mirror of https://github.com/MISP/misp-galaxy
{
|
||
"values": [
|
||
{
|
||
"value": "PlugX",
|
||
"description": "Malware"
|
||
},
|
||
{
|
||
"value": "MSUpdater"
|
||
},
|
||
{
|
||
"value": "Poison Ivy",
|
||
"description": "Poison Ivy is a RAT which was freely available and first released in 2005.",
|
||
"refs": ["https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"]
|
||
},
|
||
{
|
||
"value": "SPIVY",
|
||
"description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.",
|
||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"]
|
||
},
|
||
{
|
||
"value": "Torn RAT"
|
||
},
|
||
{
|
||
"value": "ZeGhost"
|
||
},
|
||
{
|
||
"value": "Backdoor.Dripion",
|
||
"description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.",
|
||
"refs": ["http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan"],
|
||
"synonyms": ["Dripion"]
|
||
},
|
||
{
|
||
"value": "Elise Backdoor",
|
||
"synonyms": ["Elise"]
|
||
},
|
||
{
|
||
"value": "Trojan.Laziok",
|
||
"synonyms": ["Laziok"],
|
||
"refs": ["http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"],
|
||
"description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer."
|
||
},
|
||
{
|
||
"value": "Slempo",
|
||
"description": "Android-based malware",
|
||
"synonyms": ["GM-Bot", "Acecard"]
|
||
},
|
||
{
|
||
"value": "PWOBot",
|
||
"description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.",
|
||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"]
|
||
},
|
||
{
|
||
"value": "Lstudio"
|
||
},
|
||
{
|
||
"value": "Joy RAT"
|
||
},
|
||
{
|
||
"value": "Lost Door RAT",
|
||
"synonyms": ["LostDoor RAT"],
|
||
"description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
|
||
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"]
|
||
},
|
||
{
|
||
"value": "njRAT",
|
||
"synonyms": ["Bladabindi"],
|
||
"refs": ["http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"]
|
||
},
|
||
{
|
||
"value": "NanoCoreRAT",
|
||
"synonyms": ["NanoCore"],
|
||
"refs": ["http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter"]
|
||
},
|
||
{
|
||
"value": "Sakula",
|
||
"synonyms": ["Sakurel"]
|
||
},
|
||
{
|
||
"value": "Derusbi"
|
||
},
|
||
{
|
||
"value": "EvilGrab"
|
||
},
|
||
{
|
||
"value": "IEChecker"
|
||
},
|
||
{
|
||
"value": "Trojan.Naid"
|
||
},
|
||
{
|
||
"value": "Backdoor.Moudoor"
|
||
},
|
||
{
|
||
"value": "NetTraveler"
|
||
},
|
||
{
|
||
"value": "Winnti"
|
||
},
|
||
{
|
||
"value": "Mimikatz"
|
||
},
|
||
{
|
||
"value": "WEBC2"
|
||
},
|
||
{
|
||
"value": "Pirpi"
|
||
},
|
||
{
|
||
"value": "RARSTONE"
|
||
},
|
||
{
|
||
"value": "BACKSPACe"
|
||
},
|
||
{
|
||
"value": "XSControl"
|
||
},
|
||
{
|
||
"value": "NETEAGLE"
|
||
},
|
||
{
|
||
"value": "Agent.BTZ",
|
||
"synonyms": ["ComRat"]
|
||
},
|
||
{
|
||
"value": "Heseber BOT",
|
||
"description": "RAT bundle with standard VNC (to avoid/limit A/V detection)."
|
||
},
|
||
{
|
||
"value": "Agent.dne"
|
||
},
|
||
{
|
||
"value": "Wipbot"
|
||
},
|
||
{
|
||
"value": "Turla"
|
||
},
|
||
{
|
||
"value": "Uroburos"
|
||
},
|
||
{
|
||
"value": "Winexe"
|
||
},
|
||
{
|
||
"value": "Dark Comet",
|
||
"description": "RAT initially identified in 2011 and still actively used."
|
||
},
|
||
{
|
||
"value": "AlienSpy",
|
||
"description": "RAT for Apple OS X platforms"
|
||
},
|
||
{
|
||
"value": "Cadelspy",
|
||
"synonyms": ["WinSpy"]
|
||
},
|
||
{
|
||
"value": "CMStar",
|
||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"]
|
||
},
|
||
{
|
||
"value": "DHS2015",
|
||
"synonyms": ["iRAT"],
|
||
"refs": ["https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf"]
|
||
},
|
||
{
|
||
"value": "Gh0st Rat",
|
||
"description": "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.",
|
||
"synonyms": ["Gh0stRat", "GhostRat"],
|
||
"refs": ["http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf"]
|
||
},
|
||
{
|
||
"value": "Fakem RAT",
|
||
"description": "Fakem RAT makes its network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).",
|
||
"synonyms": ["FAKEM"],
|
||
"refs": ["http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf"]
|
||
},
|
||
{
|
||
"value": "MFC Huner",
|
||
"synonyms": ["Hupigon", "BKDR_HUPIGON"],
|
||
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/"]
|
||
},
|
||
{
|
||
"value": "Blackshades",
|
||
"description": "Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.",
|
||
"refs": ["https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection","https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/"]
|
||
},
|
||
{
|
||
"value": "CORESHELL"
|
||
},
|
||
{
|
||
"value": "CHOPSTICK"
|
||
},
|
||
{
|
||
"value": "SOURFACE"
|
||
},
|
||
{
|
||
"value": "OLDBAIT"
|
||
},
|
||
{
|
||
"value": "Havex RAT",
|
||
"synonyms": ["Havex"]
|
||
},
|
||
{
|
||
"value": "KjW0rm",
|
||
"description": "RAT initially written in VB.",
|
||
"refs": ["https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/"]
|
||
},
|
||
{
|
||
"value": "TinyTyphon"
|
||
},
|
||
{
|
||
"value": "Badnews"
|
||
},
|
||
{
|
||
"value": "LURK"
|
||
},
|
||
{
|
||
"value": "Oldrea"
|
||
},
|
||
{
|
||
"value": "AmmyAdmin"
|
||
},
|
||
{
|
||
"value": "Matryoshka"
|
||
},
|
||
{
|
||
"value": "TinyZBot"
|
||
},
|
||
{
|
||
"value": "GHOLE"
|
||
},
|
||
{
|
||
"value": "CWoolger"
|
||
},
|
||
{
|
||
"value": "FireMalv"
|
||
},
|
||
{
|
||
"value": "Regin"
|
||
},
|
||
{
|
||
"value": "Duqu"
|
||
},
|
||
{
|
||
"value": "Flame"
|
||
},
|
||
{
|
||
"value": "Stuxnet"
|
||
},
|
||
{
|
||
"value": "EquationLaser"
|
||
},
|
||
{
|
||
"value": "EquationDrug"
|
||
},
|
||
{
|
||
"value": "DoubleFantasy"
|
||
},
|
||
{
|
||
"value": "TripleFantasy"
|
||
},
|
||
{
|
||
"value": "Fanny"
|
||
},
|
||
{
|
||
"value": "GrayFish"
|
||
},
|
||
{
|
||
"value": "Babar"
|
||
},
|
||
{
|
||
"value": "Bunny"
|
||
},
|
||
{
|
||
"value": "Casper"
|
||
},
|
||
{
|
||
"value": "NBot"
|
||
},
|
||
{
|
||
"value": "Tafacalou"
|
||
},
|
||
{
|
||
"value": "Tdrop"
|
||
},
|
||
{
|
||
"value": "Troy"
|
||
},
|
||
{
|
||
"value": "Tdrop2"
|
||
},
|
||
{
|
||
"value": "ZXShell",
|
||
"synonyms": ["Sensode"],
|
||
"refs": ["http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html"]
|
||
},
|
||
{
|
||
"value": "T9000",
|
||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/"]
|
||
},
|
||
{
|
||
"value": "T5000",
|
||
"synonyms": ["Plat1"],
|
||
"refs": ["http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml"]
|
||
},
|
||
{
|
||
"value": "Taidoor",
|
||
"refs": ["http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks"]
|
||
},
|
||
{
|
||
"value": "Swisyn",
|
||
"refs": ["http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/"]
|
||
},
|
||
{
|
||
"value": "Rekaf",
|
||
"refs": ["https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"]
|
||
},
|
||
{
|
||
"value": "Scieron"
|
||
},
|
||
{
|
||
"value": "SkeletonKey",
|
||
"refs": ["http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/"]
|
||
},
|
||
{
|
||
"value": "Sykipot",
|
||
"refs": ["http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/"]
|
||
},
|
||
{
|
||
"value": "Spindest",
|
||
"refs": ["http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/"]
|
||
},
|
||
{
|
||
"value": "Preshin"
|
||
},
|
||
{
|
||
"value": "Rekaf",
|
||
"refs": ["https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"]
|
||
},
|
||
{
|
||
"value": "Oficla"
|
||
},
|
||
{
|
||
"value": "PCClient RAT",
|
||
"refs": ["http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/"]
|
||
},
|
||
{
|
||
"value": "Plexor"
|
||
},
|
||
{
|
||
"value": "Mongall",
|
||
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
|
||
},
|
||
{
|
||
"value": "NeD Worm",
|
||
"refs": ["http://www.clearskysec.com/dustysky/"]
|
||
},
|
||
{
|
||
"value": "NewCT",
|
||
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
|
||
},
|
||
{
|
||
"value": "Nflog",
|
||
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
|
||
},
|
||
{
|
||
"value": "Janicab",
|
||
"refs": ["http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/"]
|
||
},
|
||
{
|
||
"value": "Jripbot",
|
||
"synonyms": ["Jiripbot"],
|
||
"refs": ["http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"]
|
||
},
|
||
{
|
||
"value": "Jolob",
|
||
"refs": ["http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html"]
|
||
},
|
||
{
|
||
"value": "IsSpace",
|
||
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
|
||
},
|
||
{
|
||
"value": "Hoardy",
|
||
"synonyms": ["Hoarde", "Phindolp", "BS2005"]
|
||
},
|
||
{
|
||
"value": "Htran",
|
||
"refs": ["http://www.secureworks.com/research/threats/htran/"]
|
||
},
|
||
{
|
||
"value": "HTTPBrowser",
|
||
"synonyms": ["TokenControl"],
|
||
"refs": ["https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"]
|
||
},
|
||
{
|
||
"value": "Disgufa"
|
||
},
|
||
{
|
||
"value": "Elirks"
|
||
},
|
||
{
|
||
"value": "Snifula",
|
||
"synonyms": ["Ursnif"],
|
||
"refs": ["https://www.circl.lu/pub/tr-13/"]
|
||
},
|
||
{
|
||
"value": "Aumlib",
|
||
"synonyms": ["Yayih", "mswab", "Graftor"],
|
||
"refs": ["http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks"]
|
||
},
|
||
{
|
||
"value": "CTRat",
|
||
"refs": ["http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html"]
|
||
},
|
||
{
|
||
"value": "Emdivi",
|
||
"synonyms": ["Newsripper"],
|
||
"refs": ["http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan"]
|
||
},
|
||
{
|
||
"value": "Etumbot",
|
||
"synonyms": ["Exploz", "Specfix", "RIPTIDE"],
|
||
"refs": ["www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf"]
|
||
},
|
||
{
|
||
"value": "Fexel",
|
||
"synonyms": ["Loneagent"]
|
||
},
|
||
{
|
||
"value": "Fysbis",
|
||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"]
|
||
},
|
||
{
|
||
"value": "Hikit",
|
||
"refs": ["https://blog.bit9.com/2013/02/25/bit9-security-incident-update/"]
|
||
},
|
||
{
|
||
"value": "Hancitor",
|
||
"refs": ["https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear"],
|
||
"synonyms": ["Tordal","Chanitor"]
|
||
},
|
||
{
|
||
"value": "Ruckguv",
|
||
"refs": ["https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear"]
|
||
},
|
||
{
|
||
"value": "HerHer Trojan",
|
||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"]
|
||
},
|
||
{
|
||
"value": "Helminth backdoor",
|
||
"refs": ["http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"]
|
||
},
|
||
{
|
||
"value": "HDRoot",
|
||
"refs": ["http://williamshowalter.com/a-universal-windows-bootkit/"]
|
||
},
|
||
{
|
||
"value": "IRONGATE",
|
||
"refs": ["https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html"]
|
||
},
|
||
{
|
||
"value": "ShimRAT",
|
||
"refs": ["https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"]
|
||
},
|
||
{
|
||
"value": "X-Agent",
|
||
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/"],
|
||
"synonyms": ["XAgent"]
|
||
},
|
||
{
|
||
"value": "X-Tunnel",
|
||
"synonyms": ["XTunnel"]
|
||
},
|
||
{
|
||
"value": "Foozer",
|
||
"refs": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"]
|
||
},
|
||
{
|
||
"value": "WinIDS",
|
||
"refs": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"]
|
||
},
|
||
{
|
||
"value": "DownRange",
|
||
"refs": ["https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"]
|
||
},
|
||
{
|
||
"value": "Mad Max",
|
||
"refs": ["https://www.arbornetworks.com/blog/asert/mad-max-dga/"]
|
||
},
|
||
{
|
||
"value": "Crimson",
|
||
"description": "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims",
|
||
"refs": ["https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"]
|
||
},
|
||
{
|
||
"value": "Prikormka",
|
||
"description": "Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.",
|
||
"refs": ["http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf"]
|
||
},
|
||
{
|
||
"value": "NanHaiShu",
|
||
"description": "This whitepaper details a malicious program we identify as NanHaiShu. Based on our analysis, the threat actor behind this malware targets government and private-sector organizations.",
|
||
"refs": ["https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf"]
|
||
}
|
||
|
||
],
|
||
"version": 1,
|
||
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
|
||
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
|
||
"author": ["Alexandre Dulaunoy", "Florian Roth", "Timo Steffens"],
|
||
"type": "threat-actor-tools"
|
||
}
|