.blogspot.lu/2008/10/bifrost-trojan.html"
]
},
"description": "Bifrost is a discontinued backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10 (although on modern Windows systems, after Windows XP, its functionality is limited). Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine (which runs the server whose behavior can be controlled by the server editor).",
"value": "Bifrost"
},
{
"meta": {
"refs": [
"https://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming/"
]
},
"description": "Blackshades is the name of a malicious trojan horse used by hackers to control computers remotely. The malware targets computers using Microsoft Windows-based operating systems. According to US officials, over 500,000 computer systems have been infected worldwide with the software.",
"value": "Blackshades"
},
{
"meta": {
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/",
"https://blogs.cisco.com/security/talos/darkkomet-rat-spam"
]
},
"description": "DarkComet is a Remote Administration Tool (RAT) which was developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from the United Kingdom. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012.",
"value": "DarkComet"
},
{
"meta": {
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2002-121116-0350-99"
]
},
"description": "Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. The detection is used for a family of Trojans that are produced by the Backdoor.Lanfiltrator generator.",
"value": "Lanfiltrator"
},
{
"meta": {
"refs": [
"http://lexmarket.su/thread-27692.html",
"https://www.nulled.to/topic/129749-win32hsidir-rat/"
]
},
"description": "Win32.HsIdir is an advanced remote administration tool written by the original author HS32-Idir; it continues a line of releases made since 2006 (Copyright © 2006-2010 HS32-Idir).",
"value": "Win32.HsIdir"
},
{
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Optix_Pro",
"https://www.symantec.com/security_response/writeup.jsp?docid=2002-090416-0521-99",
"https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20208"
]
},
"description": "Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K.",
"value": "Optix Pro"
},
{
"meta": {
"synonyms": [
"BO2k"
],
"refs": [
"https://en.wikipedia.org/wiki/Back_Orifice_2000",
"https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=10229",
"https://www.symantec.com/security_response/writeup.jsp?docid=2000-121814-5417-99",
"https://www.f-secure.com/v-descs/bo2k.shtml"
]
},
"description": "Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software. Back Orifice 2000 is a new version of the famous Back Orifice backdoor trojan (hacker's remote access tool). It was created by the Cult of the Dead Cow hacker group in July 1999. Originally, BO2K was released as a source code and utilities package on a CD-ROM. There are reports that some files on that CD-ROM were infected with the CIH virus, so the people who got that CD might get infected and spread not only the compiled backdoor, but also the CIH virus.",
"value": "Back Orifice 2000"
},
{
"meta": {
"synonyms": [
"VNC Connect",
"VNC Viewer"
],
"refs": [
"https://www.realvnc.com/"
]
},
"description": "The software consists of a server and client application for the Virtual Network Computing (VNC) protocol to control another ",
"value": "RealVNC"
},
{
"meta": {
"synonyms": [
"UNRECOM",
"UNiversal REmote COntrol Multi-Platform"
],
"refs": [
"https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf",
"https://www.f-secure.com/v-descs/backdoor_java_adwind.shtml"
]
},
"description": "Backdoor:Java/Adwind is a Java archive (.JAR) file that drops a malicious component onto the machine and runs as a backdoor. When active, it is capable of stealing user information and may also be used to distribute other malware.",
"value": "Adwind RAT"
},
{
"meta": {
"refs": [
"https://www.virustotal.com/en/file/b31812e5b4c63c5b52c9b23e76a5ea9439465ab366a9291c6074bfae5c328e73/analysis/1359376345/"
]
},
"value": "Albertino Advanced RAT"
},
{
"meta": {
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-112912-5237-99",
"http://blog.trendmicro.com/trendlabs-security-intelligence/tsunami-warning-leads-to-arcom-rat/"
]
},
"description": "The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00.",
"value": "Arcom"
},
{
"meta": {
"refs": [
"https://leakforums.net/thread-18123?tid=18123&&pq=1"
]
},
"description": "BlackNix is a RAT coded in Delphi.",
"value": "BlackNix"
},
{
"meta": {
"refs": [
"https://leakforums.net/thread-123872",
"https://techanarchy.net/2014/02/blue-banana-rat-config/"
]
},
"description": "Blue Banana is a RAT (Remote Administration Tool) written purely in Java.",
"value": "Blue Banana"
},
{
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"
]
},
"description": "Bozok, like many other popular RATs, is freely available. The author of the Bozok RAT goes by the moniker “Slayer616” and has created another RAT known as Schwarze Sonne, or “SS-RAT” for short. Both of these RATs are free and easy to find — various APT actors have used both in previous targeted attacks.",
"value": "Bozok"
},
{
"meta": {
"refs": [
"https://sinister.ly/Thread-ClientMesh-RAT-In-Built-FUD-Crypter-Stable-DDoSer-No-PortForwading-40-Lifetime",
"https://blog.yakuza112.org/2012/clientmesh-rat-v5-cracked-clean/"
]
},
"description": "ClientMesh is a Remote Administration Application which allows a user to control a number of client PCs from around the world.",
"value": "ClientMesh"
},
{
"meta": {
"refs": [
"http://www.hackersthirst.com/2011/03/cybergate-rat-hacking-facebook-twitter.html",
"http://www.nbcnews.com/id/41584097/ns/technology_and_science-security/t/cybergate-leaked-e-mails-hint-corporate-hacking-conspiracy/"
]
},
"description": "CyberGate is a powerful, fully configurable and stable Remote Administration Tool coded in Delphi that is continuously being developed. Using CyberGate, an operator can log the victim's passwords and also take screenshots of the victim's screen.",
"value": "CyberGate"
},
{
"meta": {
"refs": [
"http://meinblogzumtesten.blogspot.lu/2013/05/dark-ddoser-v56c-cracked.html"
]
},
"value": "Dark DDoSeR"
},
{
"meta": {
"synonyms": [
"DarkRAT"
],
"refs": [
"https://www.infosecurity-magazine.com/blogs/the-dark-rat/",
"http://darkratphp.blogspot.lu/"
]
},
"description": "In March 2017, Fujitsu Cyber Threat Intelligence uncovered a newly developed remote access tool, referred to by its developer as Dark RAT, used to steal sensitive information from victims. Offered as a Fully Undetectable (FUD) build, the RAT has a tiered price model including 24/7 support and an Android version. Android malware has seen a significant rise in interest, and in 2015 this resulted in the arrests of a number of suspects involved in the infamous DroidJack malware.",
"value": "DarkRat"
},
{
"meta": {
"refs": [
"https://sites.google.com/site/greymecompany/greame-rat-project"
]
},
"value": "Graeme"
},
{
"meta": {
"refs": [
"http://securityaffairs.co/wordpress/54837/hacking/one-stop-shop-hacking.html"
]
},
"description": "HawkEye is a popular RAT that can be used as a keylogger, it is also able to identify login events and record the destination, username, and password.",
"value": "HawkEye"
},
{
"meta": {
"refs": [
"https://www.rekings.com/shop/jrat/"
]
},
"description": "jRAT is a cross-platform remote administration tool coded in Java. Because it is written in Java, jRAT can run on all major operating systems, including Windows, Mac OS X and Linux distributions.",
"value": "jRAT"
},
{
"meta": {
"refs": [
"https://leakforums.net/thread-479505"
]
},
"description": "jSpy is a Java RAT.",
"value": "jSpy"
},
{
"meta": {
"refs": [
"http://lost-door.blogspot.lu/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/",
"https://www.cyber.nj.gov/threat-profiles/trojan-variants/lost-door-rat"
]
},
"description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites.",
"value": "Lost Door"
},
{
"meta": {
"refs": [
"https://leakforums.net/thread-284656"
]
},
"description": "Just saying that this is a very badly coded RAT by the biggest skid in this world, that is XilluX. The connection is very unstable, the GUI is always flickering because of the bad Multi-Threading and many more bugs.",
"value": "LuxNET"
},
{
"meta": {
"refs": [
"https://www.cyber.nj.gov/threat-profiles/trojan-variants/njrat"
]
},
"description": "NJRat is a remote access trojan (RAT), first spotted in June 2013 with samples dating back to November 2012. It was developed and is supported by Arabic speakers and mainly used by cybercrime groups against targets in the Middle East. In addition to targeting some governments in the region, the trojan is used to control botnets and conduct other typical cybercrime activity. It infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.",
"value": "NJRat"
},
{
"meta": {
"refs": [
"https://www.rekings.com/pandora-rat-2-2/"
]
},
"description": "Remote administration tool developed for the Windows operating system. With advanced features and a stable structure, Pandora is based on an advanced client/server architecture and was built using modern technology.",
"value": "Pandora"
},
{
"meta": {
"synonyms": [
"PredatorPain"
],
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/predator-pain-and-limitless-behind-the-fraud/",
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-predator-pain-and-limitless.pdf"
]
},
"description": "Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing only a few infected machines, but the design doesn't scale well when there are a lot of infected machines and logs involved.",
"value": "Predator Pain"
},
{
"meta": {
"refs": [
"http://punisher-rat.blogspot.lu/"
]
},
"description": "Remote administration tool",
"value": "Punisher RAT"
},
{
"meta": {
"refs": [
"https://www.rekings.com/spygate-rat-3-2/",
"https://www.symantec.com/security_response/attacksignatures/detail.jsp%3Fasid%3D27950",
"http://spygate-rat.blogspot.lu/"
]
},
"description": "This is a tool that allows you to control your computer from anywhere in the world, with full Unicode language support.",
"value": "SpyGate"
},
{
"meta": {
"synonyms": [
"SmallNet"
],
"refs": [
"http://small-net-rat.blogspot.lu/"
]
},
"description": "RAT",
"value": "Small-Net"
},
{
"meta": {
"refs": [
"https://www.rekings.com/vantom-rat/"
]
},
"description": "Vantom is a free RAT with good options that is very stable.",
"value": "Vantom"
},
{
"meta": {
"refs": [
"https://leakforums.net/thread-497480"
]
},
"description": "Xena RAT is a fully-functional, stable, state-of-the-art RAT coded in Delphi, a natively compiled language, and it has almost no dependencies.",
"value": "Xena"
},
{
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html"
]
},
"description": "This malware has been used in targeted attacks as well as traditional cybercrime. During our investigation we found that the majority of XtremeRAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware.",
"value": "XtremeRAT"
},
{
"meta": {
"refs": [
"https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data"
]
},
"description": "NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers.",
"value": "Netwire"
},
{
"meta": {
"refs": [
"https://www.volexity.com/blog/2017/03/23/have-you-been-haunted-by-the-gh0st-rat-today/"
]
},
"description": "Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks on Earth. It is a cyber spying computer program.",
"value": "Gh0st RAT"
},
{
"meta": {
"refs": [
"http://www.zunzutech.com/blog/security/analysis-of-plasma-rats-source-code/"
]
},
"description": "Plasma RAT's stub is fairly advanced, having many robust features. Some of the features include botkilling, cryptocurrency mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a botnet version of it (Plasma HTTP), which is pretty similar to the RAT version.",
"value": "Plasma RAT"
}
]
}