
{
"authors": [
"Cisco Talos",
"raw-data"
],
"category": "Cryptominers",
"description": "A list of cryptominer and cryptojacker malware.",
"name": "Cryptominers",
"source": "Open Source Intelligence",
"type": "cryptominers",
"uuid": "d7dd3f0c-de73-4148-a786-f8ad3661d293",
"values": [
{
"description": "The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and EternalBlue.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html",
"https://success.trendmicro.com/solution/000261916",
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3697/spammers-use-covid19-to-spread-lemon-duck-cryptominer",
"https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/"
],
"synonyms": [],
"type": [
"cryptojacker"
]
},
"uuid": "fa9cbe22-0ef7-4fbd-8a33-ce395eaa6df9",
"value": "Lemon Duck"
},
{
"description": "WannaMine is a cryptojacker that takes advantage of EternalBlue.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/?utm_campaign=dsa&utm_content=us&utm_medium=sem&utm_source=goog&utm_term=&gclid=EAIaIQobChMIjrayysrX7AIVFUWGCh3sQApKEAAYASAAEgIE6_D_BwE",
"https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/",
"https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry"
],
"synonyms": [],
"type": [
"cryptojacker"
]
},
"uuid": "20e563b0-f0c9-4253-aedd-a4542d6689ed",
"value": "WannaMine"
},
{
"description": "Blue Mockingbird Cryptominer is a crypto-mining payload contained within DLLs on Windows systems.",
"meta": {
"refs": [
"https://redcanary.com/blog/blue-mockingbird-cryptominer/"
]
},
"uuid": "3dd091c9-608f-44d6-ac0c-5dfdf9bb4518",
"value": "Blue Mockingbird Cryptominer"
},
{
"description": "The Krane malware uses SSH brute-force techniques to drop the XMRig cryptominer on the target to mine for the Hashvault pool.",
"meta": {
"refs": [
"https://cujo.com/threat-alert-krane-malware/"
]
},
"uuid": "a0c0ab05-c390-425c-9311-f64bf7ca9145",
"value": "Krane"
},
{
"description": "“Hezb” (a name derived from command-line artifact data) was observed alongside Kinsing. This malware is relatively new and was recently reported in late May exploiting the WSO2 RCE (CVE-2022-29464) in the wild. Several malware components were observed, the first of which was an XMRig miner installed as “Hezb”. Additional modules included a polkit exploit for privilege escalation as well as a zero-detection ELF payload named “kik”.",
"meta": {
"refs": [
"https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
]
},
"uuid": "428bbf01-7756-48a2-848d-6bca3997f1df",
"value": "Hezb"
}
],
"version": 3
}