mirror of https://github.com/MISP/misp-galaxy
87 lines
5.9 KiB
JSON
87 lines
5.9 KiB
JSON
{
|
|
"authors": [
|
|
"raw-data"
|
|
],
|
|
"category": "tool",
|
|
"description": "A list of backdoor malware.",
|
|
"name": "Backdoor",
|
|
"source": "Open Sources",
|
|
"type": "backdoor",
|
|
"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
|
|
"values": [
|
|
{
|
|
"description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.",
|
|
"meta": {
|
|
"date": "July 2018.",
|
|
"refs": [
|
|
"https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "d84ebd91-58f6-459f-96a1-d028a1719914",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
}
|
|
],
|
|
"uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd",
|
|
"value": "WellMess"
|
|
},
|
|
{
|
|
"description": "The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.\n\nWhile the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.\n\nThe rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU's memory, but its register file and execution pipeline as well.",
|
|
"meta": {
|
|
"date": "August 2018",
|
|
"refs": [
|
|
"https://www.bleepingcomputer.com/news/security/backdoor-mechanism-discovered-in-via-c3-x86-processors/",
|
|
"https://github.com/xoreaxeaxeax/rosenbridge",
|
|
"https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Christopher%20Domas/DEFCON-26-Christopher-Domas-GOD-MODE-%20UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf"
|
|
]
|
|
},
|
|
"uuid": "2bb165dc-9f93-11e8-ae64-d3dbab0dd786",
|
|
"value": "Rosenbridge"
|
|
},
|
|
{
|
|
"description": "The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.\n\n\"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit,\" researchers from Proofpoint explain in an analysis released today.\n\nThe other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.",
|
|
"meta": {
|
|
"refs": [
|
|
"https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/"
|
|
]
|
|
},
|
|
"uuid": "8b50360c-4d16-4f52-be75-e74c27f533df",
|
|
"value": "ServHelper"
|
|
},
|
|
{
|
|
"description": "The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.",
|
|
"meta": {
|
|
"refs": [
|
|
"https://www.bluvector.io/threat-report-rising-sun-operation-sharpshooter/"
|
|
]
|
|
},
|
|
"uuid": "0ae6636e-87e4-4b4c-a1c8-e14e1cab964f",
|
|
"value": "Rising Sun"
|
|
},
|
|
{
|
|
"description": "A new backdoor was observed using the Github Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack.\nThe backdoor dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild is part of a multi-stage infection process designed by capable threat actors who programmed it in C++.\nSLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP request, \"extracting commands from gist snippets,\" and \"parsing Slack channel communication.\"\nThe campaign recently observed by the Trend Micro security researchers abusing the Github and Slack uses a multi-stage infection process.",
|
|
"meta": {
|
|
"refs": [
|
|
"https://www.bleepingcomputer.com/news/security/new-slub-backdoor-uses-slack-github-as-communication-channels/"
|
|
]
|
|
},
|
|
"related": [
|
|
{
|
|
"dest-uuid": "bb6492fa-36b5-4f4a-a787-e718e7f9997f",
|
|
"tags": [
|
|
"estimative-language:likelihood-probability=\"likely\""
|
|
],
|
|
"type": "similar"
|
|
}
|
|
],
|
|
"uuid": "a4757e11-0837-42c0-958a-7490cff58687",
|
|
"value": "SLUB"
|
|
}
|
|
],
|
|
"version": 5
|
|
}
|