misp-galaxy/clusters/cryptominers.json

{
  "authors": [
    "Cisco Talos",
    "raw-data"
  ],
  "category": "Cryptominers",
  "description": "A list of cryptominer and cryptojacker malware.",
  "name": "Cryptominers",
  "source": "Open Source Intelligence",
  "type": "cryptominers",
  "uuid": "d7dd3f0c-de73-4148-a786-f8ad3661d293",
  "values": [
    {
      "description": "The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and Eternal Blue.",
      "meta": {
        "refs": [
          "https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html",
          "https://success.trendmicro.com/solution/000261916",
          "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3697/spammers-use-covid19-to-spread-lemon-duck-cryptominer",
          "https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/"
        ],
        "synonyms": [],
        "type": [
          "cryptojacker"
        ]
      },
      "uuid": "fa9cbe22-0ef7-4fbd-8a33-ce395eaa6df9",
      "value": "Lemon Duck"
    },
    {
      "description": "WannaMine is a cryptojacker that takes advantage of EternalBlue.",
      "meta": {
        "refs": [
          "https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/?utm_campaign=dsa&utm_content=us&utm_medium=sem&utm_source=goog&utm_term=&gclid=EAIaIQobChMIjrayysrX7AIVFUWGCh3sQApKEAAYASAAEgIE6_D_BwE",
          "https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/",
          "https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry"
        ],
        "synonyms": [],
        "type": [
          "cryptojacker"
        ]
      },
      "uuid": "20e563b0-f0c9-4253-aedd-a4542d6689ed",
      "value": "WannaMine"
    },
    {
      "description": "Blue Mockingbird Crypto miner is a crypto-mining payload within DLLs on Windows Systems.",
      "meta": {
        "refs": [
          "https://redcanary.com/blog/blue-mockingbird-cryptominer/"
        ]
      },
      "uuid": "3dd091c9-608f-44d6-ac0c-5dfdf9bb4518",
      "value": "Blue Mockingbird Cryptominer"
    },
    {
      "description": "The Krane malware uses SSH brute-force techniques to drop the XMRig cryptominer on the target to mine for the Hashvault pool.",
      "meta": {
        "refs": [
          "https://cujo.com/threat-alert-krane-malware/"
        ]
      },
      "uuid": "a0c0ab05-c390-425c-9311-f64bf7ca9145",
      "value": "Krane"
    }
  ],
  "version": 2
}