misp-galaxy/elements/threat-actor-tools.json

421 lines
12 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

{
"values": [
{
"value": "PlugX",
"description": "Malware"
},
{
"value": "MSUpdater"
},
{
"value": "Poison Ivy",
"description": "Poison Ivy is a RAT which was freely available and first released in 2005.",
"refs": ["https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"]
},
{
"value": "Torn RAT"
},
{
"value": "ZeGhost"
},
{
"value": "Backdoor.Dripion",
"description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.",
"refs": ["http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan"],
"synonyms": ["Dripion"]
},
{
"value": "Elise Backdoor",
"synonyms": ["Elise"]
},
{
"value": "Trojan.Laziok",
"synonyms": ["Laziok"],
"refs": ["http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"],
"description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer."
},
{
"value": "Slempo",
"description": "Android-based malware",
"synonyms": ["GM-Bot", "Acecard"]
},
{
"value": "PWOBot",
"description": "We have discovered a malware family named PWOBot that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.",
"refs": ["http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"]
},
{
"value": "Lstudio"
},
{
"value": "Joy RAT"
},
{
"value": "njRAT",
"synonyms": ["Bladakindi"],
"refs": ["http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"]
},
{
"value": "Sakula",
"synonyms": ["Sakurel"]
},
{
"value": "Derusbi"
},
{
"value": "EvilGrab"
},
{
"value": "IEChecker"
},
{
"value": "Trojan.Naid"
},
{
"value": "Backdoor.Moudoor"
},
{
"value": "NetTraveler"
},
{
"value": "Winnti"
},
{
"value": "Mimikatz"
},
{
"value": "WEBC2"
},
{
"value": "Pirpi"
},
{
"value": "RARSTONE"
},
{
"value": "BACKSPACe"
},
{
"value": "XSControl"
},
{
"value": "NETEAGLE"
},
{
"value": "Agent.BTZ",
"synonyms": ["ComRat"]
},
{
"value": "Heseber BOT",
"description": "RAT bundle with standard VNC (to avoid/limit A/V detection)."
},
{
"value": "Agent.dne"
},
{
"value": "Wipbot"
},
{
"value": "Turla"
},
{
"value": "Uroburos"
},
{
"value": "Winexe"
},
{
"value": "Dark Comet",
"description": "RAT initialy identified in 2011 and still actively used."
},
{
"value": "AlienSpy",
"description": "RAT for Apple OS X platforms"
},
{
"value": "Cadelspy",
"synonyms": ["WinSpy"]
},
{
"value": "CMStar",
"refs": ["http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/"]
},
{
"value": "DHS2015",
"synonyms": ["iRAT"],
"refs": ["https://securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf"]
},
{
"value": "Gh0st Rat",
"description": "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.",
"synonyms": ["Gh0stRat, GhostRat"],
"refs": ["http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf"]
},
{
"value": "Fakem RAT",
"description": "Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages). ",
"synonyms": ["FAKEM"],
"refs": ["http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf"]
},
{
"value": "MFC Huner",
"synonyms": ["Hupigon", "BKDR_HUPIGON"],
"refs": ["http://blog.trendmicro.com/trendlabs-security-intelligence/japan-us-defense-industries-among-targeted-entities-in-latest-attack/"]
},
{
"value": "Blackshades",
"description": "Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.",
"refs": ["https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-and-fbi-assistant-director-charge-announce-charges-connection","https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-2-blackshades-net/"]
},
{
"value": "CORESHELL"
},
{
"value": "CHOPSTICK"
},
{
"value": "SOURFACE"
},
{
"value": "OLDBAIT"
},
{
"value": "Havex RAT",
"synonyms": ["Havex"]
},
{
"value": "KjW0rm",
"description": "RAT initially written in VB.",
"refs": ["https://www.sentinelone.com/blog/understanding-kjw0rm-malware-we-dive-in-to-the-tv5-cyber-attack/"]
},
{
"value": "LURK"
},
{
"value": "Oldrea"
},
{
"value": "AmmyAdmin"
},
{
"value": "Matryoshka"
},
{
"value": "TinyZBot"
},
{
"value": "GHOLE"
},
{
"value": "CWoolger"
},
{
"value": "FireMalv"
},
{
"value": "Regin"
},
{
"value": "Duqu"
},
{
"value": "Flame"
},
{
"value": "Stuxnet"
},
{
"value": "EquationLaser"
},
{
"value": "EquationDrug"
},
{
"value": "DoubleFantasy"
},
{
"value": "TripleFantasy"
},
{
"value": "Fanny"
},
{
"value": "GrayFish"
},
{
"value": "Babar"
},
{
"value": "Bunny"
},
{
"value": "Casper"
},
{
"value": "NBot"
},
{
"value": "Tafacalou"
},
{
"value": "Tdrop"
},
{
"value": "Troy"
},
{
"value": "Tdrop2"
},
{
"value": "ZXShell",
"synonyms": ["Sensode"],
"refs": ["http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html"]
},
{
"value": "T9000",
"refs": ["http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/"]
},
{
"value": "T5000",
"synonyms": ["Plat1"],
"refs": ["http://www.cylance.com/techblog/Grand-Theft-Auto-Panda.shtml"]
},
{
"value": "Taidoor",
"refs": ["http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks"]
},
{
"value": "Swisyn",
"refs": ["http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/"]
},
{
"value": "Rekaf",
"refs": ["https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"]
},
{
"value": "Scieron"
},
{
"value": "SkeletonKey",
"refs": ["http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/"]
},
{
"value": "Skyipot",
"refs": ["http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/"]
},
{
"value": "Spindest",
"refs": ["http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/"]
},
{
"value": "Preshin"
},
{
"value": "Rekaf",
"refs": ["https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"]
},
{
"value": "Oficla"
},
{
"value": "PCClient RAT",
"refs": ["http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/"]
},
{
"value": "Plexor"
},
{
"value": "Mongall",
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
},
{
"value": "NeD Worm",
"refs": ["http://www.clearskysec.com/dustysky/"]
},
{
"value": "NewCT",
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
},
{
"value": "Nflog",
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
},
{
"value": "Janicab",
"refs": ["http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/"]
},
{
"value": "Jripbot",
"synonyms": ["Jiripbot"],
"refs": ["http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/butterfly-corporate-spies-out-for-financial-gain.pdf"]
},
{
"value": "Jolob",
"refs": ["http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html"]
},
{
"value": "IsSpace",
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"]
},
{
"value": "Hoardy",
"synonyms": ["Hoarde", "Phindolp", "BS2005"]
},
{
"value": "Htran",
"refs": ["http://www.secureworks.com/research/threats/htran/"]
},
{
"value": "HTTPBrowser",
"synonyms": ["TokenControl"],
"refs": ["https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"]
},
{
"value": "Disgufa"
},
{
"value": "Elirks"
},
{
"value": "Snifula",
"synonyms": ["Ursnif"],
"refs": ["https://www.circl.lu/pub/tr-13/"]
},
{
"value": "Aumlib",
"synonyms": ["Yayih", "mswab", "Graftor"],
"refs": ["http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks"]
},
{
"value": "CTRat",
"refs": ["http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html"]
},
{
"value": "Emdivi",
"synonyms": ["Newsripper"],
"refs": ["http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan"]
},
{
"value": "Etumbot",
"synonyms": ["Exploz", "Specfix", "RIPTIDE"],
"refs": ["www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf"]
},
{
"value": "Fexel",
"synonyms": ["Loneagent"]
},
{
"value": "Fysbis",
"refs": ["http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/"]
},
{
"value": "Hikit",
"refs": ["https://blog.bit9.com/2013/02/25/bit9-security-incident-update/"]
}
],
"version" : 1,
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"author": ["Alexandre Dulaunoy", "Florian Roth", "Timo Steffens"],
"type": "threat-actor-tools"
}