for i in range(0,num_read): - buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF-
diff --git a/galaxy.html b/galaxy.html index 1cc1a93..4996b59 100755 --- a/galaxy.html +++ b/galaxy.html @@ -14149,7 +14149,7 @@ Exploit-Kit is a cluster galaxy available in JSON format at Malpedia
Malware galaxy based on Malpedia archive..
+Malware galaxy cluster based on Malpedia..
AnubisSpy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy |
+
+ |
+ |
Bahamut is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut |
+
https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/ |
+
+ |
BankBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.bankbot |
+
http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html |
+
http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html |
+
+ |
+ |
https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/ |
+
Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim. +The distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered. +Currently the malware has overlays for over 2,200 apps of banks and financial institutions.
+Catelites is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites |
+
https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang |
+
+ |
Charger is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger |
+
+ |
http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html |
+
Chrysaor is also known as:
+Pegasus
+JigglyPuff
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor |
+
https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html |
+
https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf |
+
https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html |
+
+ |
+ |
Clientor is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor |
+
https://twitter.com/LukasStefanko/status/1042297855602503681 |
+
Connic is also known as:
+SpyBanker
+Links |
+
+ |
https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/ |
+
Cpuminer is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer |
+
+ |
DoubleLocker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker |
+
https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/ |
+
DualToy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy |
+
+ |
Dvmap is also known as:
+Links |
+
+ |
https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/ |
+
ExoBot is also known as:
+Links |
+
+ |
https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/ |
+
FlexiSpy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy |
+
https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/ |
+
FlexNet is also known as:
+gugi
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet |
+
+ |
GhostCtrl is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl |
+
+ |
GlanceLove is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove |
+
+ |
+ |
https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/ |
+
https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/ |
+
+ |
HeroRAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat |
+
https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/ |
+
IRRat is also known as:
+Links |
+
+ |
+ |
JadeRAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat |
+
+ |
KevDroid is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid |
+
https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html |
+
https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/ |
+
Koler is also known as:
+Links |
+
+ |
+ |
Lazarus is also known as:
++ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus |
+ |
CodeKey is also known as:
+Lazarus ELF Backdoor is also known as:
https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf |
+https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus_elf |
+
TinyNuke is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. The author destroyed his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor.
-TinyNuke is also known as:
-Xbot
-MicroBankingTrojan
-NukeBot
-Nuclear Bot
-Loki is also known as:
+ | |
- | |
https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet |
-|
https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html |
-|
https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/ |
-|
https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/ |
-|
https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/ |
+http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/ |
A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.
+Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. Note, the network traffic is obfuscated the same way as in Android Bankbot.
UACMe is also known as:
-Akagi
-LokiBot is also known as:
+ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot |
+
https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html |
RadRAT is also known as:
+Marcher is also known as:
+ExoBot
+https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher |
+
https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware |
+|
+ | |
https://www.clientsidedetection.com/exobot_v2_update_staying_ahead_of_the_competition.html[https://www.clientsidedetection.com/exobot_v2_update_staying_ahead_of_the_competition.html] |
SNEEPY is also known as:
-ByeByeShell
-MazarBot is also known as:
+ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot |
+
https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/ |
+|
https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html |
Misdat is also known as:
+MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.
+MysteryBot is also known as:
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf |
+https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot |
+
https://www.threatfabric.com/blogs/mysterybota_new_android_banking_trojan_ready_for_android_7_and_8.html[https://www.threatfabric.com/blogs/mysterybota_new_android_banking_trojan_ready_for_android_7_and_8.html] |
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*) -2014 Dreambot (Gozi ISFB variant)
-In 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.
-See win.gozi for additional historical information.
-DreamBot is also known as:
+OmniRAT is also known as:
+ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat |
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality |
++ |
OneKeyLocker is also known as:
+X-Agent is also known as:
+Popr-d30
+https://twitter.com/malwrhunterteam/status/1001461507513880576 |
+https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30 |
+
http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/ |
+|
http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/ |
HesperBot is also known as:
+Fake Pornhub is also known as:
https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub |
+
GlassRAT is also known as:
+Raxir is also known as:
+ | + |
https://twitter.com/PhysicalDrive0/statuses/798825019316916224 |
BackSwap is also known as:
+RedAlert 2 is an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server. +The malware also has the ability to block incoming calls from banks, to prevent the victim of being notified. +As a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates.
+RedAlert2 is also known as:
https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2 |
https://www.cert.pl/en/news/single/backswap-malware-analysis/ |
+https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html |
+
CryptoFortress is also known as:
+The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim’s phone doesn’t get infected.
+Retefe is also known as:
https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/ |
+|
+ | http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/ |
http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html |
+http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html |
+
http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html |
+|
http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html |
+|
+ | |
http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html |
vSkimmer is also known as:
+Roaming Mantis is also known as:
+ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis |
http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis |
+https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
+ | https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/ |
GlobeImposter is also known as:
+Rootnik is also known as:
+ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik |
https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant |
+|
https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run |
-|
- | |
- | |
https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet |
+
Unidentified 003 is also known as:
+Skygofree is also known as:
https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree |
+
https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/ |
+
https://cdn.securelist.com/files/2018/01/Skygofree_appendix_eng.pdf |
+
Daserf is also known as:
+Slempo is also known as:
Nioupale
-Muirim
+SlemBunk
Links
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/
https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html
Morphine is also known as:
+Slocker is also known as:
https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker |
+
+ |
MajikPos is also known as:
+SMSspy is also known as:
http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/ |
+
ATMitch is also known as:
+SpyBanker is also known as:
https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker |
+
+ | |
ScanPOS is also known as:
+SpyNote is also known as:
https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos |
+https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote |
+ |
Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
-Quasar RAT is also known as:
+StealthAgent is also known as:
+ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent |
- | |
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ |
-|
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
-|
- | |
https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/ |
-|
https://twitter.com/malwrhunterteam/status/789153556255342596 |
-|
+ | https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF |
Icefog is also known as:
+Stealth Mango is also known as:
+ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango |
+
Unidentified 037 is also known as:
+Svpeng is also known as:
+ |
https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/ |
+
Glasses is also known as:
-Wordpress Bruteforcer
-Switcher is also known as:
+ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher |
+
https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/ |
ZhCat is also known as:
+TeleRAT is also known as:
+ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat |
+
Koler is also known as:
+TemptingCedar Spyware is also known as:
+ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar |
+
https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware |
Sanny is also known as:
+TinyZ is also known as:
Daws
+Catelites Android Bot
+MarsElite Android Bot
Links
http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html
Micrass is also known as:
+Titan is also known as:
+ | + |
+ | |
https://www.alienvault.com/blogs/labs-research/delivery-keyboy |
Yahoyah is also known as:
-KeyBoy
-Triada is also known as:
+ | + |
https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/ |
+|
http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html |
+|
https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/ |
+|
https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/ |
+|
https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/ |
Limitail is also known as:
+Unidentified APK 001 is also known as:
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001 |
+
+ |
Bolek is also known as:
-KBOT
-Unidentified APK 002 is also known as:
https://asert.arbornetworks.com/communications-bolek-trojan/ |
-|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002 |
Dharma is also known as:
-Arena
-Crysis
-Viper RAT is also known as:
https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat |
+
https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/ |
+|
https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/ |
ModPOS is also known as:
-straxbot
-WireX is also known as:
https://www.fireeye.com/blog/threat-research/2015/11/modpos.html |
+|
https://twitter.com/physicaldrive0/status/670258429202530306 |
+https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/ |
+
https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/ |
Unidentified 046 is also known as:
+Xbot is also known as:
+ | + |
+ | |
CreativeUpdater is also known as:
+XRat is also known as:
+ | |
- | |
+ |
Gravity RAT is also known as:
+ZooPark is also known as:
https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark |
https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html |
++ |
SOUNDBITE is also known as:
+Ztorg is also known as:
denis
+Qysly
Links
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1
http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2
Datper is also known as:
+Irc16 is also known as:
+ | https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16 |
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses |
-|
http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html |
+
FF RAT is also known as:
+Bashlite is also known as:
+gayfgt
+Gafgyt
+qbot
+torlus
+lizkebab
+https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html |
+https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite |
+
+ | |
https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ |
+|
https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf |
CycBot is also known as:
+This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech
+CDorked is also known as:
+CDorked.A
+https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked |
+
https://www.symantec.com/security-center/writeup/2013-050214-5501-99 |
+|
+ | |
https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/ |
+|
+ | |
https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html |
pupy is also known as:
+Chapro is also known as:
https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations |
+|
+ | http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html |
+ | http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a |
+
This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.
+Cpuminer is also known as:
+Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer |
+
+ |
This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.
+This family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.
+Ebury is also known as:
+Links |
+
+ |
https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy |
+
https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf |
+
https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ |
+
https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/ |
+
Erebus is also known as:
+Links |
+
+ |
https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/ |
+
ext4 is also known as:
+Links |
+
+ |
https://www.recordedfuture.com/chinese-cyberespionage-operations/ |
+
Hajime is also known as:
+Links |
+
+ |
https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf |
+
https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf |
+
+ |
+ |
https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things |
+
https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461 |
+
https://blog.netlab.360.com/quick-summary-port-8291-scan-en/ |
+
+ |
Hakai is also known as:
+Links |
+
+ |
+ |
Hide and Seek is also known as:
+HNS
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek |
+
+ |
+ |
+ |
https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/ |
+
https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/ |
+
https://blog.netlab.360.com/hns-botnet-recent-activities-en/ |
+
IoT Reaper is also known as:
+IoTroop
+Reaper
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper |
+
https://research.checkpoint.com/new-iot-botnet-storm-coming/ |
+
http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/ |
+
https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm |
+
https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/ |
+
JenX is also known as:
+Links |
+
+ |
https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/ |
+
Kaiten is also known as:
+STD
+Links |
+
+ |
+ |
Lady is also known as:
+Links |
+
+ |
+ |
MiKey is also known as:
+Links |
+
+ |
http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger |
+
Mirai is also known as:
+Links |
+
+ |
+ |
+ |
https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/ |
+
https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf |
+
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/ |
+
+ |
+ |
http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ |
+
+ |
Mokes is also known as:
+Links |
+
+ |
+ |
Moose is also known as:
+Links |
+
+ |
+ |
http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/ |
+
+ |
MrBlack is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack |
+
+ |
Mirai variant by actor "Anarchy" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.
+Owari is also known as:
+Links |
+
+ |
+ |
https://twitter.com/ankit_anubhav/status/1019647993547550720 |
+
+ |
+ |
+ |
https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html |
+
+ |
Penquin Turla is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla |
+
https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf |
+
https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf |
+
+ |
Persirai is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai |
+
+ |
r2r2 is also known as:
+Links |
+
+ |
https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/ |
+
Rakos is also known as:
+Links |
+
+ |
http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ |
+
Rex is also known as:
+Links |
+
+ |
https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/ |
+
https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/ |
+
Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).
+Satori is also known as:
+Links |
+
+ |
+ |
http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori |
+
+ |
+ |
+ |
+ |
ShellBind is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind |
+
+ |
Shishiga is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga |
+
https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/ |
+
Spamtorte is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte |
+
http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/ |
+
SSHDoor is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor |
+
http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html |
+
Stantinko is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko |
+
+ |
Torii is also known as:
+Links |
+
+ |
+ |
Trump Bot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot |
+
+ |
Tsunami is also known as:
+Amnesia
+Radiation
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami |
+
https://www.8ackprotect.com/blog/big_brother_is_attacking_you |
+
+ |
+ |
Turla RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat |
+
Umbreon is also known as:
+Espeon
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon |
+
+ |
http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html |
+
elf.vpnfilter is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter |
+
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1 |
+
https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html |
+
https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/ |
+
+ |
+ |
+ |
+ |
https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware |
+
elf.wellmess is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess |
+
Wirenet is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet |
+
http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html |
+
+ |
X-Agent is also known as:
+splm
+chopstick
+fysbis
+Links |
+
+ |
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
+
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
+
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf |
+
+ |
http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ |
+
Xaynnalc is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc |
+
+ |
Linux DDoS C&C Malware
+XOR DDoS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos |
+
+ |
https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf |
+
https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html |
+
Zollard is also known as:
+darlloz
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard |
+
https://blogs.cisco.com/security/the-internet-of-everything-including-malware |
+
DualToy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy |
+
+ |
GuiInject is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject |
+
https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/ |
+
The iOS malware that is installed over USB by osx.wirelurker
+WireLurker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker |
+
+ |
Part of Malware-as-service platform +Used as a generic name for Java-based RAT +Functionality +- collect general system and user information +- terminate process +-log keystroke +-take screenshot and access webcam +- steal cache password from local or web forms +- download and execute Malware +- modify registry +- download components +- Denial of Service attacks +- Acquire VPN certificates
+Initial infection vector +1. Email to JAR files attached +2. Malspam URL to downlaod the malware
+Persistence +- Runkey - HKCU\Software\Microsoft\Windows\current version\run
+Hiding +Uses attrib.exe
+Notes on Adwind +The malware is not known to be proxy aware
+AdWind is also known as:
+AlienSpy
+JSocket
+Frutas
+UNRECOM
+JBifrost
+Sockrat
+Links |
+
+ |
+ |
http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat |
+
+ |
https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/ |
+
https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885 |
+
https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html |
+
CrossRAT is also known as:
+Trupto
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat |
+
+ |
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf |
+
jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io.
+jRAT is also known as:
+Jacksbot
+Links |
+
+ |
+ |
https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered |
+
+ |
jSpy is also known as:
+Links |
+
+ |
https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/ |
+
According to SpiderLabs, in May 2015 the "company" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).
+Qarallax RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat |
+
https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/ |
+
http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/ |
+
QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, …), and it comes as a SaaS. For additional historical context, please see jar.qarallax.
+QRat is also known as:
+Quaverse RAT
+Links |
+
+ |
https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT—Remote-Access-as-a-Service/ |
+
+ |
+ |
Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.
+Ratty is also known as:
+Links |
+
+ |
+ |
AIRBREAK is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak |
+
+ |
Bateleur is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur |
+
+ |
WebAssembly-based crpyto miner.
+CryptoNight is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight |
+
https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec |
+
+ |
CukieGrab is also known as:
+Roblox Trade Assist
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx |
+
+ |
KopiLuwak is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak |
+
https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/ |
+
+ |
magecart is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart |
+
https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/ |
+
More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are: +- d&exec = download and execute PE file +- gtfo = delete files/startup entries and terminate +- more_eggs = download additional/new scripts +- more_onion = run new script and terminate current script +- more_power = run command shell commands
+More_eggs is also known as:
+SpicyOmelette
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs |
+
+ |
https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/ |
+
+ |
+ |
https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html |
+
https://asert.arbornetworks.com/double-the-infection-double-the-fun/ |
+
+ |
Powmet is also known as:
+Links |
+
+ |
+ |
scanbox is also known as:
+Links |
+
+ |
+ |
+ |
HTML5 Encoding is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext |
+
+ |
Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.
+Maintools.js is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools |
+
+ |
Unidentified 050 (APT32 Profiler) is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_050 |
+
+ |
https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f |
+
witchcoven is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven |
+
https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf |
+
Bella is also known as:
+Links |
+
+ |
+ |
+ |
Careto is also known as:
+Mask
+Appetite
+Links |
+
+ |
https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed |
+
CoinThief is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief |
+
https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed |
+
Coldroot RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat |
+
+ |
CpuMeaner is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner |
+
https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/ |
+
CreativeUpdater is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater |
+
+ |
+ |
+ |
Crisis is also known as:
+Links |
+
+ |
http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html |
+
https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines |
+
+ |
Crossrider is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider |
+
+ |
Dockster is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster |
+
http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html |
+
+ |
Dummy is also known as:
+Links |
+
+ |
+ |
EvilOSX is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx |
+
+ |
+ |
FlashBack is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback |
+
https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed |
+
http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html |
+
http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html |
+
FruitFly is also known as:
+Quimitchin
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly |
+
https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ |
+
+ |
+ |
+ |
https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html |
+
+ |
HiddenLotus is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus |
+
+ |
iMuler is also known as:
+Revir
+Links |
+
+ |
http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html |
+
+ |
KeRanger is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger |
+
+ |
+ |
+ |
Keydnap is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap |
+
+ |
http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ |
+
+ |
Kitmos is also known as:
+KitM
+Links |
+
+ |
+ |
Komplex is also known as:
+SedUploader
+JHUHUGIT
+JKEYSKW
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex |
+
http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ |
+
+ |
https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/ |
+
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
+
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf |
+
Laoshu is also known as:
+Links |
+
+ |
+ |
+ |
Leverage is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage |
+
https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/ |
+
https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis |
+
MacDownloader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader |
+
https://iranthreats.github.io/resources/macdownloader-macos-malware/ |
+
MacInstaller is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller |
+
+ |
MacRansom is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom |
+
https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service |
+
+ |
MacSpy is also known as:
+Links |
+
+ |
https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service |
+
MacVX is also known as:
+Links |
+
+ |
+ |
MaMi is also known as:
+Links |
+
+ |
+ |
Mokes is also known as:
+Links |
+
+ |
+ |
https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/ |
+
Mughthesec is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec |
+
+ |
OceanLotus is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus |
+
+ |
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html |
+
https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/ |
+
+ |
Olyx is also known as:
+Links |
+
+ |
http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html |
+
+ |
Patcher is also known as:
+Findzip
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher |
+
http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/ |
+
Pirrit is also known as:
+Links |
+
+ |
http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf |
+
+ |
Proton RAT is also known as:
+Calisto
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat |
+
https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does |
+
+ |
+ |
+ |
https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/ |
+
+ |
https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/ |
+
https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/ |
+
+ |
Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.
+Pwnet is also known as:
+Links |
+
+ |
https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/ |
+
Dok is also known as:
+Retefe
+Links |
+
+ |
http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/ |
+
http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same |
+
https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/ |
+
+ |
General purpose backdoor
+systemd is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd |
+
+ |
Uroburos is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos |
+
https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/ |
+
https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/ |
+
Winnti is also known as:
+Links |
+
+ |
+ |
+ |
WireLurker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker |
+
+ |
+ |
Wirenet is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet |
+
http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html |
+
+ |
X-Agent is also known as:
+Links |
+
+ |
https://twitter.com/PhysicalDrive0/status/845009226388918273 |
+
+ |
http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/ |
+
XSLCmd is also known as:
+Links |
+
+ |
+ |
PAS is also known as:
+Links |
+
+ |
https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity |
+
+ |
WSO is also known as:
+Webshell by Orb
+Links |
+
+ |
+ |
+ |
Silence DDoS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos |
+
https://www.group-ib.com/resources/threat-research/silence.html |
+
BONDUPDATER is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater |
+
+ |
GhostMiner is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer |
+
https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless |
+
POSHSPY is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy |
+
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html |
+
+ |
PowerWare is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware |
+
https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats |
+
POWRUNER is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner |
+
+ |
QUADAGENT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent |
+
+ |
RogueRobin is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin |
+
+ |
+ |
Tater PrivEsc is also known as:
+Links |
+
+ |
+ |
ThunderShell is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell |
+
+ |
WMImplant is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant |
+
https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html |
+
BrickerBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot |
+
+ |
+ |
+ |
+ |
https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/ |
+
https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/ |
+
https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf |
+
http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f |
+
Saphyra is also known as:
+Links |
+
+ |
https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/ |
+
+ |
FlexiSpy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy |
+
https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/ |
+
The NJCCIC describes 7ev3n as a ransomware "that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n."
+7ev3n is also known as:
+Links |
+
+ |
https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/ |
+
https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n |
+
9002 RAT is also known as:
+Hydraq
+McRAT
+Links |
+
+ |
+ |
+ |
+ |
https://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/6894315 |
+
+ |
https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html |
+
+ |
+ |
+ |
AbaddonPOS is also known as:
+PinkKite
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos |
+
+ |
https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/ |
+
Abbath Banker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker |
+
AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more.
+AcridRain is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain |
+
https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/ |
+
Acronym is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym |
+
https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/ |
+
Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.
+AdamLocker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker |
+
https://twitter.com/JaromirHorejsi/status/813712587997249536 |
+
+ |
win.adkoob is also known as:
+Links |
+
+ |
https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/ |
+
AdvisorsBot is a downloader named after early command and control domains that all contained the word "advisors". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.
+AdvisorsBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot |
+
+ |
Adylkuzz is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz |
+
+ |
Agent.BTZ is also known as:
+ComRAT
+Sun rootkit
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz |
+
http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html |
+
https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/ |
+
https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified |
+
+ |
+ |
http://www.intezer.com/new-variants-of-agent-btz-comrat-found/ |
+
http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/ |
+
A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host’s clipboard and beacons this information back to the C2.
+Agent Tesla is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla |
+
+ |
+ |
https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting |
+
https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr |
+
https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html |
+
https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/ |
+
https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting |
+
According to Trend Micro Encyclopia: +ALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.
+This malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.
+This bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.
+This malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.
+This backdoor executes commands from a remote malicious user, effectively compromising the affected system.
+Aldibot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot |
+
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot |
+
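Review bot: typo in the Aldibot description, "According to Trend Micro Encyclopia:" should read "Encyclopedia" (the cited page is the Trend Micro Threat Encyclopedia). The "+" that appears mid-line after the colon also suggests a line break was lost when the description was pasted in; check that the intended paragraph breaks survive in the rendered entry.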
Project Alice is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm |
+
+ |
Alina POS is also known as:
+alina_spark
+katrina
+alina_eagle
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos |
+
+ |
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina—Casting-a-Shadow-on-POS/ |
+
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina—Following-The-Shadow-Part-2/ |
+
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina—Following-The-Shadow-Part-1/ |
+
https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/ |
+
+ |
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware—sparks—off-a-new-variant/ |
+
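Review bot: four of the Trustwave references under Alina POS carry a typographic em dash inside the URL path ("Alina—Casting-a-Shadow-on-POS", "Alina—Following-The-Shadow-Part-1", "...Part-2", "Alina-POS-malware—sparks—off-a-new-variant"); SpiderLabs slugs use double hyphens there, so these links will probably not resolve as written. Please verify each URL and replace "—" with "--" where needed.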
Allaple is also known as:
+Starman
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple |
+
https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/ |
+
https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf |
+
Alma Communicator is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator |
+
+ |
AlmaLocker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker |
+
ALPC Local PrivEsc is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe |
+
https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/ |
+
Alphabet Ransomware is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware |
+
https://twitter.com/JaromirHorejsi/status/813714602466877440 |
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker
Unidentified 050 (APT32 Profiler) is also known as:
+AlphaNC is also known as:
https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc |
+ | https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group |
TURNEDUP is also known as:
+Alreay is also known as:
+ | + |
https://securelist.com/blog/sas/77908/lazarus-under-the-hood/ |
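Review bot: the new AlphaNC and Alreay headings are interleaved with unchanged lines from other entries. "Unidentified 050 (APT32 Profiler) is also known as:" and its community.riskiq.com project link sit between "+AlphaNC is also known as:" and the win.alphanc Malpedia link, and "TURNEDUP is also known as:" immediately precedes "+Alreay is also known as:" with the Securelist "Lazarus under the hood" link left as shared context. Rendered as-is, AlphaNC would inherit the Unidentified 050 link and Alreay would sit under the TURNEDUP heading; if those older entries are meant to be replaced, their heading and link rows need matching "-" lines. The AlphaLocker fragment just above (a bare "Links" row and the win.alphalocker URL) has also lost its "AlphaLocker is also known as:" heading.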
backspace is also known as:
-Links |
-
- |
Devil’s Rat is also known as:
-Links |
-
RoyalCli is also known as:
-Links |
-
- |
- |
RapidStealer is also known as:
-Links |
-
http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html |
-
WaterSpout is also known as:
-Links |
-
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html |
-
HiddenTear is also known as:
-Links |
-
- |
- |
- |
Brambul is also known as:
-Links |
-
- |
- |
https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/ |
-
SHARPKNOT is also known as:
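Review bot: this region removes the link rows and reference URLs under backspace, Devil's Rat, RoyalCli, RapidStealer, WaterSpout, HiddenTear and Brambul (including the PwC "malware-microevolution", FireEye "darwins-favorite-apt-group-2" and Acalvio "lateral-movement-technique" references) while their "is also known as:" headings remain as unchanged context, leaving headings with no links. backspace is re-emitted further down in this patch under win.backspace, but the other entries are not visible here; confirm they are re-added elsewhere in the file rather than silently dropped, and that the orphaned headings are removed too.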
+Alureon is also known as:
Bitrep
+Olmarik
+Pihar
+TDSS
+TDL
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon |
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf |
+http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html |
+
http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html |
+|
http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html |
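Review bot: "+Alureon is also known as:" is added directly after the unchanged "SHARPKNOT is also known as:" heading, and the unchanged "Bitrep" alias line plus the US-CERT MAR-10135536.11 report link stay in place between the new Alureon alias rows and the Alureon reference rows. As rendered, Alureon would list Bitrep as an alias and carry the SHARPKNOT MAR report as a reference, and the SHARPKNOT heading would be empty. If SHARPKNOT is being replaced here, its heading, alias and link rows need matching "-" lines; the contagiodump "list-of-aurora-hydraq-roarur-files" link at the end also looks like it belongs to the 9002 RAT/Hydraq entry rather than Alureon.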
StrongPity is also known as:
-Links |
-
https://twitter.com/physicaldrive0/status/786293008278970368 |
-
https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/ |
-
- |
- |
Furtim is also known as:
-Links |
-
- |
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f |
-
Information gathering and downloading tool used to deliver second stage malware to the infected system
-pgift is also known as:
+AMTsol is also known as:
ReRol
+Adupihan
+ |
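Review bot: "-pgift is also known as:" is removed but its alias row "ReRol" and its description line ("Information gathering and downloading tool used to deliver second stage malware to the infected system") stay as unchanged context, so the new "+AMTsol is also known as:" heading would be preceded by pgift's description and would list ReRol alongside "+Adupihan". Either remove the leftover pgift rows with matching "-" lines or keep the pgift entry intact and add AMTsol as a separate entry; the AMTsol entry is also missing a Malpedia details link, unlike the surrounding entries.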
QtBot is also known as:
-qtproject
-Links |
+|
- |
Combos is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Sinowal is also known as:
-Quarian
-Mebroot
-Anserin
-Theola
-Links |
-
https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2 |
-
https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/ |
-
https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan |
-
gsecdump is also known as:
-Links |
-
- |
nRansom is also known as:
-Links |
-
https://twitter.com/malwrhunterteam/status/910952333084971008 |
-
https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin |
-
https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/ |
-
RedAlert 2 is an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server. -The malware also has the ability to block incoming calls from banks, to prevent the victim of being notified. -As a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates.
-RedAlert2 is also known as:
-Links |
-
- |
https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html |
-
Qadars is also known as:
-Links |
-
https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/ |
-
https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf |
-
https://securityintelligence.com/an-analysis-of-the-qadars-trojan/ |
-
https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan |
-
- |
- |
Retadup is also known as:
-Links |
-
- |
Unlock92 is also known as:
-Links |
-
- |
- |
Jimmy is also known as:
-Links |
-
https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/ |
-
X-Agent is also known as:
-fysbis
-splm
-chopstick
-Links |
-
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
-
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
-
http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ |
-
- |
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf |
-
Kronos is also known as:
-Links |
-
- |
https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en |
-
https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/ |
-
https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en |
-
https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/ |
-
https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos |
-
- |
https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/ |
-
WebC2-Bolid is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Mirai is also known as:
-Links |
-
- |
https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/ |
-
https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf |
-
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/ |
-
- |
- |
http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ |
-
According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.
-This banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.
-The baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.
-Panda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.
-PandaBanker is also known as:
-ZeusPanda
-Links |
-
https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker |
-
https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ |
-
- |
https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market |
-
- |
https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/ |
-
- |
http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html |
-
https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks |
-
https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/ |
-
https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf |
-
https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/ |
-
http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html |
-
https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ |
-
The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
-SmokeLoader is also known as:
-Dofoil
-Links |
-|
- | |
https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html |
-|
https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo |
-|
- | |
- | |
- | |
- | |
- | |
+ |
Links |
|
https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet |
-|
- | |
- | |
https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features |
-|
http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda |
https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis |
+|
http://resources.infosecinstitute.com/andromeda-bot-analysis/ |
+https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis |
https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08 |
-|
- | |
- | |
+ | https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html |
https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html |
+https://blog.fortinet.com/2014/05/19/new-anti-analysis-tricks-in-andromeda-2-08 |
+
https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features |
+|
https://blog.fortinet.com/2014/04/16/a-good-look-at-the-andromeda-botnet |
+|
http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/ |
+|
http://resources.infosecinstitute.com/andromeda-bot-analysis/ |
+|
+ | |
+ | |
+ | |
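Review bot: the Andromeda block has no "is also known as:" heading (the run starts at a bare "Links |" row after the SmokeLoader removals), and the added rows duplicate references that are already present as unchanged context: the eternal-todo "yet-another-andromeda-gamarue-analysis" link appears both unchanged and as a "+" row, "+ | https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html |" sits directly above the unchanged copy of the same URL, and the Fortinet "new-anti-analysis-tricks-in-andromeda-2-08", Virus Bulletin "andromeda-2-7-features", Fortinet "a-good-look-at-the-andromeda-botnet" and both InfoSec Institute "andromeda-bot-analysis" links are each emitted a second time as "+" rows. Please confirm whether the reference list is intentionally being re-emitted in a new order (in which case the old rows need "-" lines) or whether these are accidental duplicates, and restore the Andromeda heading.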
DE Loader is also known as:
+Anel is also known as:
Links |
|
https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks |
+|
+ | + |
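Review bot: "+Anel is also known as:" is inserted right after the unchanged "DE Loader is also known as:" heading, with DE Loader's "Links |" row and its Forcepoint "zeus-delivered-deloader-defraud-customers-canadian-banks" reference left as shared context. Rendered as-is, the Forcepoint DE Loader link would appear under Anel and DE Loader would have no references. If DE Loader is meant to be replaced its rows need matching "-" lines; otherwise Anel needs its own "Links |" row and, like the neighbouring entries, a Malpedia details link.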
Antilam is also known as:
+Latinus
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam |
+
Apocalipto is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto |
+
https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf |
+
Apocalypse is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom |
+
+ |
ArdaMax is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax |
+
Arefty is also known as:
+Links |
+
+ |
http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/ |
+
Arik Keylogger is also known as:
+Aaron Keylogger
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger |
+
https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/ |
+
+ |
ARS VBS Loader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader |
+
+ |
+ |
https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/ |
+
AscentLoader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader |
+
Asprox is also known as:
+Aseljo
+BadSrc
+Links |
+
+ |
http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/ |
+
https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/ |
+
AthenaGo RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago |
+
+ |
ATI-Agent is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent |
+
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
+
ATMii is also known as:
+Links |
+
+ |
https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/ |
+
ATMitch is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch |
+
https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/ |
+
Atmosphere is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere |
+
https://www.group-ib.com/resources/threat-research/silence.html |
+
The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll. +Both libraries are legitimate Windows drivers used to interact with the components of different ATM models.
+ATMSpitter is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter |
+
https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf |
+
https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf |
+
August Stealer is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer |
+
https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html |
+
+ |
Auriga is also known as:
+Riodrv
+Links |
+
+ |
+ |
Ransomware
+Aurora is also known as:
+Links |
+
+ |
+ |
AvastDisabler is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler |
+
https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/ |
+
AVCrypt is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt |
+
+ |
Aveo is also known as:
+Links |
+
+ |
+ |
Avzhan is also known as:
+Links |
+
+ |
+ |
Ayegent is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent |
+
AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.
+Azorult is also known as:
+PuffStealer
+Rultazo
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult |
+
+ |
https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers |
+
+ |
+ |
http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html |
+
+ |
+ |
Babar is also known as:
+SNOWBALL
+Links |
+
+ |
https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/ |
+
+ |
+ |
https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/ |
+
https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/ |
+
BABYMETAL is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal |
+
+ |
backspace is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace |
+
+ |
BackSwap is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap |
+
https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/ |
+
+ |
https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/ |
+
https://www.cert.pl/en/news/single/backswap-malware-analysis/ |
+
BadEncript is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript |
+
https://twitter.com/PhysicalDrive0/status/833067081981710336 |
+
badflick is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick |
+
+ |
BadNews is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews |
+
+ |
http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1 |
+
http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2 |
+
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf |
+
+ |
Bahamut is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut |
+
https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/ |
+
+ |
Banatrix is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix |
+
https://www.cert.pl/en/news/single/banatrix-an-indepth-look/ |
+
bangat is also known as:
+Links |
+
+ |
https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal |
+
Banjori is also known as:
+MultiBanker 2
+BankPatch
+BackPatcher
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori |
+
+ |
+ |
+ |
+ |
Bankshot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot |
+
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF |
+
+ |
BatchWiper is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper |
+
http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html |
+
BBSRAT is also known as:
+Links |
+
+ |
+ |
beendoor is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor |
+
+ |
BernhardPOS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos |
+
https://www.morphick.com/resources/news/bernhardpos-new-pos-malware-discovered-morphick |
+
BetaBot is also known as:
+Neurevt
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot |
+
https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39 |
+
+ |
+ |
http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref |
+
https://www.arbornetworks.com/blog/asert/beta-bot-a-code-review/ |
+
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en |
+
http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html |
+
BillGates is modular malware of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or more backdoor modules.
+BillGates is available for *nix-based systems as well as for Windows.
+On Windows, the (Bill)Gates installer typically contains the various modules as linked resources.
+BillGates is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates |
+
https://securelist.com/versatile-ddos-trojan-for-linux/64361/ |
+
+ |
+ |
Biscuit is also known as:
+zxdosml
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit |
+
+ |
Bitsran is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran |
+
http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html |
+
BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German.
+BKA Trojaner is also known as:
+bwin3_bka
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner |
+
+ |
BlackEnergy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy |
+
https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/ |
+
https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/ |
+
+ |
BlackPOS infects Windows computers that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not run up-to-date operating systems and antivirus programs to prevent security breaches, or if their database systems have weak administrative login credentials.
+BlackPOS is also known as:
+POSWDS
+Reedum
+Kaptoxa
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos |
+
+ |
BlackRevolution is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution |
+
https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphi/ |
+
BlackShades is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades |
+
https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/ |
+
https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/ |
+
https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/ |
+
http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html |
+
Boaxxe is also known as:
+Links |
+
+ |
+ |
Bohmini is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini |
+
Bolek is also known as:
+KBOT
+Links |
+
+ |
https://asert.arbornetworks.com/communications-bolek-trojan/ |
+
+ |
Bouncer is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer |
+
+ |
Bozok is also known as:
+Links |
+
+ |
+ |
Brambul is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul |
+
+ |
+ |
https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/ |
+
BravoNC is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc |
+
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group |
+
There is no reference available for this family and all known samples have version 1.0.0.
+PDB strings in the samples suggest that this is an "exclusive" loader, known as "breakthrough" (maybe), e.g. C:\Users\Exclusiv\Desktop\хп-пробив\Release\build.pdb
+The communication URL parameters are pretty unique in this combination:
+gate.php?hwid=<guid>&os=<OS>&build=1.0.0&cpu=8
+<OS> is one of:
+Windows95
+Windows98
+WindowsMe
+Windows95family
+WindowsNT3
+WindowsNT4
+Windows2000
+WindowsXP
+WindowsServer2003
+WindowsNTfamily
+WindowsVista
+Windows7
+Windows8
+Windows10
+Breakthrough is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader |
+
+ |
Bredolab is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab |
+
+ |
https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/ |
+
BrutPOS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos |
+
+ |
BS2005 is also known as:
+Links |
+
+ |
+ |
+ |
BTCWare is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware |
+
https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/ |
+
Bugat is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.bugat_alreadydump |
+
Buhtrap is also known as:
+Ratopak
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap |
+
https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/ |
+
+ |
+ |
https://www.welivesecurity.com/2015/04/09/operation-buhtrap/ |
+
Bundestrojaner is also known as:
+R2D2
+0zapftis
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner |
+
http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf |
+
http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html |
+
+ |
Bunitu is a trojan that exposes infected computers for use as a proxy by remote clients. It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available through criminal VPN services (e.g. VIP72).
+Bunitu is also known as:
+Links |
+
+ |
https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/ |
+
+ |
+ |
https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/ |
+
Buterat is also known as:
+spyvoltar
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat |
+
http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html |
+
BYEBY is also known as:
+Links |
+
+ |
+ |
c0d0so0 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0 |
+
CadelSpy is also known as:
+Cadelle
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy |
+
+ |
There are not a lot of IOCs in this article, so we take one sample and try to extract some interesting IOCs; our findings are below:
+CamuBot sample: 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479
+Dropped files on disk:
+C:\Users\user~1\AppData\Local\Temp\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1
+C:\Users\user~1\AppData\Local\Temp\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8
+C:\ProgramData\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190
+Protecao.exe tries to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi
+A new driver is installed: C:\Windows\system32\drivers\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8
+ftusbload2.sys sets 28 IRP handlers.
+CamuBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot |
+
https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/ |
+
Cannibal Rat is a Python-written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in py2exe format, with python27.dll and the Python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.
+Cannibal Rat is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat |
+
http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html |
+
Carbanak is also known as:
+Anunak
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak |
+
+ |
https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf |
+
https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html |
+
Carberp is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp |
+
Cardinal RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat |
+
+ |
ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.
+Casper is also known as:
+Links |
+
+ |
https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/ |
+
Catchamas is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas |
+
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets |
+
CCleaner Backdoor is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor |
+
+ |
https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/ |
+
+ |
https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident |
+
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html |
+
http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/ |
+
+ |
https://www.wired.com/story/ccleaner-malware-targeted-tech-firms |
+
https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer |
+
+ |
https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident |
+
http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor |
+
+ |
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html |
+
CenterPOS is also known as:
+cerebrus
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos |
+
https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html |
+
A prolific ransomware which originally added ".cerber" as a file extension to encrypted files. It has undergone multiple iterations in which the extension has changed. It uses a very readily identifiable set of UDP activity to check in and report infections. It primarily uses Tor for payment information.
+Cerber is also known as:
+Links |
+
+ |
http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/ |
+
https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/ |
+
https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/ |
+
https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html |
+
Cerbu is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner |
+
ChChes is also known as:
+Ham Backdoor
+Links |
+
+ |
https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html |
+
+ |
+ |
+ |
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
+
CherryPicker POS is also known as:
+cherrypickerpos
+cherrypicker
+cherry_picker
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker |
+
+ |
+ |
ChewBacca is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca |
+
http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/ |
+
Adware that shows advertisements using plugin techniques for popular browsers.
+Chinad is also known as:
+Links |
+
+ |
Chthonic is also known as:
+AndroKINS
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic |
+
+ |
+ |
https://securelist.com/chthonic-a-new-modification-of-zeus/68176/ |
+
Citadel is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel |
+
https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/ |
+
+ |
+ |
+ |
Client Maximus is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus |
+
+ |
Cloud Duke is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke |
+
+ |
CMSBrute is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute |
+
https://securelist.com/the-shade-encryptor-a-double-threat/72087/ |
+
CMSTAR is also known as:
+meciv
+Links |
+
+ |
+ |
+ |
+ |
+ |
Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers a wealth of functionality to the attacker, including, but not limited to:
+Execute commands
+Log keystrokes
+Upload/download files
+SOCKS proxy
+Privilege escalation
+Mimikatz
+Port scanning
+Lateral Movement
+The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
+Cobalt Strike is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike |
+
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks |
+
https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html |
+
https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ |
+
+ |
Cobian RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat |
+
https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat |
+
https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html |
+
CobInt is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence about the compromised machine and to stream video from its desktop. If the operator decides that the system is of interest, the backdoor downloads and launches a Cobalt Strike framework stager.
+CobInt is also known as:
+COOLPANTS
+Links |
+
+ |
+ |
+ |
https://asert.arbornetworks.com/double-the-infection-double-the-fun/ |
+
Cobra Carbon System is also known as:
+Carbon
+Links |
+
+ |
https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra |
+
+ |
https://securelist.com/analysis/publications/65545/the-epic-turla-operation/ |
+
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ |
+
+ |
CockBlocker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker |
+
https://twitter.com/JaromirHorejsi/status/817311664391524352 |
+
CodeKey is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey |
+
https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf |
+
Cohhoc is also known as:
+Links |
+
+ |
+ |
Coinminer is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer |
+
+ |
https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/ |
+
Colony is also known as:
+Bandios
+GrayBird
+Links |
+
+ |
+ |
+ |
+ |
Combojack is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.combojack |
+
+ |
Combos is also known as:
+Links |
+
+ |
+ |
ComodoSec is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec |
+
https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt |
+
Computrace is also known as:
+lojack
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace |
+
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/ |
+
https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html |
+
https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research |
+
https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/ |
+
ComradeCircle is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle |
+
+ |
concealment_troy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy |
+
https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf |
+
http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html |
+
Conficker is also known as:
+downadup
+traffic converter
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker |
+
http://contagiodump.blogspot.com/2009/05/win32conficker.html |
+
Confucius is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius |
+
+ |
+ |
Contopee is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee |
+
https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks |
+
CookieBag is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag |
+
+ |
Corebot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot |
+
+ |
https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/ |
+
http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/ |
+
Coreshell is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell |
+
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
+
+ |
+ |
http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html |
+
CradleCore is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore |
+
https://blogs.forcepoint.com/security-labs/cradlecore-ransomware-source-code-sale |
Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.crashoverride |
+
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf |
+
Credraptor is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor |
+
http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ |
+
Crenufs is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs |
+
Crimson is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson |
+
https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF |
+
Crisis is also known as:
+Links |
+
+ |
http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html |
+
https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines |
+
+ |
Cryakl is also known as:
+Links |
+
+ |
+ |
https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/ |
+
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TrojCryakl-B/detailed-analysis.aspx |
+
https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware |
+
+ |
CryLocker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker |
+
CrypMic is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic |
+
+ |
https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/ |
+
Crypt0l0cker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker |
+
http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html |
+
CryptoLocker is a sophisticated malware that was launched in late 2013. It is designed to attack the Windows operating system by encrypting all the files on the system using an RSA-2048 public key. To decrypt the affected files, the user has to pay a ransom (usually 300 USD/EUR) or 2 Bitcoins.
+CryptoLocker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker |
+
https://www.secureworks.com/research/cryptolocker-ransomware |
+
+ |
CryptoLuck is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck |
+
+ |
CryptoMix is also known as:
+CryptFile2
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix |
+
https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/ |
+
https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/ |
+
Cryptorium is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium |
+
+ |
CryptoShield is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield |
+
+ |
+ |
CryptoShuffler is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler |
+
+ |
Cryptowall is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall |
+
CryptoWire is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowire |
+
+ |
CryptoFortress is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress |
+
https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/ |
+
+ |
http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html |
+
CryptoRansomeware is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware |
+
https://twitter.com/JaromirHorejsi/status/818369717371027456 |
+
CryptXXXX is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx |
+
https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/ |
+
CsExt is also known as:
+Links |
+
+ |
+ |
Cuegoe is also known as:
+Windshield?
+Links |
+
+ |
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html |
+
https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal |
+
http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html |
+
+ |
Cueisfry is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry |
+
+ |
Cutlet is also known as:
+Links |
+
+ |
http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html |
+
Cutwail is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail |
+
CyberGate is also known as:
+Rebhip
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate |
+
+ |
CyberSplitter is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter |
+
CycBot is also known as:
+Links |
+
+ |
https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/ |
+
Dairy is also known as:
+Links |
+
+ |
+ |
Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
+DanaBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot |
+
https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/ |
+
https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0 |
+
https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/ |
+
+ |
https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/ |
+
DarkComet is also known as:
+Fynloski
+klovbot
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet |
+
https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/ |
+
https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/ |
+
+ |
http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html |
+
DarkMegi is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi |
+
http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html |
+
http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html |
+
Darkmoon is also known as:
+Chymine
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon |
+
http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html |
+
http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html |
+
https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml |
+
DarkPulsar is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar |
+
https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/ |
+
DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.
+DarkShell is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell |
+
+ |
DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.
+Darksky is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky |
+
+ |
+ |
+ |
DarkStRat is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkstrat |
+
https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/ |
+
Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.
+DarkTequila is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila |
+
+ |
Darktrack RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat |
+
+ |
https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html |
+
Daserf is also known as:
+Muirim
+Nioupale
+Links |
+
+ |
https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/ |
+
+ |
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses |
+
Datper is also known as:
+Links |
+
+ |
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses |
+
+ |
http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html |
+
DDKONG is also known as:
+Links |
+
+ |
+ |
Decebal is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal |
+
https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf |
+
+ |
+ |
Delta (Alfa, Bravo, …) is also known as:
+Links |
+
+ |
https://www.arbornetworks.com/blog/asert/pivoting-off-hidden-cobra-indicators/ |
+
Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse SOCKS5, Tor and VNC modules can be added.
+Dented is also known as:
+Links |
+
+ |
DeputyDog is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog |
+
+ |
DeriaLock is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock |
+
+ |
Derusbi is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi |
+
https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf |
+
http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf |
+
https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ |
+
Devil’s Rat is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat |
+
Dexter is also known as:
+LusyPOS
+Links |
+
+ |
+ |
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware—Getting-Your-Hands-Dirty/ |
+
https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information |
+
https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html |
+
http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html |
+
+ |
https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html |
+
DE Loader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.de_loader |
+
+ |
https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks |
+
https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware |
+
Dharma is also known as:
+Crysis
+Arena
+Links |
+
+ |
https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/ |
+
DiamondFox is also known as:
+Crystal
+Gorynych
+Gorynch
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox |
+
https://www.scmagazine.com/inside-diamondfox/article/578478/ |
+
https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/ |
+
https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/ |
+
http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/ |
+
+ |
Dimnie is also known as:
+Links |
+
+ |
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/ |
+
DirCrypt is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt |
+
+ |
https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf |
+
DistTrack is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack |
+
https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis |
+
+ |
+ |
http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware |
+
http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/ |
+
http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html |
+
DMA Locker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker |
+
+ |
https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/ |
+
+ |
DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.
+DNSMessenger is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger |
+
https://blog.talosintelligence.com/2017/03/dnsmessenger.html |
+
http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/ |
+
https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html |
+
DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.
+DogHousePower is also known as:
+Shelma
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower |
+
+ |
NgrBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot |
+
https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/ |
+
http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html |
+
+ |
Dorshel is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel |
+
+ |
DoublePulsar is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar |
+
https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/ |
+
https://github.com/countercept/doublepulsar-c2-traffic-decryptor |
+
https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/ |
+
https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/ |
+
Downdelph is also known as:
+DELPHACY
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph |
+
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
+
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf |
+
Downeks is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks |
+
+ |
DownPaper is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper |
+
+ |
DramNudge is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge |
+
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*) +2014 Dreambot (Gozi ISFB variant)
+In 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.
+See win.gozi for additional historical information.
+DreamBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot |
+
+ |
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality |
+
OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term." +According to MalwareBytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method." +IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."
+Dridex is also known as:
+Links |
+
+ |
https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/ |
+
https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/ |
+
https://securityintelligence.com/dridexs-cold-war-enter-atombombing/ |
+
+ |
https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps |
+
https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/ |
+
+ |
https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/ |
+
https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/ |
+
DROPSHOT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot |
+
+ |
https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/ |
+
https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/ |
+
DtBackdoor is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dtbackdoor |
+
DualToy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dualtoy |
+
+ |
DarkHotel is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel |
+
https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/ |
+
http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html |
+
https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/ |
+
https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/ |
+
DUBrute is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute |
+
+ |
Dumador is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador |
+
DuQu is also known as:
+Links |
+
+ |
+ |
Duuzer is also known as:
+Links |
+
+ |
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group |
+
Dyre is also known as:
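Review bot: several of the added entries in this hunk emit empty link cells (`+ |` with no URL), and the DDKONG entry ends up with a Links row that holds only two blank cells and no reference at all; the generator should skip references that have no resolvable URL rather than emitting empty table cells. In the same hunk, multi-line descriptions are being flattened onto a single line with a literal `+` as the separator, e.g. the Dreambot entry `2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*) +2014 Dreambot (Gozi ISFB variant)` and the three Dridex quotations joined with `+`; render each description line as its own paragraph or `<br>` so the Dreambot version history and its `(*)` marker stay readable.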
@@ -16832,7 +25847,7 @@ As a distribution vector RedAlert 2 uses third-party app stores and imitates reaLinks |
|
+ | |
https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/ |
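Review bot: the `+ | |` line inserted ahead of the Malwarebytes Dyreza link adds an empty cell to the Dyre Links row; drop references that carry no URL instead of emitting blank cells.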
@@ -16849,16 +25864,19 @@ As a distribution vector RedAlert 2 uses third-party app stores and imitates rea
|
+ |
MaMi is also known as:
+EDA2 is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom |
+
https://twitter.com/JaromirHorejsi/status/815861135882780673 |
Xtreme RAT is also known as:
-ExtRat
-EHDevel is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel |
https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html |
-|
https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat |
-|
https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html |
+
IcedID Downloader is also known as:
+Elirks is also known as:
Links |
http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/ |
-
https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/ |
-
elf.wellmess is also known as:
-Links |
-
MalumPOS is also known as:
-Links |
-
http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf |
-
Banatrix is also known as:
-Links |
-
https://www.cert.pl/en/news/single/banatrix-an-indepth-look/ |
-
UPAS is also known as:
-Rombrast
-Links |
-
https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html |
-
- |
https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/ |
-
Imminent Monitor RAT is also known as:
-Links |
-
https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/ |
-
CryptXXXX is also known as:
-Links |
-
https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/ |
-
LatentBot is also known as:
-Links |
-
https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html |
-
https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access |
-
- |
https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/ |
-
https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/ |
-
PowerDuke is also known as:
-Links |
-
- |
Rombertik is also known as:
-CarbonGrabber
-Links |
-
- |
MirageFox is also known as:
-Links |
-
https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ |
-
Tempedreve is also known as:
-Links |
-
Kuaibu is also known as:
-Barys
-Gofot
-Kuaibpy
-Links |
-
Logedrut is also known as:
-Links |
+|
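Review bot: this hunk deletes whole entries (elf.wellmess, MalumPOS, Banatrix, UPAS, Imminent Monitor RAT, CryptXXXX, LatentBot, PowerDuke, Rombertik, MirageFox, Tempedreve, Kuaibu, Logedrut) together with their reference links, and nothing in the hunk re-adds them; since the surrounding changes look like an alphabetical re-sort (EDA2, EHDevel and Elirks are spliced into the MaMi, Xtreme RAT and IcedID positions), please confirm each removed family is re-emitted elsewhere in the file rather than silently dropped from the galaxy. The `-ExtRat` alias removed from Xtreme RAT here should likewise be checked against the re-added Xtreme RAT block.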
@@ -17248,12 +25940,12 @@ As a distribution vector RedAlert 2 uses third-party app stores and imitates rea |
Jager Decryptor is also known as:
+Elise is also known as:
Links |
+ |
https://securelist.com/blog/research/70726/the-spring-dragon-apt/ |
+
https://www.accenture.com/t20180127T003755Zw/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf[https://www.accenture.com/t20180127T003755Zw/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf] |
+
+ |
+ |
BrutPOS is also known as:
+Emdivi is also known as:
Links |
|
+ | + |
+ | |
http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/ |
+|
https://securelist.com/new-activity-of-the-blue-termite-apt/71876/ |
+|
http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html |
Joao is also known as:
+Empire Downloader is also known as:
Links |
|
https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader |
+
+ |
Enfal is also known as:
+Lurid
+Links |
+
+ |
https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/ |
+
http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf |
+
https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/ |
+
EquationDrug is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug |
+
http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html |
+
https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/ |
+
https://securelist.com/inside-the-equationdrug-espionage-platform/69203/ |
+
https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf |
+
Rough collection EQGRP samples, to be sorted
+Equationgroup (Sorting) is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup |
+
https://laanwj.github.io/2016/09/23/seconddate-adventures.html |
+
+ |
+ |
+ |
https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html |
+
https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html |
+
+ |
+ |
+ |
Erebus is also known as:
+Links |
+
+ |
+ |
Eredel Stealer is a low price malware that allows for extracting passwords, cookies, screen desktop from browsers and programs.
+According to nulled[.]to:
+Supported browsers +Chromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.
+Stealing FileZilla
+Stealing an account from Telegram
+Stealing AutoFill
+Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin
+Stealing files from the desktop. Supports any formats, configurable via telegram-bot
+Eredel is also known as:
+Links |
+
+ |
+ |
EternalPetya is also known as:
+ExPetr
+Pnyetya
+Petna
+NotPetya
+Nyetya
+NonPetya
+nPetya
+Diskcoder.C
+BadRabbit
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya |
+
+ |
https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/ |
+
+ |
https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4 |
+
https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/ |
+
https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/ |
+
http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html |
+
https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b |
+
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/ |
+
+ |
http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html |
+
https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/ |
+
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ |
+
https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/ |
+
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/ |
+
+ |
https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna |
+
+ |
+ |
+ |
+ |
https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/ |
+
+ |
+ |
+ |
https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/ |
+
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/ |
+
+ |
+ |
+ |
https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html |
+
https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/ |
+
+ |
+ |
EtumBot is also known as:
+HighTide
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot |
+
+ |
https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise |
+
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html |
+
Evilbunny is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny |
+
+ |
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab |
+
KAgent is also known as:
-Links |
-
- |
GlanceLove is also known as:
-Links |
-
- |
- |
https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/ |
-
https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/ |
-
- |
Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.
+Privately modded version of the Pony stealer.
Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:
-for i in range(0,num_read): - buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF-
NetWire RC is also known as:
+EvilPony is also known as:
Recam
+CREstealer
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony |
http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/ |
+https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware |
https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data |
+https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/ |
http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html |
-|
+ | https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/ |
GetMyPass is also known as:
+Evrial is also known as:
+Links |
+
+ |
+ |
Excalibur is also known as:
getmypos
+Sabresac
+Saber
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur |
https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html |
-|
https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html |
-|
+ | https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies |
Bella is also known as:
+MS Exchange Tool is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool |
+ | + |
jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io.
-jRAT is also known as:
+Xtreme RAT is also known as:
Jacksbot
+ExtRat
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat |
+ | https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html |
https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered |
+https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html |
+
+ | |
https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat |
Solarbot is also known as:
-Napolar
-Eye Pyramid is also known as:
Links |
|
https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid |
- |
CoinThief is also known as:
-Links |
+https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/ |
https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed |
-
VM Zeus is also known as:
-VMzeus
-ZeusVM
-Zberp
-Links |
-
- |
https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/ |
-
https://asert.arbornetworks.com/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf |
-
SocksBot is also known as:
-Links |
-
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf |
-
Emdivi is also known as:
-Links |
-
http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/ |
-
http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html |
-
https://securelist.com/new-activity-of-the-blue-termite-apt/71876/ |
-
- |
Satan Ransomware is also known as:
-Links |
-
https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread |
-
- |
https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html |
-
Microcin is also known as:
-Links |
-
https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/ |
-
https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf |
-
Tapaoux is also known as:
-Links |
-
- |
MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.
-MysteryBot is also known as:
-Links |
-
https://www.threatfabric.com/blogs/mysterybota_new_android_banking_trojan_ready_for_android_7_and_8.html[https://www.threatfabric.com/blogs/mysterybota_new_android_banking_trojan_ready_for_android_7_and_8.html] |
-
Cohhoc is also known as:
-Links |
-|
+ |
Links |
|
http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.fakedga |
http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html |
+|
FakeRean is also known as:
+Braviax
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean |
+
https://blog.threattrack.com/fakerean-comes-of-age-turns-hard-core/ |
+
+ |
+ |
+ |
FakeTC is also known as:
+Links |
+
+ |
http://www.welivesecurity.com/2015/07/30/operation-potao-express/ |
+
Fanny is also known as:
+Links |
+
+ |
https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1 |
+
FantomCrypt is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt |
+
https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/ |
+
FastPOS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos |
+
http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf |
+
+ |
+ |
Felismus is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus |
+
+ |
Felixroot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot |
+
https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257 |
+
+ |
Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victims computer, such as credit card details or credentials.
+Feodo is also known as:
+Cridex
+Bugat
+Links |
+
+ |
http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html |
+
+ |
https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/ |
+
http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html |
+
FF RAT is also known as:
+Links |
+
+ |
https://www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html |
+
FileIce is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.fileice_ransom |
+
+ |
FindPOS is also known as:
+Poseidon
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos |
+
https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/ |
+
+ |
FinFisher RAT is also known as:
+FinSpy
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher |
+
https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html |
+
https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html |
+
https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/ |
+
https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/ |
+
+ |
https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf |
+
+ |
Fireball is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball |
+
http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/ |
+
FireCrypt is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt |
+
https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/ |
+
FireMalv is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv |
+
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf |
+
FirstRansom is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom |
+
https://twitter.com/JaromirHorejsi/status/815949909648150528 |
+
FlawedAmmyy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy |
+
+ |
+ |
+ |
+ |
FlexiSpy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy |
+
https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/ |
+
FlokiBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot |
+
http://blog.talosintel.com/2016/12/flokibot-collab.html#more |
+
https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html |
+
https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/ |
+
+ |
https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/ |
+
https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/ |
+
https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/ |
+
https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/ |
+
Floxif is also known as:
+Links |
+
+ |
https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library |
+
Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text.
+Flusihoc is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc |
+
https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/ |
+
Fobber is also known as:
+Links |
+
+ |
http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html |
+
http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf |
+
+ |
https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber |
+
http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html |
+
FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
+Formbook is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook |
+
https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html |
+
http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ |
+
http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html |
+
https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/ |
+
+ |
http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html |
+
https://blog.talosintelligence.com/2018/06/my-little-formbook.html |
+
FormerFirstRAT is also known as:
+ffrat
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat |
+
+ |
Freenki Loader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki |
+
+ |
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html |
+
FriedEx is also known as:
+BitPaymer
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex |
+
https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/ |
+
Furtim is also known as:
+Links |
+
+ |
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4341&sid=af76b944112a234fa933cc934d21cd9f |
+
+ |
GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.
+It seems to make use of iplogger.com for tracking. +It employed WMI to check the system for +- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor +- IWbemServices::ExecQuery - select * from Win32_VideoController +- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct
+GalaxyLoader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader |
+
gamapos is also known as:
+pios
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos |
+
http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf |
+
Gameover DGA is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga |
+
Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.
+Gameover P2P is also known as:
+ZeuS P2P
+GOZ
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p |
+
+ |
https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf |
+
http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf |
+
+ |
https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf |
+
Gamotrol is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol |
+
win.gandcrab is also known as:
+GrandCrab
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab |
+
+ |
https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/ |
+
https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/ |
+
+ |
http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/ |
+
+ |
+ |
https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html |
+
http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf |
+
+ |
Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only).
+Gaudox is also known as:
+Links |
+
+ |
http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html |
+
Gauss is also known as:
+Links |
+
+ |
http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html |
+
Gazer is also known as:
+WhiteBear
+Links |
+
+ |
https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/ |
+
+ |
+ |
+ |
+ |
gcman is also known as:
+Links |
+
+ |
+ |
GearInformer is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer |
+
https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html |
+
+ |
Geodo is also known as:
+Emotet
+Heodo
+Links |
+
+ |
https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/ |
+
+ |
https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html |
+
https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html |
+
https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/ |
+
+ |
https://research.checkpoint.com/emotet-tricky-trojan-git-clones/ |
+
+ |
https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader |
+
+ |
https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/ |
+
https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor |
+
+ |
https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus |
+
+ |
http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 |
+
GetMail is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail |
+
+ |
GetMyPass is also known as:
+getmypos
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass |
+
https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html |
+
+ |
+ |
https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html |
+
Ghole is also known as:
+CoreImpact (Modified)
+Links |
+
+ |
https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/ |
+
http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf |
+
+ |
Gh0stnet is also known as:
+Remosh
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet |
+
http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html |
+
+ |
GhostAdmin is also known as:
+Ghost iBot
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin |
+
+ |
https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html |
+
Ghost RAT is also known as:
+PCRat
+Gh0st RAT
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat |
+
https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/ |
+
http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf |
+
+ |
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf |
+
http://www.malware-traffic-analysis.net/2018/01/04/index.html |
+
+ |
+ |
+ |
Glasses is also known as:
+Wordpress Bruteforcer
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses |
+
+ |
GlassRAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat |
+
+ |
GlobeImposter is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter |
+
+ |
https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet |
+
+ |
https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant |
+
https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run |
+
+ |
Globe is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom |
+
GlooxMail is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail |
+
+ |
win.glupteba is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba |
+
https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/ |
+
+ |
https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/ |
+
http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/ |
+
+ |
Godzilla Loader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader |
+
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4349&p=28427#p28346 |
+
Goggles is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles |
+
+ |
GoldenEye is also known as:
+Petya/Mischa
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye |
+
http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html |
+
+ |
+ |
GoldDragon is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon |
+
+ |
Golroted is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted |
+
http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html |
+
Goodor is also known as:
+Fuerboos
+Links |
+
+ |
+ |
GoogleDrive RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat |
+
https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf |
+
GooPic Drooper is also known as:
+Links |
+
+ |
+ |
Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.
+GootKit is also known as:
+talalpek
+Xswkit
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit |
+
https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/ |
+
+ |
https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/ |
+
https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps |
+
https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/ |
+
+ |
https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/ |
+
+ |
http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html |
+
https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/ |
+
+ |
http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html |
+
+ |
https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/ |
+
+ |
+ |
GovRAT is also known as:
+Links |
+
+ |
+ |
2000 Ursnif aka Snifula +2006 Gozi v1.0, Gozi CRM, CRM, Papras +2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*) +→ 2010 Gozi Prinimalka → Vawtrak/Neverquest
+In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. +It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.
+In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
+Gozi is also known as:
+CRM
+Gozi CRM
+Papras
+Snifula
+Ursnif
+Links |
+
+ |
https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 |
+
+ |
+ |
+ |
http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html |
+
GPCode is also known as:
+Links |
+
+ |
https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2 |
+
http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html |
+
+ |
ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html |
+
http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/ |
+
GrabBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot |
+
http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data |
+
Graftor is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor |
+
http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html |
+
POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. +Masked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.
+Grateful POS is also known as:
+FrameworkPOS
+trinity
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos |
+
+ |
http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html |
+
+ |
Gratem is also known as:
+Links |
+
+ |
https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose |
+
Gravity RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat |
+
https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/ |
+
https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html |
+
GreenShaitan is also known as:
+eoehttp
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan |
+
+ |
GROK is also known as:
+Links |
+
+ |
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf |
+
gsecdump is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump |
+
+ |
H1N1 Loader is also known as:
+Links |
+
+ |
https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities |
+
Hacksfase is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase |
+
+ |
Py2Exe based tool as found on github.
+HackSpy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy |
+
+ |
Hamweq is also known as:
+Links |
+
+ |
https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf |
+
Hancitor is also known as:
+Chanitor
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor |
+
http://www.morphick.com/resources/lab-blog/closer-look-hancitor |
+
https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear |
+
https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader |
+
+ |
+ |
+ |
https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/ |
+
https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html |
+
https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak |
+
HappyLocker (HiddenTear?) is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker |
+
Harnig is also known as:
+Piptea
+Links |
+
+ |
https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html |
+
https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html |
+
Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as "Dragonfly" and "Energetic Bear". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.
+Once installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.
+Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.
+Havex RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat |
+
+ |
HawkEye Keylogger is also known as:
+Predator Pain
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger |
+
+ |
+ |
+ |
+ |
http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html |
+
+ |
Helauto is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto |
+
+ |
Helminth is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth |
+
+ |
+ |
https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html |
+
Heloag is also known as:
+Links |
+
+ |
https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/ |
+
https://www.arbornetworks.com/blog/asert/trojan-heloag-downloader-analysis/ |
+
Herbst is also known as:
+Links |
+
+ |
https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware |
+
Heriplor is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor |
+
+ |
Hermes is also known as:
+Links |
+
+ |
http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html |
+
+ |
Hermes Ransomware is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom |
+
+ |
HerpesBot is also known as:
+Links |
+
+ |
HesperBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot |
+
HiddenTear is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear |
+
+ |
+ |
+ |
HideDRV is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv |
+
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
+
http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf |
+
HiKit is also known as:
+Links |
+
+ |
+ |
https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware |
+
himan is also known as:
+Links |
+
+ |
https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf |
+
Hi-Zor RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat |
+
https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat |
+
homefry is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry |
+
+ |
htpRAT is also known as:
+Links |
+
+ |
+ |
HTran is also known as:
+HUC Packet Transmit Tool
+Links |
+
+ |
+ |
+ |
HttpBrowser is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser |
+
https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/ |
+
httpdropper is also known as:
+httpdr0pper
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper |
+
http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html |
+
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf |
+
https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787 |
+
http_troy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy |
+
https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf |
+
http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html |
+
Hworm is also known as:
+houdini
+Links |
+
+ |
+ |
HyperBro is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro |
+
https://securelist.com/luckymouse-hits-national-data-center/86083/ |
+
Analysis Observations:
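Review bot: the link tables in these added entries contain many empty cells (a bare "+ |" row with no URL), for example several under GandCrab and Gazer and every row under gcman and GooPic Drooper, so the generator appears to emit a table row for each reference in the source but loses the URL for some of them; the output currently renders as blank rows, so check how the template handles those reference entries before merging. Separately, the descriptions carry typos from upstream ("a http loader", "The first sample was upload in November 2017", "Py2Exe based tool as found on github"); since galaxy.html is generated, those belong in the source JSON rather than in this file.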
@@ -17896,7 +29869,7 @@ rundll32.exe kernel32,Sleep -sLinks |
|
http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/ |
-|
https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/ |
+|
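Review bot: this hunk only moves an empty table cell ("|") from before the securityintelligence.com IcedID link to after it, with no content change; if galaxy.html is regenerated from the galaxy JSON, this is ordering churn from the generator, and emitting link rows in a stable (sorted) order would keep future diffs readable.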
@@ -17916,23 +29886,28 @@ rundll32.exe kernel32,Sleep -s | |
https://www.fidelissecurity.com/threatgeek/2017/11/tracking-emotet-payload-icedid |
|
https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/ |
+|
https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html |
+|
http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/ |
+|
https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/ |
+
TreasureHunter is also known as:
-huntpos
-IcedID Downloader is also known as:
Links |
|
https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader |
https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/ |
+https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/ |
+ | http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/ |
AlmaLocker is also known as:
+Icefog is also known as:
Links |
-
Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.
-Ratty is also known as:
-Links |
|
+ | + |
Terminator RAT is also known as:
-Fakem RAT
-Ice IX is also known as:
Links |
|
https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf |
+|
http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html |
+|
https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf |
+https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus |
+ | https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/ |
Connic is also known as:
-SpyBanker
-IDKEY is also known as:
Links |
|
https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/ |
+
FlexNet is also known as:
-gugi
-Links |
-
- |
Elise is also known as:
-Links |
-
https://www.accenture.com/t20180127T003755Zw/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf[https://www.accenture.com/t20180127T003755Zw/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf] |
-
- |
https://securelist.com/blog/research/70726/the-spring-dragon-apt/ |
-
- |
Heriplor is also known as:
-Links |
-
- |
August Stealer is also known as:
-Links |
-
- |
https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html |
-
Cutlet is also known as:
-Links |
-
http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html |
-
According to SpiderLabs, in May 2015 the "company" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).
-Qarallax RAT is also known as:
-Links |
-
http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/ |
-
https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/ |
-
shareip is also known as:
-remotecmd
-Links |
-
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong |
-
Virut is also known as:
-Links |
-
- |
https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/ |
-
KopiLuwak is also known as:
-Links |
-
- |
https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/ |
-
Bahamut is also known as:
-Links |
-
https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/ |
-
- |
Fobber is also known as:
-Links |
-
- |
http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf |
-
https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber |
-
http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html |
-
http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html |
-
Powersniff is also known as:
-Links |
-
- |
Nemim is also known as:
-Links |
-
https://securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf |
-
Svpeng is also known as:
-Links |
-
https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/ |
-
NanoLocker is also known as:
-Links |
-
WebC2-Head is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Keydnap is also known as:
-Links |
-
- |
http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ |
-
- |
Saphyra is also known as:
-Links |
-
https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/ |
-
- |
Geodo is also known as:
-Emotet
-Heodo
-Links |
-
- |
- |
- |
https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader |
-
https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/ |
-
- |
https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus |
-
- |
http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 |
-
Molerat Loader is also known as:
-Links |
-
- |
- |
Snifula is also known as:
-Ursnif
-Links |
-
https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf |
-
Hi-Zor RAT is also known as:
-Links |
-
https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat |
-
Hworm is also known as:
-houdini
-Links |
-
- |
Crimson is also known as:
-Links |
-
https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF |
-
The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim’s phone doesn’t get infected.
-Retefe is also known as:
-Links |
-
http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html |
-
- |
http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html |
-
http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html |
-
http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html |
-
http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/ |
-
FlashBack is also known as:
-Links |
-
http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html |
-
https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed |
-
http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html |
-
FakeTC is also known as:
-Links |
-
http://www.welivesecurity.com/2015/07/30/operation-potao-express/ |
-
Matsnu is also known as:
-Links |
-
https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf |
-
Sierra(Alfa,Bravo, …) is also known as:
-Destover
-Links |
-|
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group |
-|
+ |
IISniff is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff |
+
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/ |
Stuxnet is also known as:
+Imecab is also known as:
Links |
|
http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html |
++ |
https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east |
Tinba is also known as:
+Imminent Monitor RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat |
+
https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/ |
+
Infy is also known as:
Zusy
-Illi
-TinyBanker
+Foudre
Links |
|
https://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/ |
+|
http://www.theregister.co.uk/2012/06/04/small_banking_trojan/ |
+http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/ |
https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/ |
+|
https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/ |
+https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv |
+ | https://www.intezer.com/prince-of-persia-the-sands-of-foudre/ |
- | |
https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant |
-|
- | |
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html |
-|
http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/ |
-
GrabBot is also known as:
-Links |
-
http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data |
-
Duuzer is also known as:
-Links |
-
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group |
-
MyloBot is also known as:
-Links |
-
- |
Eye Pyramid is also known as:
-Links |
-
- |
https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/ |
-
DarkPulsar is also known as:
-Links |
-
https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/ |
-
GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.
-It seems to make use of iplogger.com for tracking. -It employed WMI to check the system for -- IWbemServices::ExecQuery - SELECT * FROM Win32_Processor -- IWbemServices::ExecQuery - select * from Win32_VideoController -- IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct
-GalaxyLoader is also known as:
-Links |
-
StarsyPound is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
MacDownloader is also known as:
-Links |
-
https://iranthreats.github.io/resources/macdownloader-macos-malware/ |
-
ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper. -ISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.
-Incredibly, it uses an hard-coded user agent string: HardCore Software For : Public
-ISR Stealer is also known as:
-Links |
-
- |
DoublePulsar is also known as:
-Links |
-
https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/ |
-
https://github.com/countercept/doublepulsar-c2-traffic-decryptor |
-
https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/ |
-
https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/ |
-
CenterPOS is also known as:
-cerebrus
-Links |
-
https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html |
-
Thanatos is also known as:
-Alphabot
-Links |
-
- |
DtBackdoor is also known as:
-Links |
-
FlexiSpy is also known as:
-Links |
-
https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/ |
-
SNS Locker is also known as:
-Links |
-
WebC2-Rave is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
GROK is also known as:
-Links |
-
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf |
-
NETEAGLE is also known as:
-ScoutEagle
-Links |
-
- |
Enfal is also known as:
-Lurid
-Links |
-
http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf |
-
https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/ |
-
https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/ |
-
Sys10 is also known as:
-Links |
-
https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf |
-
https://securelist.com/analysis/publications/69953/the-naikon-apt/ |
-
- |
Synth Loader is also known as:
-Links |
-
MoonWind is also known as:
-Links |
-
- |
Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded.
-Schneiken is also known as:
-Links |
-
https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb |
-
- |
Lazarus ELF Backdoor is also known as:
-Links |
-
- |
ZoxPNG is also known as:
-gresim
-Links |
-
http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf |
-
Arik Keylogger is also known as:
-Aaron Keylogger
-Links |
-
- |
https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/ |
-
Bitsran is also known as:
-Links |
-
http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html |
-
WebMonitor RAT is also known as:
-Links |
-
- |
ISMDoor is also known as:
-Links |
-
- |
- |
Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. It’s primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic.
-Retefe is also known as:
-Werdlod
-Tsukuba
-Links |
-
- |
- |
- |
https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/ |
-
PowerRatankba is also known as:
-Links |
-
https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/ |
-
- |
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf |
-
Zebrocy (AutoIT) is also known as:
-Links |
-
https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ |
-
DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.
-Darksky is also known as:
-Links |
-
- |
- |
- |
NetTraveler is also known as:
-TravNet
-Links |
-
https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests |
-
https://cdn.securelist.com/files/2014/07/kaspersky-the-net-traveler-part1-final.pdf |
-
Crypt0l0cker is also known as:
-Links |
-
http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html |
-
Empire Downloader is also known as:
-Links |
-
- |
Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text.
-win.flusihoc is also known as:
-Links |
-
https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/ |
-
Colony is also known as:
-Bandios
-GrayBird
-Links |
-
- |
- |
- |
SeaSalt is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Dairy is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Crossrider is also known as:
-Links |
-
- |
JripBot is also known as:
-Links |
-
- |
Socks5 Systemz is also known as:
-Links |
-
EtumBot is also known as:
-HighTide
-Links |
-
- |
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html |
-
https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise |
-
Golroted is also known as:
-Links |
-
http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html |
-
LogPOS is also known as:
-Links |
-|
https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html |
+
InnaputRAT is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat |
+
PadCrypt is also known as:
+InvisiMole is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole |
- |
FriedEx is also known as:
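Review bot: the added `+InvisiMole is also known as:` header lands directly after the unchanged `PadCrypt is also known as:` header, and the only link row that follows it is the new `+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole |`, so PadCrypt is left with no Links block of its own in this hunk. Check that the InvisiMole block was inserted as a separate entry after PadCrypt's links rather than inside the PadCrypt entry, and that PadCrypt keeps its own Links block.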
-Links |
-
https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/ |
-
Darkmoon is also known as:
-Chymine
-Links |
-
http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html |
-
https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml |
-
http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html |
-
Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.
-Gameover P2P is also known as:
-ZeuS P2P
-GOZ
-Links |
-
https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf |
-
http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf |
-
- |
- |
https://www.fox-it.com/nl/wp-content/uploads/sites/12/FoxIT-Whitepaper_Blackhat-web.pdf |
-
BatchWiper is also known as:
-Links |
-
http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html |
-
GuiInject is also known as:
-Links |
-
https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/ |
-
PubNubRAT is also known as:
-Links |
-
https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html |
-
Magniber is also known as:
-Links |
-
- |
- |
- |
EDA2 is also known as:
-Links |
-
https://twitter.com/JaromirHorejsi/status/815861135882780673 |
-
Felismus is also known as:
-Links |
-
- |
SunOrcal is also known as:
-Links |
-
- |
http://pwc.blogs.com/cyber_security_updates/2016/03/index.html |
-
Sathurbot is also known as:
-Links |
-
https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/ |
-
Unidentified 029 is also known as:
-Links |
-
Lambert is also known as:
-Links |
-
- |
- |
https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7 |
-
https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/ |
-
GPCode is also known as:
-Links |
-
http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html |
-
http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/ |
-
- |
ftp://ftp.tuwien.ac.at/languages/php/oldselfphp/internet-security/analysen/index-id-200883584.html |
-
https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2 |
-
Ranbyus is also known as:
-Links |
-
https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/ |
-
https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/ |
-
- |
- |
Nymaim is also known as:
-nymain
-Links |
-
- |
Xpan is also known as:
-Links |
-
https://securelist.com/blog/research/78110/xpan-i-am-your-father/ |
-
https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/ |
-
Odinaff is also known as:
-Links |
-
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks |
-
Zollard is also known as:
-darlloz
-Links |
-
https://blogs.cisco.com/security/the-internet-of-everything-including-malware |
-
Unidentified 020 (Vault7) is also known as:
-Links |
-
- |
TorrentLocker is also known as:
-Links |
-
- |
- |
gamapos is also known as:
-pios
-Links |
-
http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf |
-
Nautilus is also known as:
-Links |
-
- |
X-Agent is also known as:
-splm
-chopstick
-Links |
-
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
-
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
-
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/ |
-
- |
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf |
-
BadEncript is also known as:
-Links |
-
https://twitter.com/PhysicalDrive0/status/833067081981710336 |
-
X-Agent is also known as:
-Popr-d30
-Links |
-
http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/ |
-
http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/ |
-
Allaple is also known as:
-Starman
-Links |
-
https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf |
-
https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/ |
-
Naikon is also known as:
-Links |
-
https://securelist.com/analysis/publications/69953/the-naikon-apt/ |
-
- |
FruitFly is also known as:
-Quimitchin
-Links |
-
- |
- |
https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html |
-
- |
https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ |
-
ThumbThief is also known as:
-Links |
-
http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/ |
-
CCleaner Backdoor is also known as:
-Links |
-
- |
https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident |
-
- |
https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident |
-
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html |
-
http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/ |
-
- |
https://www.wired.com/story/ccleaner-malware-targeted-tech-firms |
-
https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer |
-
- |
https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/ |
-
http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor |
-
- |
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html |
-
ARS VBS Loader is also known as:
-Links |
-
- |
- |
Nocturnal Stealer is also known as:
-Links |
-
https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap |
-
Unidentified 001 is also known as:
-Links |
-
ThunderShell is also known as:
-Links |
-
- |
Karagany is also known as:
-Links |
-
- |
Ghole is also known as:
-CoreImpact (Modified)
-Links |
-
http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf |
-
- |
ZhMimikatz is also known as:
-Links |
-
- |
Vreikstadi is also known as:
-Links |
-
https://twitter.com/malware_traffic/status/821483557990318080 |
-
Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.
-win.phorpiex is also known as:
-Trik
-Links |
-
- |
- |
https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/ |
-
https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows |
-
Crisis is also known as:
-Links |
-
- |
http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html |
-
https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines |
-
HTML5 Encoding is also known as:
-Links |
-
- |
AMTsol is also known as:
-Adupihan
-Links |
-
- |
- |
Thanatos Ransomware is also known as:
-Links |
-
https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html |
-
- |
- |
DiamondFox is also known as:
-Crystal
-Gorynch
-Gorynych
-Links |
-
https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/ |
-
http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/ |
-
https://www.scmagazine.com/inside-diamondfox/article/578478/ |
-
- |
https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/ |
-
Spora is also known as:
-Links |
-
https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/ |
-
https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/ |
-
https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas |
-
https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware |
-
- |
- |
Matryoshka RAT is also known as:
-Links |
-
- |
Unidentified 042 is also known as:
-Links |
-
http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/ |
-
TinyTyphon is also known as:
-Links |
-
- |
Uroburos is also known as:
-Links |
-
https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/ |
-
https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/ |
-
CryptoMix is also known as:
-CryptFile2
-Links |
-
https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/ |
-
https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/ |
-
Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as "Dragonfly" and "Energetic Bear". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.
-Once installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.
-Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.
-Havex RAT is also known as:
-Links |
-
- |
GhostCtrl is also known as:
-Links |
-
- |
Jaku is also known as:
-Reconcyc
-Links |
-
- |
- |
Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers.
-win.triton is also known as:
-Trisis
-HatMan
-Links |
-
- |
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware |
-
- |
- |
- |
Helauto is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
badflick is also known as:
-Links |
-
- |
DualToy is also known as:
-Links |
-
- |
Lamdelin is also known as:
-Links |
-
http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/ |
-
Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.
-PC Surveillance System is also known as:
-PSS
-Links |
-
https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/ |
-
According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc.This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.
-Kardon Loader is also known as:
-Links |
-
https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/ |
-
https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab |
-
WebC2-Table is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Sedreco is also known as:
-eviltoss
-azzy
-Links |
-
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
-
- |
- |
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf |
-
Buhtrap is also known as:
-Links |
-
https://www.arbornetworks.com/blog/asert/diving-buhtrap-banking-trojan-activity/ |
-
MacRansom is also known as:
-Links |
-
- |
https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service |
-
Nagini is also known as:
-Links |
-
http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/ |
-
OpGhoul is also known as:
-Links |
-
- |
Medre is also known as:
-Links |
-
http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html |
-
Shylock is also known as:
-Caphaw
-Links |
-
https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/ |
-
http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html |
-
- |
https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/ |
-
https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware |
-
https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw |
-
ShellLocker is also known as:
-Links |
-
https://twitter.com/JaromirHorejsi/status/813726714228604928 |
-
Leverage is also known as:
-Links |
-
https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis |
-
https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/ |
-
Necurs is also known as:
-nucurs
-Links |
-
- |
https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features |
-
http://blog.talosintelligence.com/2017/03/necurs-diversifies.html |
-
https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf |
-
- |
https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/ |
-
- |
https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/ |
-
Philadephia Ransom is also known as:
-Links |
-
- |
https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html |
-
- |
https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector |
-
https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/ |
-
Evilbunny is also known as:
-Links |
-
- |
- |
Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to:
-Execute commands
-Log keystrokes
-Upload/download files
-SOCKS proxy
-Privilege escalation
-Mimikatz
-Port scanning
-Lateral Movement
-The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
-Cobalt Strike is also known as:
-Links |
-
https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html |
-
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks |
-
- |
https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ |
-
Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.
-win.medusa is also known as:
-Links |
-
https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/ |
-
https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/ |
-
- |
- |
HappyLocker (HiddenTear?) is also known as:
-Links |
-
win.glupteba is also known as:
-Links |
-
- |
http://malwarefor.me/2015-04-13-nuclear-ek-glupteba-and-operation-windigo/ |
-
- |
https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/ |
-
https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/ |
-
PoohMilk Loader is also known as:
-Links |
-
- |
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html |
-
Romeo(Alfa,Bravo, …) is also known as:
-Links |
-
xsPlus is also known as:
-nokian
-Links |
-
https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf |
-
https://securelist.com/analysis/publications/69953/the-naikon-apt/ |
-
- |
Bouncer is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Combojack is also known as:
-Links |
-
- |
StarCruft is also known as:
-Links |
-
- |
Ruckguv is also known as:
-Links |
-
https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear |
-
CryptoWire is also known as:
-Links |
-
- |
Adware that shows advertisements using plugin techniques for popular browsers
-Chinad is also known as:
-Links |
-
AvastDisabler is also known as:
-Links |
-
https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/ |
-
Lurk is also known as:
-Links |
-
https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader |
-
POSHSPY is also known as:
-Links |
-
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html |
-
- |
IsSpace is also known as:
-Links |
-
- |
QakBot is also known as:
-Pinkslipbot
-Qbot
-Links |
-
- |
https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/ |
-
- |
- |
https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf |
-
https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html |
-
https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf |
-
Silon is also known as:
-Links |
-
http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm |
-
http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html |
-
Tater PrivEsc is also known as:
-Links |
-
- |
JadeRAT is also known as:
-Links |
-
- |
Stealth Mango is also known as:
-Links |
-
- |
WebC2-DIV is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
TeslaCrypt is also known as:
-Links |
-
- |
https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/ |
-
- |
https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/ |
-
https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf |
-
- |
- |
Wirenet is also known as:
-Links |
-
http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html |
-
- |
Mughthesec is also known as:
-Links |
-
- |
Uiwix is also known as:
-Links |
-
https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue |
-
Goggles is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Maktub is also known as:
-Links |
-
https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/ |
-
https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html |
-
https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/ |
-
Slingshot is also known as:
-Links |
-
- |
- |
https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/ |
-
OceanLotus is also known as:
-Links |
-
- |
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html |
-
https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/ |
-
- |
BetaBot is also known as:
-Neurevt
-Links |
-
https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39 |
-
- |
- |
http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref |
-
https://www.arbornetworks.com/blog/asert/beta-bot-a-code-review/ |
-
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en |
-
http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html |
-
Babar is also known as:
-SNOWBALL
-Links |
-
- |
https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/ |
-
https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/ |
-
- |
https://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/ |
-
Alina POS is also known as:
-alina_spark
-katrina
-alina_eagle
-Links |
-
- |
- |
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware—sparks—off-a-new-variant/ |
-
https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/ |
-
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina—Casting-a-Shadow-on-POS/ |
-
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina—Following-The-Shadow-Part-1/ |
-
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina—Following-The-Shadow-Part-2/ |
-
Vobfus is also known as:
-Links |
-
http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html |
-
https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/ |
-
Pony is also known as:
-Fareit
-Links |
-
https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf |
-
- |
Banjori is also known as:
-MultiBanker 2
-BankPatch
-BackPatcher
-Links |
-
- |
- |
- |
TeleDoor is also known as:
-Links |
-
http://blog.talosintelligence.com/2017/07/the-medoc-connection.html |
-
https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/ |
-
Hacksfase is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Py2Exe based tool as found on github.
-HackSpy is also known as:
-Links |
-
- |
Fireball is also known as:
-Links |
-
http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/ |
-
StarLoader is also known as:
-Links |
-
- |
scanbox is also known as:
-Links |
-
- |
- |
X-Agent is also known as:
-Links |
-
http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/ |
-
https://twitter.com/PhysicalDrive0/status/845009226388918273 |
-
- |
Mirage is also known as:
-Links |
-
https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ |
-
FastPOS is also known as:
-Links |
-
- |
- |
http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf |
-
Razy is also known as:
-xcmkds
-Links |
-
https://twitter.com/JaromirHorejsi/status/816915354698076161 |
-
Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim. -The distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered. -Currently the malware has overlays for over 2,200 apps of banks and financial institutions.
-Catelites is also known as:
-Links |
-
https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang |
-
- |
Unidentified 038 is also known as:
-Links |
-
ShadowPad is also known as:
-XShellGhost
-Links |
-
https://securelist.com/shadowpad-in-corporate-networks/81432/ |
-
https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf |
-
http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070 |
-
Vawtrak is also known as:
-NeverQuest
-Links |
-
- |
https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak |
-
https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf |
-
Crisis is also known as:
-Links |
-
- |
http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html |
-
https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines |
-
BadNews is also known as:
-Links |
-
http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1 |
-
- |
- |
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf |
-
http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2 |
-
Unidentified 032 is also known as:
-Links |
-
https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/ |
-
BONDUPDATER is also known as:
-Links |
-
- |
POWRUNER is also known as:
-Links |
-
- |
Netrepser is also known as:
-Links |
-
https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/ |
-
DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.
-DogHousePower is also known as:
-Shelma
-Links |
-
- |
Pushdo is also known as:
-Links |
-
- |
- |
https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/ |
-
Royal DNS is also known as:
-Links |
-
- |
- |
Seduploader is also known as:
-jhuhugit
-jkeyskw
-carberplike
-downrage
-Links |
-
https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/ |
-
https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html |
-
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/ |
-
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf |
-
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html |
-
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
-
http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/ |
-
- |
- |
- |
- |
AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.
-Azorult is also known as:
-PuffStealer
-Rultazo
-Links |
-
- |
- |
- |
http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html |
-
https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers |
-
HiKit is also known as:
-Links |
-
- |
https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware |
-
Moose is also known as:
-Links |
-
- |
- |
http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/ |
-
Cannibal Rat is a python written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.
-Cannibal Rat is also known as:
-Links |
-
http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html |
-
Orcus RAT is also known as:
-Links |
-
https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors |
-
https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/ |
-
- |
- |
Dvmap is also known as:
-Links |
-
https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/ |
-
Syscon is also known as:
-Links |
-
- |
http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/ |
-
Sarhust is also known as:
-Links |
-
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a |
-
A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan, but could also be used as an infostealer or backdoor.
-Zloader is also known as:
-Zeus Terdot
-Links |
-
- |
- |
https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/ |
-
Unidentified 023 is also known as:
-Links |
-
mozart is also known as:
-Links |
-
https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html |
-
DeriaLock is also known as:
-Links |
-
- |
Korlia is also known as:
-bisonal
-Links |
-
https://securitykitten.github.io/2014/11/25/curious-korlia.html |
-
- |
TeleRAT is also known as:
-Links |
-
- |
Pitou is also known as:
-Links |
-
- |
https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf |
-
KillDisk is also known as:
-Links |
-
http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ |
-
- |
Laziok is also known as:
-Links |
-
https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector |
-
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802 |
-
BS2005 is also known as:
-Links |
-
- |
- |
Laoshu is also known as:
-Links |
-
- |
- |
EternalPetya is also known as:
-NonPetya
-Diskcoder.C
-NotPetya
-Petna
-Nyetya
-BadRabbit
-nPetya
-ExPetr
-Pnyetya
-Links |
-
- |
- |
- |
- |
https://labsblog.f-secure.com/2017/06/30/eternal-petya-from-a-developers-perspective/ |
-
https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b |
-
https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/ |
-
https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/ |
-
http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html |
-
- |
- |
- |
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/ |
-
- |
https://labsblog.f-secure.com/2017/06/29/petya-i-want-to-believe/ |
-
http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html |
-
- |
https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/ |
-
- |
https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/ |
-
- |
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ |
-
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/ |
-
- |
https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna |
-
- |
https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4 |
-
https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/ |
-
- |
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/ |
-
https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/ |
-
https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html |
-
- |
- |
DarkComet is also known as:
-Fynloski
-klovbot
-Links |
-|
- | |
https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/ |
-|
http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html |
-|
https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/ |
+https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/ |
Links |
+ |
https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html |
+
https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb |
https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html |
CMSBrute is also known as:
-Links |
-
https://securelist.com/the-shade-encryptor-a-double-threat/72087/ |
-
Listrix is also known as:
-Links |
-
- |
Ransomlock is also known as:
-WinLock
-Links |
-
- |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2 |
-
Unidentified 045 is also known as:
-Links |
-
WireX is also known as:
-Links |
-
https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/ |
-
https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/ |
-
Slave is also known as:
-Links |
-
https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/ |
-
TinyZ is also known as:
-Catelites Android Bot
-MarsElite Android Bot
-Links |
-
- |
RGDoor is also known as:
-Links |
-
- |
- |
Citadel is also known as:
-Links |
-
- |
- |
https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/ |
-
- |
DualToy is also known as:
-Links |
-
- |
Magala is also known as:
-Links |
-
https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/ |
-
X-Tunnel is also known as:
-xaps
-Links |
-
- |
https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf |
-
https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/ |
-
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf |
-
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
-
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
-
- |
https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf |
-
OvidiyStealer is also known as:
-Links |
-
- |
Trump Ransom is also known as:
-Links |
-
CockBlocker is also known as:
-Links |
-
https://twitter.com/JaromirHorejsi/status/817311664391524352 |
-
Cryptorium is also known as:
-Links |
-
- |
FlexiSpy is also known as:
-Links |
-
https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/ |
-
PLEAD is also known as:
-TSCookie
-Links |
-
- |
https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html |
-
- |
- |
- |
Sality is also known as:
-Links |
-
- |
Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.
-GootKit is also known as:
-Xswkit
-Links |
-
https://www.lexsi.com/securityhub/homer-simpson-brian-krebs-rencontrent-zeus-gootkit/ |
-
- |
https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/ |
-
https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/ |
-
- |
https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/ |
-
- |
http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html |
-
https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/ |
-
- |
http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html |
-
- |
https://www.cyphort.com/angler-ek-leads-to-fileless-gootkit/ |
-
- |
- |
This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.
-Cpuminer is also known as:
-Links |
-
- |
Ripper ATM is also known as:
-Links |
-
http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/ |
-
MacInstaller is also known as:
-Links |
-
- |
Chapro is also known as:
-Links |
-
http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html |
-
http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a |
-
Cardinal RAT is also known as:
-Links |
-
- |
BrickerBot is also known as:
-Links |
-
https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/ |
-
- |
https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf |
-
https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/ |
-
- |
http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f |
-
- |
- |
ManameCrypt is also known as:
-CryptoHost
-Links |
-
- |
- |
Switcher is also known as:
-Links |
-
https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/ |
-
RAT written in Delphi used by Patchwork APT.
-Unidentified 047 is also known as:
-Links |
-
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ |
-
Infy is also known as:
-Foudre
-Links |
-
http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/ |
-
- |
https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv |
-
- |
Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72).
-Bunitu is also known as:
-Links |
-
https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/ |
-
- |
https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/ |
-
- |
Joanap is also known as:
-Links |
-
- |
- |
https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/ |
-
witchcoven is also known as:
-Links |
-
https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf |
-
Coreshell is also known as:
-Links |
-
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
-
- |
http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html |
-
- |
A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns.
-SnatchLoader is also known as:
-Links |
-
https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/ |
-
- |
https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/ |
-
https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/ |
-
SHAPESHIFT is also known as:
-Links |
-
- |
Proton RAT is also known as:
-Links |
-
https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does |
-
- |
- |
https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/ |
-
- |
https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/ |
-
https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/ |
-
- |
Lazarus is also known as:
-Links |
-
- |
Spedear is also known as:
-Links |
-
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets |
-
FireMalv is also known as:
-Links |
-
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf |
-
Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.
-Pwnet is also known as:
-Links |
-
https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/ |
-
A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tacitcs. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.
-TrickBot is also known as:
-Trickster
-TheTrick
-TrickLoader
-Links |
-
- |
- |
http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html |
-
https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre |
-
https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/ |
-
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/ |
-
- |
https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/ |
-
- |
http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html |
-
- |
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader |
-
- |
https://blog.fraudwatchinternational.com/malware/trickbot-malware-works |
-
https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/ |
-
- |
- |
https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot |
-
https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html |
-
https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/ |
-
https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf |
-
- |
http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot |
-
http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html |
-
https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/ |
-
http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html |
-
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core |
-
https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html |
-
- |
https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html |
-
https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html |
-
- |
https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer |
-
https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf |
-
https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/ |
-
ATI-Agent is also known as:
-Links |
-
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
-
Manifestus is also known as:
-Links |
-
- |
KLRD is also known as:
-Links |
-
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks |
-
- |
Helminth is also known as:
-Links |
-
https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html |
-
- |
- |
ScreenLocker is also known as:
-Links |
-
- |
Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.
-Loda is also known as:
-Nymeria
-Links |
-
https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware |
-
https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/ |
-
Roaming Mantis is also known as:
-Links |
-
https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/ |
-
https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/ |
-
Prikorma is also known as:
-Links |
-
https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf |
-
Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added.
-Dented is also known as:
-Links |
-
Cuegoe is also known as:
-Windshield?
-Links |
-
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html |
-
- |
http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html |
-
https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal |
-
CMSTAR is also known as:
-meciv
-Links |
-
- |
- |
- |
- |
Machete is also known as:
-El Machete
-Links |
-
- |
https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html |
-
- |
ChChes is also known as:
-Ham Backdoor
-Links |
-
https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html |
-
- |
- |
- |
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
-
BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials.
-BlackPOS is also known as:
-Reedum
-POSWDS
-Kaptoxa
-Links |
-
- |
Tyupkin is also known as:
-Links |
-
- |
Dexter is also known as:
-LusyPOS
-Links |
-
https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html |
-
https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html |
-
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware—Getting-Your-Hands-Dirty/ |
-
http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html |
-
- |
https://blog.fortinet.com/2014/03/10/how-dexter-steals-credit-card-information |
-
- |
Spamtorte is also known as:
-Links |
-
http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/ |
-
Swift? is also known as:
-Links |
-
https://securelist.com/blog/sas/77908/lazarus-under-the-hood/ |
-
InvisiMole is also known as:
-Links |
-
https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/ |
-
Excalibur is also known as:
-Sabresac
-Saber
-Links |
-
https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies |
-
Miancha is also known as:
-Links |
-
https://www.contextis.com//documents/30/TA10009_20140127_-CTI_Threat_Advisory-The_Monju_Incident1.pdf[https://www.contextis.com//documents/30/TA10009_20140127-CTI_Threat_Advisory-_The_Monju_Incident1.pdf] |
-
soraya is also known as:
-Links |
-
https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/ |
-
XP PrivEsc (CVE-2014-4076) is also known as:
-Links |
-
- |
Abbath Banker is also known as:
-Links |
-
DoubleLocker is also known as:
-Links |
-
https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/ |
-
Hide and Seek is also known as:
-Links |
-
- |
- |
CadelSpy is also known as:
-Cadelle
-Links |
-
- |
Auriga is also known as:
-Riodrv
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
DarkMegi is also known as:
-Links |
-
http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html |
-
http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html |
-
KeyBoy is also known as:
-Links |
-
https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/ |
-
https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html |
-
AbaddonPOS is also known as:
-PinkKite
-Links |
-
https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/ |
-
- |
Marcher is also known as:
-ExoBot
-Links |
-
https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware |
-
- |
https://www.clientsidedetection.com/exobot_v2_update_staying_ahead_of_the_competition.html[https://www.clientsidedetection.com/exobot_v2_update_staying_ahead_of_the_competition.html] |
-
Rockloader is also known as:
-Links |
-
- |
Lazarus is also known as:
-Links |
-
- |
https://twitter.com/PhysicalDrive0/status/828915536268492800 |
-
http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html |
-
https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html |
-
KrDownloader is also known as:
-Links |
-
- |
CpuMeaner is also known as:
-Links |
-
https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/ |
-
Adylkuzz is also known as:
-Links |
-
- |
TDTESS is also known as:
-Links |
-
- |
TinyZbot is also known as:
-Links |
-
- |
Bateleur is also known as:
-Links |
-
- |
Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).
-Satori is also known as:
-Links |
-
- |
- |
- |
- |
http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori |
-
ManItsMe is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
BlackRevolution is also known as:
-Links |
-
https://www.arbornetworks.com/blog/asert/the-revolution-will-be-written-in-delphi/ |
-
Mokes is also known as:
-Links |
-
https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/ |
-
- |
tDiscoverer is also known as:
-Links |
-
https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf |
-
Project Alice is also known as:
-Links |
-
- |
AlphaNC is also known as:
-Links |
-
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group |
-
POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. -Masked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.
-Grateful POS is also known as:
-Links |
-
http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html |
-
- |
Konni is also known as:
-Links |
-
http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html |
-
https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant |
-
https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/ |
-
http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html |
-
Rootnik is also known as:
-Links |
-
- |
- |
Unidentified APK 002 is also known as:
-Links |
-
A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host’s clipboard and beacons this information back to the C2.
-Agent Tesla is also known as:
-Links |
-
- |
- |
https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting |
-
https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr |
-
https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/ |
-
https://blogs.forcepoint.com/security-labs/part-two-camouflage-netting |
-
FinFisher RAT is also known as:
-FinSpy
-Links |
-
https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/ |
-
https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html |
-
https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html |
-
https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/ |
-
https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf |
-
- |
- |
Heloag is also known as:
-Links |
-
https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/ |
-
https://www.arbornetworks.com/blog/asert/trojan-heloag-downloader-analysis/ |
-
Ploutus ATM is also known as:
-Links |
-
https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html |
-
http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html |
-
Cryakl is also known as:
-Links |
-
https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/ |
-
https://www.v3.co.uk/v3-uk/news/3026414/belgian-police-release-decryption-keys-for-cryakl-ransomware |
-
- |
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TrojCryakl-B/detailed-analysis.aspx[https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TrojCryakl-B/detailed-analysis.aspx] |
-
DMA Locker is also known as:
-Links |
-
https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/ |
-
- |
- |
Computrace is also known as:
-lojack
-Links |
-
https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/ |
-
https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html |
-
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/ |
-
https://www.absolute.com/en/resources/faq/absolute-response-to-arbor-lojack-research |
-
KasperAgent is also known as:
-Links |
-
- |
https://www.threatconnect.com/blog/kasperagent-malware-campaign/ |
-
FindPOS is also known as:
-Poseidon
-Links |
-
https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/ |
-
- |
WebC2-Yahoo is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
CukieGrab is also known as:
-Roblox Trade Assist
-Links |
-
- |
Stampedo is also known as:
-Links |
-
- |
Bredolab is also known as:
-Links |
-
https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/ |
-
- |
GoogleDrive RAT is also known as:
-Links |
-
https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf |
-
Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.
-ReactorBot is also known as:
-Links |
-
https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under |
-
http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html |
-
- |
http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html |
-
HTran is also known as:
-HUC Packet Transmit Tool
-Links |
-
- |
- |
RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim’s desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."
-It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
-NjRAT is also known as:
-Bladabindi
-Links |
-
http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf |
-
http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf |
-
- |
- |
Tidepool is also known as:
-Links |
-
- |
- |
ZeroAccess is also known as:
-Max++
-Smiscer
-Links |
-
http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html |
-
- |
- |
https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/ |
-
http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html |
-
- |
- |
https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/ |
-
Micropsia is also known as:
-Links |
-
- |
http://blog.talosintelligence.com/2017/06/palestine-delphi.html |
-
RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim’s machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.
-Notable features of this malware family are the ability to execute commands on the affected machine to retrieve: -machine information -capture the screen -send keyboard and mouse events -keylogging -reboot the system -manage processes (create, kill and enumerate) -manage services (create, start, stop, etc.); and -manage Windows registry entries, open a shell, etc.
-The malware also logs its events in a text log file.
-PlugX is also known as:
-Korplug
-Links |
-
- |
http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html |
-
https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/ |
-
https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf |
-
https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf |
-
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
-
- |
https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/ |
-
https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/ |
-
- |
https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/ |
-
https://securelist.com/time-of-death-connected-medicine/84315/ |
-
- |
http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html |
-
- |
https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf |
-
ChewBacca is also known as:
-Links |
-
http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/ |
-
Contopee is also known as:
-Links |
-
https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks |
-
Asprox is also known as:
-Aseljo
-BadSrc
-Links |
-
https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/ |
-
http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/ |
-
DualToy is also known as:
-Links |
-
- |
NewCT is also known as:
-CT
-Links |
-
- |
CrossRAT is also known as:
-Trupto
-Links |
-
- |
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf |
-
Neutrino is also known as:
-Kasidet
-Links |
-
https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/ |
-
https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/ |
-
- |
- |
https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/ |
-
https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/ |
-
- |
http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html |
-
https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex |
-
CryptoRansomeware is also known as:
-Links |
-
https://twitter.com/JaromirHorejsi/status/818369717371027456 |
-
DROPSHOT is also known as:
-Links |
-|
- | |
https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/ |
-|
https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/ |
+https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/ |
BYEBY is also known as:
+ISMAgent is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent |
+
PrincessLocker is also known as:
+ISMDoor is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor |
https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/ |
+|
https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/ |
+
MAPIget is also known as:
+iSpy Keylogger is also known as:
Links |
|
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger |
+
AnubisSpy is also known as:
+ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper. +ISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.
+Incredibly, it uses an hard-coded user agent string: HardCore Software For : Public
+ISR Stealer is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer |
+ |
Unidentified 006 is also known as:
+IsSpace is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace |
+
+ |
Winnti is also known as:
+JackPOS is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos |
+ | https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/ |
JackPOS is also known as:
+Jaff is also known as:
Links |
https://www.trustwave.com/Resources/SpiderLabs-Blog/JackPOS-%E2%80%93-The-House-Always-Wins/ |
-
OmniRAT is also known as:
-Links |
-
- |
- |
Filecoder is also known as:
-Links |
-
https://twitter.com/JaromirHorejsi/status/877811773826641920 |
-
Popcorn Time is also known as:
-Links |
-
https://twitter.com/malwrhunterteam/status/806595092177965058 |
-
ShellBind is also known as:
-Links |
-
- |
Rakos is also known as:
-Links |
-
http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/ |
-
ISMAgent is also known as:
-Links |
-
- |
Chthonic is also known as:
-Links |
-
- |
ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.
-Casper is also known as:
-Links |
-
https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/ |
-
Hancitor is also known as:
-Chanitor
-Links |
-
https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear |
-
- |
http://www.morphick.com/resources/lab-blog/closer-look-hancitor |
-
https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader |
-
https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/ |
-
https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html |
-
- |
https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak |
-
- |
Turla RAT is also known as:
-Links |
-
PittyTiger RAT is also known as:
-Links |
-
https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf |
-
- |
Silence is also known as:
-Links |
-
- |
- |
w32times is also known as:
-Links |
-
- |
Kurton is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
MiniASP is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
The sample listed here was previously mislabeled and is now integrated into win.floki_bot. The family is to-be-updated once we have a "real" Zeus SSL sample.
-Zeus SSL is also known as:
-Links |
-
EvilOSX is also known as:
-Links |
-
- |
- |
WebAssembly-based crpyto miner.
-CryptoNight is also known as:
-Links |
-
https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec |
-
- |
GlooxMail is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Harnig is also known as:
-Piptea
-Links |
-
https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html |
-
https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html |
-
XBot POS is also known as:
-Links |
-
https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html |
-
ATMii is also known as:
-Links |
-
https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/ |
-
jSpy is also known as:
-Links |
-
https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/ |
-
Salgorea is also known as:
-Links |
-
https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf |
-
Alureon is also known as:
-TDL
-Olmarik
-TDSS
-Pihar
-Links |
-
http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html |
-
http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html |
-
http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html |
-
SSHDoor is also known as:
-Links |
-
http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html |
-
QHost is also known as:
-Tolouge
-Links |
-
Mangzamel is also known as:
-junidor
-mengkite
-vedratve
-Links |
-
- |
Punkey POS is also known as:
-Links |
-
https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/ |
-
https://www.pandasecurity.com/mediacenter/malware/punkeypos/ |
-
ONHAT is also known as:
-Links |
-
https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview |
-
Remexi is also known as:
-Links |
-
https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions |
-
- |
Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension.
-Velso Ransomware is also known as:
-Links |
-
- |
Pykspa is also known as:
-Links |
-
https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/ |
-
- |
- |
DistTrack is also known as:
-Links |
-
http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html |
-
http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/ |
-
http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware |
-
- |
https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis |
-
- |
PAS is also known as:
-Links |
-
https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity |
-
- |
BTCWare is also known as:
-Links |
-
https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/ |
-
AVCrypt is also known as:
-Links |
-
- |
Sisfader is also known as:
-Links |
-
- |
Cryptowall is also known as:
-Links |
-
Plexor is also known as:
-Links |
-
https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7 |
-
https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/ |
-
SeaDaddy is also known as:
-Links |
-
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
-
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
-
Zebrocy is also known as:
-Links |
-
https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ |
-
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ |
-
Graftor is also known as:
-Links |
-
http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html |
-
MiKey is also known as:
-Links |
-
http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger |
-
DarkHotel is also known as:
-Links |
-
https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/ |
-
https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/ |
-
http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html |
-
https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/ |
-
Multigrain POS is also known as:
-Links |
-
https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/ |
-
https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html |
-
rdasrv is also known as:
-Links |
-
https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf |
-
Rurktar is also known as:
-RCSU
-Links |
-
https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction |
-
Unidentified 048 (Lazarus?) is also known as:
-Links |
-
- |
Zeus is also known as:
-Zbot
-Links |
-
- |
http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html |
-
http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html |
-
http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html |
-
http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html |
-
- |
http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html |
-
https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite |
-
- |
- |
https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20 |
-
http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html |
-
- |
http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html |
-
- |
- |
- |
http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html |
-
Simda is also known as:
-iBank
-Links |
-
- |
MacSpy is also known as:
-Links |
-
https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service |
-
Matrix Ransom is also known as:
-Links |
-
Shifu is also known as:
-Links |
-
http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/ |
-
Slocker is also known as:
-Links |
-
- |
Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.
-DanaBot is also known as:
-Links |
-
https://0ffset.wordpress.com/2018/06/05/post-0x08-analyzing-danabot-downloader/ |
-
https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0 |
-
Jaff is also known as:
-Links |
+|
@@ -30118,29 +30434,12 @@ manage Windows registry entries, open a shell, etc. |
CryLocker is also known as:
+Jager Decryptor is also known as:
Links |
-
MazarBot is also known as:
-Links |
|
https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html |
-|
https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor |
Cobian RAT is also known as:
-Links |
-
https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html |
-
https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat |
-
Matrix Banker is also known as:
-Links |
-
https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/ |
-
HeroRAT is also known as:
-Links |
-
https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/ |
-
PowerWare is also known as:
-Links |
-
https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats |
-
FileIce is also known as:
-Links |
-
- |
Ice IX is also known as:
-Links |
-
https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/ |
-
- |
https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus |
-
Komplex is also known as:
+Jaku is also known as:
JHUHUGIT
-JKEYSKW
-SedUploader
+Reconcyc
Links |
|
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
+|
+ | |
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf |
-|
http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ |
-|
https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/ |
-
2000 Ursnif aka Snifula -2006 Gozi v1.0, Gozi CRM, CRM, Papras -2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*) -→ 2010 Gozi Prinimalka → Vawtrak/Neverquest
-In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. -It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.
-In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
-Gozi is also known as:
-Ursnif
-Snifula
-Gozi CRM
-Papras
-CRM
-Links |
-
http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html |
-
- |
- |
https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 |
-
- |
Gameover DGA is also known as:
-Links |
-
Radamant is also known as:
-Links |
-
https://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/ |
-
Winnti is also known as:
-Links |
-
- |
http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/ |
-
- |
https://www.protectwise.com/blog/winnti-evolution-going-open-source.html |
-
- |
- |
QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, …), and it comes as a SaaS. For additional historical context, please see jar.qarallax.
-QRat is also known as:
-Quaverse RAT
-Links |
-
https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT—Remote-Access-as-a-Service/ |
-
- |
- |
Derusbi is also known as:
-Links |
-
https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf |
-
http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf |
-
https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/ |
-
Careto is also known as:
-Appetite
-Mask
-Links |
-
https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed |
-
Triada is also known as:
-Links |
-
https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/ |
-
https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/ |
-
https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/ |
-
https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/ |
-
http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html |
-
EquationDrug is also known as:
-Links |
-
https://securelist.com/inside-the-equationdrug-espionage-platform/69203/ |
-
https://cdn.securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf |
-
https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/ |
-
http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html |
-
elf.vpnfilter is also known as:
-Links |
-
- |
- |
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1 |
-
https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware |
-
https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/ |
-
Penquin Turla is also known as:
-Links |
-
https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf |
-
- |
https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf |
-
Catchamas is also known as:
-Links |
-
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets |
-
BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.
-BillGates is available for *nix-based systems as well as for Windows.
-On Windows, the (Bill)Gates installer typically contains the various modules as linked resources.
-BillGates is also known as:
-Links |
-
https://securelist.com/versatile-ddos-trojan-for-linux/64361/ |
-
- |
- |
Feodo is also known as:
-Bugat
-Cridex
-Links |
-
http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html |
-
https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/ |
-
http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html |
-
XSLCmd is also known as:
-Links |
-
- |
Mamba is also known as:
-HDDCryptor
-DiskCryptor
-Links |
-
https://securelist.com/the-return-of-mamba-ransomware/79403/ |
-
- |
Downdelph is also known as:
-DELPHACY
-Links |
-
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
-
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf |
-
AscentLoader is also known as:
-Links |
-
Mutabaha is also known as:
-Links |
-
- |
UrlZone is also known as:
-Shiotob
-Bebloh
-Links |
-
- |
- |
https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/ |
-
https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html |
-
https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/ |
-
https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan |
-
https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/ |
-
WireLurker is also known as:
-Links |
-
- |
- |
Chrysaor is also known as:
-JigglyPuff
-Pegasus
-Links |
-
https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf |
-
https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html |
-
- |
https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html |
-
WannaCryptor is also known as:
-Wana Decrypt0r
-Wcry
-WannaCry
-Links |
-
- |
https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html |
-
- |
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 |
-
https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e |
-
https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58 |
-
- |
https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/ |
-
- |
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html |
-
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group |
-
https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign |
-
https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/ |
-
https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/ |
-
http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ |
-
https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d |
-
Unidentified 013 (Korean) is also known as:
-Links |
-
http://blog.talosintelligence.com/2017/02/korean-maldoc.html |
-
Ordinypt is also known as:
-Links |
-
- |
- |
xxmm is also known as:
-ShadowWalker
-Links |
-
- |
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses |
-
Rambo is also known as:
-brebsd
-Links |
-
https://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor |
-
Arefty is also known as:
-Links |
-
http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/ |
-
FireCrypt is also known as:
-Links |
-
https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/ |
-
LockPOS is also known as:
-Links |
-
https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/ |
-
https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html |
-
https://www.cyberbit.com/new-lockpos-malware-injection-technique/ |
-
Unidentified 028 is also known as:
-Links |
-
Tsunami is also known as:
-Radiation
-Amnesia
-Links |
-
- |
- |
https://www.8ackprotect.com/blog/big_brother_is_attacking_you |
-
Nymaim2 is also known as:
-Links |
-
https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/ |
-
Nanocore RAT is also known as:
-Links |
-
- |
https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/ |
-
homefry is also known as:
-Links |
-
- |
Coldroot RAT is also known as:
-Links |
-
- |
iSpy Keylogger is also known as:
-Links |
-
- |
The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll. -Both libraries are legitimate Windows drivers used to interact with the components of different ATM models.
-ATMSpitter is also known as:
-Links |
-
https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf |
-
https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf |
-
Patcher is also known as:
-Findzip
-Links |
-
http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/ |
-
Cueisfry is also known as:
-Links |
-
- |
Unidentified 051 is also known as:
-Links |
-
- |
Bundestrojaner is also known as:
-Links |
-
http://www.stoned-vienna.com/analysis-of-german-bundestrojaner.html |
-
http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf |
-
GreenShaitan is also known as:
-eoehttp
-Links |
-
- |
Misfox is also known as:
-ModPack
-MixFox
-Links |
-
H1N1 Loader is also known as:
-Links |
-
https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities |
-
Client Maximus is also known as:
-Links |
-
- |
ZooPark is also known as:
-Links |
-
- |
- |
SamSam is also known as:
-Links |
-
- |
https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/ |
-
- |
- |
http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html |
-
Kelihos is also known as:
-Links |
-
https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/ |
-
https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/ |
-
https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/ |
-
- |
Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the "Five Poisons" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.
-Reaver is also known as:
-Links |
-
- |
owaauth is also known as:
-luckyowa
-Links |
-
https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/ |
-
Trochilus RAT is also known as:
-Links |
-
- |
- |
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
-
AthenaGo RAT is also known as:
-Links |
-
- |
SquirtDanger is also known as:
-Links |
-
- |
Unidentified 035 is also known as:
-Links |
-
Volgmer is also known as:
-FALLCHILL
-Manuscrypt
-Links |
-
- |
This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.-
MBRlock is also known as:
-DexLocker
-Links |
-
http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html |
-
- |
- |
https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d |
-
Erebus is also known as:
-Links |
-
https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/ |
-
Sword is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
BlackEnergy is also known as:
-Links |
-
- |
https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/ |
-
https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/ |
-
AdWind is also known as:
-JBifrost
-JSocket
-AlienSpy
-UNRECOM
-Frutas
-Links |
-
https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/ |
-
- |
http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat |
-
https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885 |
-
- |
HideDRV is also known as:
-Links |
-
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
-
http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf |
-
FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
-Formbook is also known as:
-Links |
-
https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html |
-
http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ |
-
http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html |
-
https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/ |
-
- |
http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html |
-
https://blog.talosintelligence.com/2018/06/my-little-formbook.html |
-
MPK is also known as:
-Links |
-
- |
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf |
-
9002 RAT is also known as:
-McRAT
-Hydraq
-Links |
-
- |
- |
- |
https://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/6894315 |
-
- |
https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html |
-
- |
- |
PetrWrap is also known as:
-Links |
-
- |
- |
Buterat is also known as:
-spyvoltar
-Links |
-
http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html |
-
Privately modded version of the Pony stealer.
-EvilPony is also known as:
-CREstealer
-Links |
-
https://www.s21sec.com/en/blog/2017/07/ramnit-and-its-pony-module/ |
-
https://techhelplist.com/spam-list/1104-2017-03-27-your-amazon-com-order-has-shipped-malware |
-
https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/ |
-
KeRanger is also known as:
-Links |
-
- |
- |
- |
Troldesh is also known as:
-Shade
-Links |
-
https://securelist.com/the-shade-encryptor-a-double-threat/72087/ |
-
- |
KHRAT is also known as:
-Links |
-
- |
- |
Stantinko is also known as:
-Links |
-
- |
Ransoc is also known as:
-Links |
-
- |
NexusLogger is also known as:
-Links |
-
- |
https://twitter.com/PhysicalDrive0/status/842853292124360706 |
-
Decebal is also known as:
-Links |
-
- |
https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf |
-
- |
TinyLoader is also known as:
-Links |
-|
https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0 |
+
Cobra Carbon System is also known as:
-Carbon
-Links |
-
- |
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ |
-
- |
https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra |
-
https://securelist.com/analysis/publications/65545/the-epic-turla-operation/ |
-
HiddenLotus is also known as:
-Links |
-
- |
Umbreon is also known as:
-Espeon
-Links |
-
- |
http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html |
-
For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky.
-Locky Loader is also known as:
-Links |
-
ZXShell is also known as:
-Sensocode
-Jasus is also known as:
Links |
|
- | |
+ | |
+ |
MacVX is also known as:
+Jigsaw is also known as:
Links |
|
+ |
sykipot is also known as:
-getkys
-Jimmy is also known as:
Links |
|
https://www.alienvault.com/blogs/labs-research/sykipot-is-back |
-|
+ | |
- | |
- |
StealthAgent is also known as:
-Links |
-|
https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF |
+https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/ |
Upatre is also known as:
+Joanap is also known as:
Links |
|
https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/ |
+|
+ |
Hamweq is also known as:
-Links |
+|
https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf |
+https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/ |
NetSupportManager RAT is also known as:
+Joao is also known as:
Links |
|
- | |
+ | |
https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/ |
+https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/ |
Jolob is also known as:
Links |
+ |
WebC2-GreenCat is also known as:
+JQJSNICKER is also known as:
Links |
|
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker |
+
+ |
JripBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot |
+
+ |
KAgent is also known as:
+Links |
+
+ |
+ |
Karagany is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany |
+
+ |
According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc.This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.
+Kardon Loader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader |
+
https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/ |
+
https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab |
Karius is also known as:
Links |
|
https://research.checkpoint.com/banking-trojans-development/ |
+|
https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/ |
|
https://research.checkpoint.com/banking-trojans-development/ |
+
Alreay is also known as:
+KasperAgent is also known as:
Links |
|
https://securelist.com/blog/sas/77908/lazarus-under-the-hood/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent |
+
+ | |
https://www.threatconnect.com/blog/kasperagent-malware-campaign/ |
Stresspaint is also known as:
+Kazuar is also known as:
Links |
|
+ | |
- | |
https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/ |
-|
+ |
Scote is also known as:
+Kegotip is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip |
Rough collection EQGRP samples, to be sorted
-Equationgroup (Sorting) is also known as:
+Kelihos is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos |
+ | https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/ |
https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html |
+https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/ |
+ | https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/ |
- | |
https://laanwj.github.io/2016/09/23/seconddate-adventures.html |
-|
- | |
- | |
https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html |
+
CrypMic is also known as:
-Links |
-
- |
https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/ |
-
Zeus Sphinx is also known as:
-Links |
-
- |
- |
https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/ |
-
Locky (Decryptor) is also known as:
-Links |
-
MimiKatz is also known as:
-Links |
-
- |
https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/ |
-
http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle |
-
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks |
-
win.gandcrab is also known as:
-Links |
-
https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html |
-
- |
- |
- |
FakeRean is also known as:
+KeyBoy is also known as:
Braviax
+TSSL
Links |
|
https://blog.threattrack.com/fakerean-comes-of-age-turns-hard-core/ |
+|
+ | https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html |
+ | https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/ |
+
+ | |
https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/ |
Nexster Bot is also known as:
+APT3 Keylogger is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3 |
+
http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong |
+|
+ | |
https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/ |
Mosquito is also known as:
+KEYMARBLE is also known as:
Links |
|
https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble |
https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf |
+
Moker is also known as:
+KHRAT is also known as:
Links |
|
https://breakingmalware.com/malware/moker-part-2-capabilities/ |
+|
https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/ |
+|
https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/ |
-|
http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network |
+
Zeus MailSniffer is also known as:
+Kikothac is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac |
+
https://www.group-ib.com/resources/threat-research/silence.html |
+
FantomCrypt is also known as:
+KillDisk is also known as:
Links |
|
https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk |
GearInformer is also known as:
-Links |
+http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ |
- | |
https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html |
-
SslMM is also known as:
-Links |
-
https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf |
-
https://securelist.com/analysis/publications/69953/the-naikon-apt/ |
-
- |
FirstRansom is also known as:
-Links |
-
https://twitter.com/JaromirHorejsi/status/815949909648150528 |
-
BernhardPOS is also known as:
-Links |
-
https://www.morphick.com/resources/news/bernhardpos-new-pos-malware-discovered-morphick |
-
iMuler is also known as:
-Revir
-Links |
-
http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html |
-
- |
Kovter is also known as:
-Links |
-
- |
https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/ |
-
Makadocs is also known as:
-Links |
-
http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html |
-
https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs |
-
Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.
-Lethic is also known as:
-Links |
-
http://www.malware-traffic-analysis.net/2017/11/02/index.html |
-
http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html |
-
https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/ |
-
http://resources.infosecinstitute.com/win32lethic-botnet-analysis/ |
-
WndTest is also known as:
-Links |
-
- |
Unidentified 034 is also known as:
-Links |
-
https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/ |
-
ComradeCircle is also known as:
-Links |
-
- |
Goodor is also known as:
-Fuerboos
-Links |
-
- |
Tofsee is also known as:
-Gheg
-Links |
-
- |
https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/ |
-
https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/ |
-
AdultSwine is also known as:
-Links |
-
https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/ |
-
Morto is also known as:
-Links |
-
http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html |
-
- |
- |
KrBanker is also known as:
-BlackMoon
-Links |
-
- |
https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan |
-
- |
http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-BlackMoon_Ver_1.0_External_ENG.pdf[http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming-_BlackMoon_Ver_1.0_External_ENG.pdf] |
-
The iOS malware that is installed over USB by osx.wirelurker
-WireLurker is also known as:
-Links |
-
- |
Unidentified 043 is also known as:
-Links |
-
Szribi is also known as:
-Links |
-
https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel |
-
- |
- |
CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins.
-CryptoLocker is also known as:
-Links |
-
- |
https://www.secureworks.com/research/cryptolocker-ransomware |
-
WebC2-AdSpace is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
TemptingCedar Spyware is also known as:
-Links |
-
https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware |
-
Cloud Duke is also known as:
-Links |
-
- |
taidoor is also known as:
-simbot
-Links |
-
https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html |
-
- |
http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html |
-
CyberSplitter is also known as:
-Links |
-
Trump Bot is also known as:
-Links |
-
- |
Unidentified 025 (Clickfraud) is also known as:
-Links |
-
- |
Winsloader is also known as:
-Links |
-
- |
Pteranodon is also known as:
-Links |
-
https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/ |
-
FormerFirstRAT is also known as:
-ffrat
-Links |
-
- |
Rustock is also known as:
-Links |
-|
http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf |
-|
http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html |
-|
http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html |
-|
https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html |
-|
https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/ |
-|
- | |
- | |
http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/ |
+
Links |
|
+ | |
+ | |
https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/ |
|
+ |
Irc16 is also known as:
+KLRD is also known as:
Links |
|
+ | + |
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks |
+|
Shishiga is also known as:
+Koadic is also known as:
Links |
|
https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/ |
++ |
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ |
+|
Agent.BTZ is also known as:
+KokoKrypt is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt |
+
+ |
Konni is also known as:
+Links |
+
+ |
http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html |
+
http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html |
+
https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/ |
+
https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant |
+
KoobFace is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface |
+
Korlia is also known as:
Sun rootkit
-ComRAT
+Bisonal
Links |
|
http://www.intezer.com/new-variants-of-agent-btz-comrat-found/ |
+|
https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/ |
+https://securitykitten.github.io/2014/11/25/curious-korlia.html |
+ | |
http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html |
+|
https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified |
+https://www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf |
http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/ |
-|
+ |
Zezin is also known as:
+Kovter is a Police Ransomware
+Feb 2012 - Police Ransomware +Aug 2013 - Became AD Fraud +Mar 2014 - Ransomware to AD Fraud malware +June 2014 - Distributed from sweet orange exploit kit +Dec 2014 - Run affiliated node +Apr 2015 - Spread via fiesta and nuclear pack +May 2015 - Kovter become fileless +2016 - Malvertising campaign on Chrome and Firefox +June 2016 - Change in persistence +July 2017 - Nemucod and Kovter was packed together +Jan 2018 - Cyclance report on Persistence
+Kovter is also known as:
Links |
|
+ | |
+ | https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/ |
+
+ | |
https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf |
SeDll is also known as:
+KPOT Stealer is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer |
+ | https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/ |
MrBlack is also known as:
-Links |
-
- |
Unidentified 031 is also known as:
-Links |
-
ThreeByte is also known as:
-Links |
-
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html |
-
FlokiBot is also known as:
-Links |
-
https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/ |
-
https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/ |
-
https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html |
-
https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/ |
-
- |
http://blog.talosintel.com/2016/12/flokibot-collab.html#more |
-
https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/ |
-
https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/ |
-
Avzhan is also known as:
-Links |
-
- |
Kaiten is also known as:
+KrBanker is also known as:
STD
+BlackMoon
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker |
+
https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan |
+|
http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-BlackMoon_Ver_1.0_External_ENG.pdf[http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming-_BlackMoon_Ver_1.0_External_ENG.pdf] |
+|
+ | |
Evrial is also known as:
+KrDownloader is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader |
+
Revenge RAT is also known as:
-Links |
-
- |
http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/ |
-
JenX is also known as:
-Links |
-
https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/ |
-
NewCore RAT is also known as:
-Links |
-
- |
Fanny is also known as:
-Links |
-
https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1 |
-
Shurl0ckr is also known as:
-Links |
-
- |
CryptoShield is also known as:
-Links |
-
- |
- |
IoT Reaper is also known as:
+Kronos is also known as:
Reaper
-IoTroop
+Osiris
Links |
|
http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/ |
+|
https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm |
+https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack |
https://research.checkpoint.com/new-iot-botnet-storm-coming/ |
+https://www.proofpoint.com/us/threat-insight/post/kronos-reborn |
https://embedi.com/blog/grim-iot-reaper-1-and-0-day-vulnerabilities-at-the-service-of-botnets/ |
++ |
https://www.lexsi.com/securityhub/overview-kronos-banking-malware-rootkit/?lang=en |
+|
https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/ |
+|
https://www.lexsi.com/securityhub/kronos-decrypting-the-configuration-file-and-injects/?lang=en |
+|
https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/ |
+|
https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos |
+|
https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/ |
+|
+ | |
https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/ |
+
Kuaibu is also known as:
+Barys
+Gofot
+Kuaibpy
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8 |
+
Kuluoz is also known as:
+Links |
+
+ |
Kurton is also known as:
+Links |
+
+ |
+ |
Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes "q=[ENCRYPTED DATA]" in the URI.
+Kwampirs is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs |
+
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia |
+
Lambert is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert |
+
https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/ |
+
https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7 |
+
+ |
+ |
Lamdelin is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin |
+
http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/ |
+
LatentBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot |
+
+ |
https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html |
+
https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/ |
+
https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/ |
+
https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access |
+
Lazarus is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.lazarus |
+
+ |
https://twitter.com/PhysicalDrive0/status/828915536268492800 |
+
https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html |
+
http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html |
+
Laziok is also known as:
+Links |
+
+ |
https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector |
+
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802 |
+
Leash is also known as:
+Links |
+
+ |
+ |
Leouncia is also known as:
+shoco
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia |
+
+ |
https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html |
+
https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html |
+
Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.
+Lethic is also known as:
+Links |
+
+ |
https://www.arbornetworks.com/blog/asert/lethic-spambot-analysis-pills-watches-and-diplomas/ |
+
http://resources.infosecinstitute.com/win32lethic-botnet-analysis/ |
+
http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html |
+
http://www.malware-traffic-analysis.net/2017/11/02/index.html |
+
Limitail is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail |
+
Listrix is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix |
+
+ |
According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system.
+The source is on GitHub: https://github.com/zettabithf/LiteHTTP
+LiteHTTP is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp |
+
https://malware.news/t/recent-litehttp-activities-and-iocs/21053 |
+
Locky is also known as:
Links |
|
+ | |
http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html |
|
+ | https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/ |
+
http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html |
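Review bot: the KrBanker/BlackMoon link is carried into the new version in a malformed form. The added row `http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming_-BlackMoon_Ver_1.0_External_ENG.pdf[http://training.nshc.net/ENG/Document/virus/20140305_Internet_Bank_Pharming-_BlackMoon_Ver_1.0_External_ENG.pdf]` holds two URLs that differ only in the position of the hyphen before `BlackMoon` (`_-` versus `-_`); the field should contain one verified URL, not both. Two smaller points in the same hunk: the new Kovter description collapses a dated history into a single line joined by `+` separators ("Feb 2012 - Police Ransomware +Aug 2013 - Became AD Fraud +Mar 2014 - ...") and should be one event per line, and "Cyclance" in its last entry looks like a typo for Cylance (the vendor whose blog is linked elsewhere in this patch); "Kovter is a Police Ransomware" should read "Kovter is police ransomware".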
@@ -34646,10 +31909,7 @@ Both libraries are legitimate Windows drivers used to interact with the componen
https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/ |
- | |
https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/ |
+|
https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html |
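Review bot: the Locky link `https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/` is added as a new row just before this hunk's header and still appears here as an unchanged row, so unless the two rows belong to different entries the new version ends up with the same link listed twice for Locky; keep one.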
@@ -34658,12 +31918,12 @@ Both libraries are legitimate Windows drivers used to interact with the componen
Cpuminer is also known as:
+Locky (Decryptor) is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor |
Mebromi is also known as:
+For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky.
+Locky Loader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader |
+
LockPOS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos |
+
https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/ |
+
https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html |
+
https://www.cyberbit.com/new-lockpos-malware-injection-technique/ |
+
Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.
+Loda is also known as:
MyBios
+Nymeria
Links |
|
https://www.symantec.com/connect/blogs/bios-threat-showing-again |
+|
https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/ |
+https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware |
http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html |
-|
http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/ |
+https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/ |
Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.
-Maintools.js is also known as:
+Logedrut is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.logedrut |
+
Floxif is also known as:
+LogPOS is also known as:
Links |
|
https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library |
++ |
https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html |
Persirai is also known as:
-Links |
-
- |
WildFire is also known as:
-Links |
-
https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/ |
-
UDPoS is also known as:
-Links |
-
https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html |
-
https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns |
-
BankBot is also known as:
-Links |
-
- |
https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/ |
-
http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html |
-
http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html |
-
- |
Skarab Ransom is also known as:
-Links |
-
- |
WebC2-UGX is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Confucius is also known as:
-Links |
-
- |
- |
CyberGate is also known as:
-Rebhip
-Links |
-
- |
"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe
LokiBot is also known as:
+Loki Password Stealer (PWS) is also known as:
+Loki
+LokiPWS
+LokiBot
+Links |
|
https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws |
+|
https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file |
+|
https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/ |
+|
+ | |
http://www.malware-traffic-analysis.net/2017/06/12/index.html |
|
https://www.lastline.com/blog/password-stealing-malware-loki-bot/ |
-|
https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file |
-|
- | |
https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/ |
+https://www.lastline.com/blog/password-stealing-malware-loki-bot/ |
Bankshot is also known as:
-Links |
+https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf |
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF |
-|
+ |
Luminosity RAT is also known as:
Links |
|
https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat |
+|
+ | |
+ | |
https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark |
|
http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html |
|
- | |
+ | https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/ |
running_rat is also known as:
+Lurk is also known as:
Links |
|
+ | + |
https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader |
WinMM is also known as:
+Luzo is also known as:
Links |
|
https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf |
++ |
Lyposit is also known as:
+Lucky Locker
+Adneukine
+Bomba Locker
+Links |
|
https://securelist.com/analysis/publications/69953/the-naikon-apt/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit |
+
https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/ |
+|
http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html |
+|
http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html |
+
Machete is also known as:
+El Machete
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.machete |
+
+ |
https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html |
+
+ |
MadMax is also known as:
+Links |
+
+ |
+ |
Magala is also known as:
+Links |
+
+ |
https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/ |
+
Magniber is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber |
+
+ |
+ |
+ |
MajikPos is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos |
+
http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/ |
+
Makadocs is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs |
+
http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html |
+
https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs |
+
MakLoader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader |
+
https://twitter.com/James_inthe_box/status/1046844087469391872 |
+
Maktub is also known as:
+Links |
+
+ |
https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/ |
+
https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html |
+
https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/ |
+
MalumPOS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos |
+
http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf |
+
Mamba is also known as:
+HDDCryptor
+DiskCryptor
+Links |
+
+ |
+ |
https://securelist.com/the-return-of-mamba-ransomware/79403/ |
+
ManameCrypt is also known as:
+CryptoHost
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt |
+
+ |
+ |
Mangzamel is also known as:
+junidor
+mengkite
+vedratve
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel |
+
+ |
Manifestus is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware |
+
+ |
ManItsMe is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme |
+
+ |
MAPIget is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget |
+
+ |
Marap is a downloader, named after its command and control (C&C) phone home parameter "param" spelled backwards. It is written in C and contains a few notable anti-analysis features.
+Marap is also known as:
+Links |
+
+ |
+ |
Matrix Banker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker |
+
https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/ |
+
Matrix Ransom is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom |
+
Matryoshka RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat |
+
+ |
Matsnu is also known as:
+Links |
+
+ |
https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf |
+
This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.+
MBRlock is also known as:
+DexLocker
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock |
+
+ |
+ |
https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d |
+
http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html |
+
Mebromi is also known as:
+MyBios
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi |
+
http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html |
+
https://www.symantec.com/connect/blogs/bios-threat-showing-again |
+
http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/ |
+
https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/ |
+
Medre is also known as:
+Links |
+
+ |
http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html |
+
Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.
+win.medusa is also known as:
+Links |
+
+ |
+ |
+ |
https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/ |
+
https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/ |
+
Mewsei is also known as:
+Links |
+
+ |
Miancha is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha |
+
https://www.contextis.com//documents/30/TA10009_20140127_-CTI_Threat_Advisory-The_Monju_Incident1.pdf[https://www.contextis.com//documents/30/TA10009_20140127-CTI_Threat_Advisory-_The_Monju_Incident1.pdf] |
+
Micrass is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass |
+
+ |
Microcin is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin |
+
https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/ |
+
https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf |
+
Micropsia is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia |
+
+ |
http://blog.talosintelligence.com/2017/06/palestine-delphi.html |
+
https://research.checkpoint.com/apt-attack-middle-east-big-bang/ |
+
Mikoponi is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi |
+
MILKMAID is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid |
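Review bot: the Loki Password Stealer entry ends up with the lastline.com link twice: `https://www.lastline.com/blog/password-stealing-malware-loki-bot/` is an unchanged row and is added again as a new row a few lines later, so the added duplicate should be dropped. Further points in this hunk: the Medusa heading uses the internal identifier (`win.medusa is also known as:`) where every other entry uses the display name and should read `Medusa is also known as:`; the Miancha link to the Context IS Monju advisory has the same doubled-URL problem seen in the KrBanker entry (`...TA10009_20140127_-CTI_Threat_Advisory-The_Monju_Incident1.pdf[...TA10009_20140127-CTI_Threat_Advisory-_The_Monju_Incident1.pdf]`) and should carry a single URL; the MBRlock description ends with a stray `+` ("...before Windows starts.+"); and the Locky Loader description should read "For lack of a better name, this is a VBS-based loader that was used at the beginning of 2018 to deliver win.locky."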
@@ -35255,12 +33184,12 @@ RULE SID RULE NAME |
FlexiSpy is also known as:
+MimiKatz is also known as:
Links |
|
https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz |
+
+ | |
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks |
+|
https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/ |
+|
http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle |
DirCrypt is also known as:
+MiniASP is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp |
https://www.checkpoint.com/download/public-files/TCC_WP_Hacking_The_Hacker.pdf |
+
ZeroT is also known as:
+Mirage is also known as:
Links |
|
https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx |
++ |
https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ |
RTM is also known as:
+MirageFox is also known as:
Links |
|
https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox |
+
https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ |
Dorshel is also known as:
+Mirai is also known as:
Links |
|
+ | + |
https://twitter.com/PhysicalDrive0/status/830070569202749440 |
+|
https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/ |
+|
https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html |
Kazuar is also known as:
+Misdat is also known as:
Links |
|
+ | + |
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf |
WebC2-Qbp is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
The NJCCIC describes 7ev3n as a ransomware "that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n."
-7ev3n is also known as:
-Links |
-
https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/ |
-
https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n |
-
GooPic Drooper is also known as:
-Links |
-
- |
HttpBrowser is also known as:
-Links |
-
https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/ |
-
RawPOS is also known as:
-Links |
-
- |
OpBlockBuster is also known as:
-Links |
-
http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/ |
-
Apocalipto is also known as:
-Links |
-
https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf |
-
Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.
-AdamLocker is also known as:
-Links |
-
- |
https://twitter.com/JaromirHorejsi/status/813712587997249536 |
-
RokRAT is also known as:
-Links |
-
- |
http://blog.talosintelligence.com/2017/04/introducing-rokrat.html |
-
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html |
-
http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html |
-
- |
https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/ |
-
Viper RAT is also known as:
-Links |
-
https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/ |
-
https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/ |
-
WebC2-Kt3 is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Pirrit is also known as:
-Links |
-
- |
http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf |
-
Xaynnalc is also known as:
-Links |
-
- |
Conficker is also known as:
+Misfox is also known as:
traffic converter
+MixFox
downadup
+ModPack
Links |
|
http://contagiodump.blogspot.com/2009/05/win32conficker.html |
+
Acronym is also known as:
+Miuref is also known as:
Links |
https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/ |
-
Credraptor is also known as:
-Links |
-
http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ |
-
Dockster is also known as:
-Links |
-
http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html |
-
- |
MS Exchange Tool is also known as:
-Links |
-
- |
- |
Darktrack RAT is also known as:
-Links |
-
- |
https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html |
-
Raxir is also known as:
-Links |
-
https://twitter.com/PhysicalDrive0/statuses/798825019316916224 |
-
Stabuniq is also known as:
-Links |
-
http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html |
-
https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers |
-
WMI Ghost is also known as:
-Wimmie
-Syndicasec
-Links |
-
- |
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets |
-
Carbanak is also known as:
-Anunak
-Links |
-|
https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html |
-|
https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf |
-|
+ |
MM Core is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core |
+
https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose |
CryptoLuck is also known as:
+MobiRAT is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat |
+
https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/ |
Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.
+Mocton is also known as:
PE timestamps suggest that it came into existence in the second half of 2014.
+Links |
+
+ |
Some versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).
-YoungLotus is also known as:
+ModPOS is also known as:
DarkShare
+straxbot
Links |
|
+ | + |
https://www.fireeye.com/blog/threat-research/2015/11/modpos.html |
+|
https://twitter.com/physicaldrive0/status/670258429202530306 |
Satana is also known as:
+Moker is also known as:
Links |
|
+ | + |
https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/ |
+|
https://breakingmalware.com/malware/moker-part-2-capabilities/ |
+|
http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network |
+|
https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/ |
GhostAdmin is also known as:
-Ghost iBot
-Mokes is also known as:
Links |
|
+ | |
https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html |
-
SpyBanker is also known as:
-Links |
-
- |
- |
Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only).
-Gaudox is also known as:
-Links |
-
http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html |
-
NgrBot is also known as:
-Links |
-
https://securingtomorrow.mcafee.com/mcafee-labs/ngrbot-spreads-via-chat/ |
-
- |
http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html |
-
CookieBag is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Snojan is also known as:
-Links |
-
- |
Smominru is also known as:
-Ismo
-Links |
-
- |
http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/ |
-
Alphabet Ransomware is also known as:
-Links |
-
https://twitter.com/JaromirHorejsi/status/813714602466877440 |
-
Olyx is also known as:
-Links |
-
http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html |
-
- |
Koadic is also known as:
-Links |
-
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ |
-
- |
RedAlpha is also known as:
-Links |
-
- |
Shujin is also known as:
-Links |
-
- |
- |
Xbot is also known as:
-Links |
-
- |
- |
WMImplant is also known as:
-Links |
-
https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html |
-
HyperBro is also known as:
-Links |
-|
https://securelist.com/luckymouse-hits-national-data-center/86083/ |
+
Mole is also known as:
Links |
+ |
Gh0stnet is also known as:
-Remosh
-Molerat Loader is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader |
http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html |
-
RedLeaves is also known as:
-Links |
+|
http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html |
-|
https://www.accenture.com/t20180423T055005Zw/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf[https://www.accenture.com/t20180423T055005Zw/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf] |
-|
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
-|
- | |
https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves |
-|
- |
WellMess is also known as:
-Links |
-
- |
Woolger is also known as:
-WoolenLogger
-Links |
-
http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf |
-
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf |
-
GoldenEye is also known as:
-Petya/Mischa
-Links |
-
- |
- |
http://www.threatgeek.com/2017/02/spying-on-goldeneye-ransomware.html |
-
Dok is also known as:
-Retefe
-Links |
-
http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/ |
-
- |
http://www.brycampbell.co.uk/new-blog/2017/4/30/retefe-and-osxdok-one-and-the-same |
-
https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/ |
-
SynAck is also known as:
-Links |
-
https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/ |
-
Incorporates code of Quasar RAT.
-XPCTRA is also known as:
-Expectra
-Links |
-
- |
https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis |
-
GetMail is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
NewPosThings is also known as:
-Links |
-
https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/ |
-
https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html |
-
https://asert.arbornetworks.com/lets-talk-about-newposthings/ |
-
http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/ |
-
BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.
-BKA Trojaner is also known as:
-bwin3_bka
-Links |
-
- |
Prilex is also known as:
-Links |
-
- |
- |
BravoNC is also known as:
-Links |
-
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group |
-
Neutrino POS is also known as:
-Jimmy
-Links |
-|
https://securelist.com/neutrino-modification-for-pos-terminals/78839/ |
-|
https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/ |
+
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner |
+
https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/ |
Godzilla Loader is also known as:
+MoonWind is also known as:
Links |
|
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4349&p=28427#p28346 |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind |
+
Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.
+Morphine is also known as:
Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine |
+
Sakula RAT is also known as:
+Morto is also known as:
+Links |
+
+ |
http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html |
+
+ |
+ |
Mosquito is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito |
+
https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf |
+
https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/ |
+
mozart is also known as:
+Links |
+
+ |
https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html |
+
MPK is also known as:
+Links |
+
+ |
+ |
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf |
+
MPKBot is also known as:
+Links |
+
+ |
+ |
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf |
+
Multigrain POS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos |
+
https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html |
+
https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/ |
+
murkytop is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop |
+
+ |
Murofet is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet |
+
Mutabaha is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha |
+
+ |
MyKings Spreader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader |
+
+ |
http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/ |
+
MyloBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot |
+
+ |
N40 is also known as:
+Links |
+
+ |
+ |
Nabucur is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur |
+
Nagini is also known as:
+Links |
+
+ |
http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/ |
+
Naikon is also known as:
+Links |
+
+ |
+ |
https://securelist.com/analysis/publications/69953/the-naikon-apt/ |
+
Nanocore RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore |
+
+ |
https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/ |
+
+ |
NanoLocker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker |
+
Narilam is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam |
+
http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html |
+
https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage |
+
Nautilus is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus |
+
+ |
NavRAT is also known as:
+Links |
+
+ |
+ |
Necurs is also known as:
Sakurel
+nucurs
Links |
|
+ | |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99 |
+|
https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula |
+https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features |
+ | http://blog.talosintelligence.com/2017/03/necurs-diversifies.html |
+
https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf |
+|
+ | |
https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/ |
+|
+ | |
https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/ |
+|
https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/ |
Unidentified 033 is also known as:
-Links |
-
WSO is also known as:
+Nemim is also known as:
Webshell by Orb
+Nemain
Links |
|
+ | |
+ | https://securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf |
Bahamut is also known as:
+NetC is also known as:
Links |
|
https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/ |
+|
+ |
Freenki Loader is also known as:
+NETEAGLE is also known as:
+ScoutEagle
+Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle |
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html |
+
KokoKrypt is also known as:
+Netrepser is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger |
+
https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/ |
+
NetSupportManager RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat |
+
+ |
+ |
https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/ |
+
NetTraveler is also known as:
+TravNet
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler |
+
https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests |
+
https://cdn.securelist.com/files/2014/07/kaspersky-the-net-traveler-part1-final.pdf |
+
Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.
+Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:
+for i in range(0,num_read): + buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF+
NetWire RC is also known as:
+Recam
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire |
+
+ |
http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/ |
+
https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data |
+
+ |
http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html |
+
Neuron is also known as:
+Links |
+
+ |
+ |
Neutrino is also known as:
+Kasidet
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino |
+
+ |
http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html |
+
https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/ |
+
+ |
https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/ |
+
+ |
https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex |
+
https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/ |
+
https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/ |
+
Neutrino POS is also known as:
+Jimmy
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos |
+
https://securelist.com/neutrino-modification-for-pos-terminals/78839/ |
+
https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/ |
+
NewCore RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat |
+
+ |
NewPosThings is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings |
+
https://asert.arbornetworks.com/lets-talk-about-newposthings/ |
+
https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html |
+
https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/ |
+
http://www.cyintanalysis.com/a-quick-look-at-a-likely-newposthings-sample/ |
+
NewsReels is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels |
+
+ |
NewCT is also known as:
+CT
+Links |
+
+ |
+ |
Nexster Bot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot |
+
+ |
NexusLogger is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger |
+
https://twitter.com/PhysicalDrive0/status/842853292124360706 |
+
+ |
Ngioweb is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb |
+
https://research.checkpoint.com/ramnits-network-proxy-servers/ |
+
nitlove is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove |
+
https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html |
+
Nitol is also known as:
+Links |
+
+ |
+ |
RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim’s desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."
+It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
+NjRAT is also known as:
+Bladabindi
+Links |
+
+ |
+ |
http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf |
+
http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf |
+
+ |
+ |
Nocturnal Stealer is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer |
+
https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap |
+
Nokki is a RAT type malware which is believe to evolve from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper also known as APT37.
+Nokki is also known as:
+Links |
+
+ |
+ |
+ |
Nozelesn (Decryptor) is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor |
+
nRansom is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom |
+
https://twitter.com/malwrhunterteam/status/910952333084971008 |
+
https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin |
+
https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/ |
+
Nymaim is also known as:
+nymain
+Links |
+
+ |
+ |
https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/ |
+
https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf |
+
+ |
Nymaim2 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2 |
+
https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/ |
+
OddJob is also known as:
+Links |
+
+ |
Odinaff is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff |
+
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks |
Olympic Destroyer is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer |
+
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html |
StegoLoader is also known as:
+OneKeyLocker is also known as:
Links |
|
https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.onekeylocker |
+
https://twitter.com/malwrhunterteam/status/1001461507513880576 |
FlawedAmmyy is also known as:
+ONHAT is also known as:
Links |
|
+ | |
- | |
+ | https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview |
Rikamanu is also known as:
+OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites.
+OnionDuke is also known as:
Links |
|
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke |
+
http://contagiodump.blogspot.com/2014/11/onionduke-samples.html |
+|
Ghost RAT is also known as:
+A spambot that has been observed being used for spreading Ursninf, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.
+OnlinerSpambot is also known as:
PCRat
+SBot
Gh0st RAT
+Onliner
Links |
|
https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner |
http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf |
-|
- | |
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf |
-|
http://www.malware-traffic-analysis.net/2018/01/04/index.html |
-|
- | |
+ | https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html |
Unidentified 039 is also known as:
+OopsIE is also known as:
Links |
+ |
+ |
+ |
CabArt is also known as:
+Opachki is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki |
+
http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html |
+
http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html |
+
https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519 |
+
+ |
OpGhoul is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul |
+
+ |
OpBlockBuster is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster |
+
http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/ |
+
OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions.
+OrcaRAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat |
+
http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html |
+
Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.
+Orcus RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat |
+
+ |
https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/ |
+
+ |
https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors |
+
Ordinypt is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt |
+
+ |
+ |
Overlay RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat |
+
+ |
https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking |
+
OvidiyStealer is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ovidiystealer |
+
+ |
owaauth is also known as:
+luckyowa
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth |
+
https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/ |
+
PadCrypt is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt |
+
+ |
+ |
Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011.
+paladin is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin |
+
https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf |
+
https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html |
+
According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.
+This banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.
+The baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.
+Panda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.
+PandaBanker is also known as:
+ZeusPanda
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker |
+
https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker |
+
https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ |
+
+ |
https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market |
+
+ |
https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/ |
+
+ |
https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html |
+
http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html |
+
https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks |
+
https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/ |
+
https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf |
+
https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/ |
+
http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html |
+
https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ |
+
parasite_http is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http |
+
https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks |
+
PetrWrap is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap |
+
+ |
+ |
Petya is also known as:
+Links |
+
+ |
https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/ |
+
https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/ |
+
https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/ |
+
+ |
+ |
Information gathering and downloading tool used to deliver second stage malware to the infected system
+pgift is also known as:
+ReRol
+Links |
+
+ |
+ |
Philadephia Ransom is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom |
+
https://blogs.forcepoint.com/security-labs/shelf-ransomware-used-target-healthcare-sector |
+
https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html |
+
+ |
https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/ |
+
+ |
Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.
+Phorpiex is also known as:
+Trik
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex |
+
+ |
+ |
https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows |
+
https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/ |
+
pipcreat is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat |
+
+ |
pirpi is also known as:
+Links |
+
+ |
+ |
Pitou is also known as:
+Links |
+
+ |
+ |
https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf |
+
PittyTiger RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat |
+
+ |
https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf |
+
Links |
+ |
Kitmos is also known as:
+PLAINTEE is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee |
+
+ |
playwork is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork |
+
https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html |
+
PLEAD is also known as:
KitM
+TSCookie
Links |
|
+ | + |
+ | |
+ | |
+ | |
+ | |
https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html |
+|
Dimnie is also known as:
+Plexor is also known as:
Links |
|
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/ |
++ |
https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/ |
+|
https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7 |
RatabankaPOS is also known as:
+Ploutus ATM is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm |
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf |
+https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html |
+
http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html |
Rex is also known as:
+ployx is also known as:
Links |
|
https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/ |
+|
https://thisissecurity.net/2016/10/28/octopus-rex-evolution-of-a-multi-task-botnet/ |
+https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html |
+
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TrojPloyx-A/detailed-analysis.aspx[https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TrojPloyx-A/detailed-analysis.aspx] |
BlackShades is also known as:
+RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim’s machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.
Links |
-
https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/ |
-
https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/ |
-
http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html |
-
https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/ |
-
MyKings Spreader is also known as:
+Notable features of this malware family are the ability to execute commands on the affected machine to retrieve: +machine information +capture the screen +send keyboard and mouse events +keylogging +reboot the system +manage processes (create, kill and enumerate) +manage services (create, start, stop, etc.); and +manage Windows registry entries, open a shell, etc.
Links |
-
- |
http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/ |
-
Rapid Ransom is also known as:
+The malware also logs its events in a text log file.
Links |
-
https://twitter.com/malwrhunterteam/status/997748495888076800 |
-
https://twitter.com/malwrhunterteam/status/977275481765613569 |
-
Mirai is also known as:
-Links |
-
https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/ |
-
https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html |
-
https://twitter.com/PhysicalDrive0/status/830070569202749440 |
-
SyncCrypt is also known as:
-Links |
-
- |
WebC2-Ausov is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
WebC2-Cson is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Gazer is also known as:
+PlugX is also known as:
WhiteBear
+Korplug
Links |
|
https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/ |
+|
+ | https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf |
+ | https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf |
+ | http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html |
+
+ | |
+ | |
http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html |
+|
+ | |
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
+|
https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf |
+|
https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/ |
+|
https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/ |
+|
https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/ |
+|
+ | |
https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/ |
+|
https://securelist.com/time-of-death-connected-medicine/84315/ |
+|
r2r2 is also known as:
+pngdowner is also known as:
Links |
|
https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner |
Ztorg is also known as:
-Qysly
-Links |
-
http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2 |
-
https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1 |
-
- |
Bashlite is also known as:
-lizkebab
-qbot
-torlus
-Gafgyt
-gayfgt
-Links |
-
- |
https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf |
-
https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ |
-
smac is also known as:
-speccom
-Links |
-
- |
Delta(Alfa,Bravo, …) is also known as:
-Links |
-
https://www.arbornetworks.com/blog/asert/pivoting-off-hidden-cobra-indicators/ |
-
Biscuit is also known as:
-zxdosml
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Unidentified 024 (Ransomware) is also known as:
-Links |
-
https://twitter.com/malwrhunterteam/status/789161704106127360 |
-
Venus Locker is also known as:
-Links |
-
https://twitter.com/JaromirHorejsi/status/813690129088937984 |
-
JQJSNICKER is also known as:
-Links |
-
- |
APT3 Keylogger is also known as:
-Links |
-
https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/ |
-
- |
http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong |
-
Charger is also known as:
-Links |
-
- |
http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html |
-
Unidentified APK 001 is also known as:
-Links |
-
- |
Polyglot is also known as:
-Links |
-
https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/ |
-
Ebury is also known as:
-Links |
-
http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ |
-
https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/ |
-
https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/ |
-
https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy |
-
https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf |
-
DeputyDog is also known as:
-Links |
-
- |
EHDevel is also known as:
-Links |
-
- |
RCS is also known as:
-Remote Control System
-Crisis
-Links |
-
https://www.f-secure.com/documents/996508/1030745/callisto-group |
-
https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/ |
-
CryptoShuffler is also known as:
-Links |
-
- |
Red Alert is also known as:
-Links |
-
https://twitter.com/JaromirHorejsi/status/816237293073797121 |
-
Opachki is also known as:
-Links |
-
- |
https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519 |
-
http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html |
-
http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html |
-
Corebot is also known as:
-Links |
-
https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/ |
-
- |
http://blog.deepinstinct.com/2017/11/08/a-deeper-dive-into-corebots-comeback/ |
-
General purpose backdoor
-systemd is also known as:
-Links |
-
- |
Slempo is also known as:
-SlemBunk
-Links |
-
https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html |
-
- |
DownPaper is also known as:
-Links |
-
- |
MobiRAT is also known as:
-Links |
-
https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/ |
-
Hajime is also known as:
-Links |
-
https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf |
-
https://honeynet.org/sites/default/files/Bots_Keep_Talking_To_Us.pdf |
-
- |
- |
https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things |
-
https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461 |
-
https://blog.netlab.360.com/quick-summary-port-8291-scan-en/ |
-
- |
DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.
-DarkShell is also known as:
-Links |
-
- |
murkytop is also known as:
-Links |
-
- |
KevDroid is also known as:
-Links |
-
https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/ |
-
https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html |
-
Powmet is also known as:
-Links |
-
- |
MILKMAID is also known as:
-Links |
-
- |
OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term." -According to MalwareBytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method." -IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."
-Dridex is also known as:
-Links |
-
https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/ |
-
https://blogs.it.ox.ac.uk/oxcert/2015/11/09/major-dridex-banking-malware-outbreak/ |
-
https://securityintelligence.com/dridexs-cold-war-enter-atombombing/ |
-
- |
https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps |
-
https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/ |
-
- |
https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/ |
-
https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/ |
-
NewsReels is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Unidentified 041 is also known as:
-Links |
-
Ramnit is also known as:
-Nimnul
-Links |
-
https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/ |
-
http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html |
-
http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html |
-
https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ |
-
http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html |
-
- |
Zyklon is also known as:
-Links |
-
- |
Gratem is also known as:
-Links |
-
https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigboss-and-sillygoose |
-
GoldDragon is also known as:
-Links |
-
- |
Fake Pornhub is also known as:
-Links |
-
Herbst is also known as:
-Links |
-
https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware |
-
TeleBot is also known as:
-Links |
-
http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ |
-
Linux DDoS C&C Malware
-XOR DDoS is also known as:
-Links |
-
https://www.cdnetworks.com/resources/whitepapers/sg/Whitepaper23.pdf |
-
https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html |
-
- |
Coinminer is also known as:
-Links |
-
https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/ |
-
- |
Apocalypse is also known as:
-Links |
-
- |
Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes "q=[ENCRYPTED DATA]" in the URI.
-Kwampirs is also known as:
-Links |
-
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia |
-
Downeks is also known as:
-Links |
-
- |
Tarsip is also known as:
-Links |
-
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
-
Lyposit is also known as:
-Lucky Locker
-Adneukine
-Bomba Locker
-Links |
-|
http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html |
-|
https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/ |
-|
http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html |
+https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31 |
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy |
+
SAGE is also known as:
+Polyglot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom |
+
https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/ |
+
Pony is also known as:
Saga
+Siplog
+Fareit
Links |
|
+ | |
https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga |
+https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf |
+ | https://www.uperesia.com/analysis-of-a-packed-pony-downloader |
https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/ |
+
Remsec is also known as:
+PoohMilk Loader is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk |
+
+ | |
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html |
Alma Communicator is also known as:
+Popcorn Time is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time |
+
https://twitter.com/malwrhunterteam/status/806595092177965058 |
A spambot that has been observed being used for spreading Ursninf, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.
-OnlinerSpambot is also known as:
-SBot
-Onliner
-portless is also known as:
Links |
|
https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.portless |
+
Shakti is also known as:
+poscardstealer is also known as:
Links |
|
https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer |
https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/ |
+
TabMsgSQL is also known as:
+Poweliks Dropper is also known as:
Links |
|
https://www.scribd.com/document/349629589/Appendix-C-Digital-The-Malware-Arsenal-pdf |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks_dropper |
+
https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users |
Hermes is also known as:
+PowerDuke is also known as:
Links |
|
http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke |
+
CherryPicker POS is also known as:
-cherrypicker
-cherrypickerpos
-cherry_picker
-PowerPool is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool |
+ | https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/ |
Ranscam is also known as:
+Powersniff is also known as:
Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff |
+
ComodoSec is also known as:
+PowerRatankba is also known as:
Links |
https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt |
-
Wirenet is also known as:
-Links |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba |
http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html |
+https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/ |
- |
Narilam is also known as:
-Links |
+|
http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html |
-|
https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage |
-
Skygofree is also known as:
-Links |
-
https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/ |
-
https://cdn.securelist.com/files/2018/01/Skygofree_appendix_eng.pdf |
-
MPKBot is also known as:
-Links |
-|
- | |
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf |
+https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf |
prb_backdoor is also known as:
Links |
https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor |
+
https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html |
Petya is also known as:
+Prikorma is also known as:
Links |
|
https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka |
https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/ |
-|
- | |
- | |
https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/ |
+https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf |
OnionDuke is also known as:
+Prilex is also known as:
Links |
|
+ | |
http://contagiodump.blogspot.com/2014/11/onionduke-samples.html |
++ |
+ |
PrincessLocker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker |
+
https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/ |
+
https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/ |
+
+ |
According to Matthew Mesa, this is a modular bot. The name stems from the string PsiXMainModule in binaries until mid of September 2018.
+In binaries, apart from BotModule and MainModule, references to the following Modules have be observed: +BrowserModule +BTCModule +ComplexModule +KeyLoggerModule +OutlookModule +ProcessModule +RansomwareModule +SkypeModule
+PsiX is also known as:
+Links |
+
+ |
+ |
Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.
+PC Surveillance System is also known as:
+PSS
+Links |
+
+ |
https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/ |
+
Pteranodon is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon |
+
https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/ |
+
PubNubRAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.pubnubrat |
+
+ |
https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html |
+
Punkey POS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos |
+
https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/ |
+
https://www.pandasecurity.com/mediacenter/malware/punkeypos/ |
+
pupy is also known as:
+Links |
+
+ |
+ |
+ |
+ |
https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations |
+
Pushdo is usually classified as a "downloader" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan.
+Pushdo is also known as:
+Links |
+
+ |
+ |
+ |
+ |
https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/ |
+
Putabmow is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow |
+
PvzOut is also known as:
+Links |
+
+ |
+ |
pwnpos is also known as:
+Links |
+
+ |
+ |
https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html |
+
https://twitter.com/physicaldrive0/status/573109512145649664 |
+
Pykspa is also known as:
+Links |
+
+ |
+ |
https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/ |
+
+ |
PyLocky is a ransomware that tries to pass off as Locky in its ransom note. It is written in Python and packaged with PyInstaller.
+PyLocky is also known as:
+Locky Locker
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky |
+
https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/ |
+
+ |
+ |
Qaccel is also known as:
+Links |
+
+ |
Qadars is also known as:
+Links |
+
+ |
https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan |
+
+ |
https://securityintelligence.com/an-analysis-of-the-qadars-trojan/ |
+
https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/ |
+
+ |
https://pages.phishlabs.com/rs/130-BFB-942/images/Qadars%20-%20Final.pdf |
+
QakBot is also known as:
+Qbot
+Pinkslipbot
+Links |
+
+ |
+ |
https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html |
+
https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf |
+
https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/ |
+
https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf |
+
+ |
+ |
https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html |
+
QHost is also known as:
+Tolouge
+Links |
+
+ |
QtBot is also known as:
+qtproject
+Links |
+
+ |
+ |
Quant Loader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.quant_loader |
+
+ |
+ |
https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/ |
+
+ |
+ |
Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
+Quasar RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat |
+
+ |
+ |
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
+
+ |
https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/ |
+
https://twitter.com/malwrhunterteam/status/789153556255342596 |
+
+ |
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ |
+
https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/ |
+
+ |
r980 is also known as:
+Links |
+
+ |
+ |
Radamant is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant |
+
https://www.cyphort.com/radamant-ransomware-distributed-via-rig-ek/ |
+
RadRAT is also known as:
+Links |
+
+ |
https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/ |
+
Rambo is also known as:
+brebsd
+Links |
+
+ |
https://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor |
+
Ramnit is also known as:
+Nimnul
+Links |
+
+ |
https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/ |
+
https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ |
+
http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html |
+
+ |
http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html |
+
http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html |
+
https://research.checkpoint.com/ramnits-network-proxy-servers/ |
+
Ranbyus is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus |
+
+ |
+ |
https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/ |
+
https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/ |
+
Ranscam is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam |
+
+ |
Ransoc is also known as:
+Links |
+
+ |
+ |
Ransomlock is also known as:
+WinLock
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock |
+
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2 |
+
+ |
Rapid Ransom is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom |
+
https://twitter.com/malwrhunterteam/status/977275481765613569 |
+
https://twitter.com/malwrhunterteam/status/997748495888076800 |
+
RapidStealer is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer |
+
http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html |
+
rarstar is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar |
+
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses |
+
RatabankaPOS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ratabankapos |
+
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf |
+
+ |
RawPOS is also known as:
+Links |
+
+ |
https://threatvector.cylance.com/en_us/home/rawpos-malware.html |
+
+ |
RCS is also known as:
+Remote Control System
+Crisis
+Links |
+
+ |
https://www.f-secure.com/documents/996508/1030745/callisto-group |
+
https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/ |
+
rdasrv is also known as:
+Links |
+
+ |
https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf |
+
Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.
+ReactorBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot |
+
http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html |
+
http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html |
+
+ |
https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under |
+
Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the "Five Poisons" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.
+Reaver is also known as:
+Links |
+
+ |
+ |
RedAlpha is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha |
+
+ |
RedLeaves is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves |
+
+ |
https://www.accenture.com/t20180423T055005Zw/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf[https://www.accenture.com/t20180423T055005Zw/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf] |
+
http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html |
+
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
+
https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves |
+
+ |
Red Alert is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert |
+
https://twitter.com/JaromirHorejsi/status/816237293073797121 |
+
Red Gambler is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler |
+
http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf |
+
reGeorg is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg |
+
+ |
+ |
Regin is also known as:
+Links |
+
+ |
+ |
Remcos is also known as:
+Links |
+
+ |
https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html |
+
+ |
+ |
https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2 |
+
https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/ |
+
+ |
https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/ |
+
+ |
Remexi is also known as:
+Links |
+
+ |
+ |
https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions |
+
Remsec is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider |
+
+ |
Rerdom is also known as:
+Links |
+
+ |
+ |
Retadup is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup |
+
+ |
Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. It’s primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic.
+Retefe is also known as:
+Tsukuba
+Werdlod
+Links |
+
+ |
+ |
https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/ |
+
+ |
+ |
Revenge RAT is also known as:
+Revetrat
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat |
+
http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/ |
+
+ |
+ |
RGDoor is also known as:
+Links |
+
+ |
+ |
+ |
Rikamanu is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu |
+
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets |
+
Rincux is also known as:
+Links |
+
+ |
Ripper ATM is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm |
+
http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/ |
+
rock is also known as:
+yellowalbatross
+Links |
+
+ |
https://github.com/securitykitten/malware_references/blob/master/rmshixdAPT-C-15-20160630.pdf |
+
Rockloader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader |
+
+ |
RokRAT is also known as:
+Links |
+
+ |
http://blog.talosintelligence.com/2017/04/introducing-rokrat.html |
+
+ |
http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html |
+
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html |
+
https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/ |
+
+ |
Rombertik is also known as:
+CarbonGrabber
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik |
+
+ |
Romeo(Alfa,Bravo, …) is also known as:
+Links |
+
+ |
Roopirs is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs |
+
Roseam is also known as:
+Links |
+
+ |
+ |
Rover is also known as:
+Links |
+
+ |
BkLoader
+Mayachok
Cidox
Mayachok
+BkLoader
Links |
+
+ |
https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/ |
+
+ |
+ |
https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/ |
+
https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/ |
+
+ |
http://www.malwaretech.com/2014/05/rovnix-new-evolution.html |
+
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf |
+
http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html |
+
RoyalCli is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli |
+
+ |
+ |
Royal DNS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns |
+
+ |
+ |
Rozena is also known as:
+Links |
+
+ |
https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena |
+
RTM is also known as:
+Links |
+
+ |
https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf |
+
rtpos is also known as:
+Links |
+
+ |
https://boozallenmts.com/resources/news/rtpos-new-point-sale-malware-family-uncovered |
+
Ruckguv is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv |
+
https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear |
+
Rumish is also known as:
+Links |
+
+ |
running_rat is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat |
+
+ |
Rurktar is also known as:
+RCSU
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar |
+
https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction |
+
Rustock is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock |
+
+ |
http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html |
+
https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html |
+
http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html |
+
http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/ |
+
http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf |
+
+ |
https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/ |
+
SAGE is also known as:
+Saga
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom |
+
+ |
https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga |
+
https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/ |
+
+ |
Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.
+Sakula RAT is also known as:
+Sakurel
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat |
+
+ |
https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula |
+
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99 |
+
+ |
Salgorea is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea |
+
https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf |
+
Sality is also known as:
+Links |
+
+ |
+ |
SamSam is also known as:
+Links |
+
+ |
+ |
+ |
+ |
http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html |
+
https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/ |
+
Sanny is also known as:
+Daws
+Links |
+
+ |
http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html |
+
Sarhust is also known as:
+Hussarini
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust |
+
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a |
+
+ |
Satan Ransomware is also known as:
+Links |
+
+ |
https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread |
+
+ |
https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html |
+
Satana is also known as:
+Links |
+
+ |
+ |
Sathurbot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot |
+
https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/ |
+
ScanPOS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos |
+
+ |
https://www.morphick.com/resources/news/scanpos-new-pos-malware-being-distributed-kronos |
+
Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded.
+Schneiken is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken |
+
https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb |
+
+ |
Scote is also known as:
+Links |
+
+ |
+ |
ScreenLocker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker |
+
+ |
SeaDaddy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy |
+
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
+
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
+
SeaSalt is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt |
+
+ |
SeDll is also known as:
+Links |
+
+ |
+ |
+ |
Sedreco is also known as:
+azzy
+eviltoss
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco |
+
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
+
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf |
+
+ |
+ |
Seduploader is also known as:
+jhuhugit
+jkeyskw
+downrage
+carberplike
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader |
+
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
+
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf |
+
+ |
https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/ |
+
http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/ |
+
+ |
+ |
https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html |
+
+ |
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html |
+
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/ |
+
SendSafe is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe |
+
Serpico is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico |
+
ShadowPad is also known as:
+XShellGhost
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad |
+
https://securelist.com/shadowpad-in-corporate-networks/81432/ |
+
https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf |
+
http://www.dailysecu.com/?mod=bbs&act=download&bbs_id=bbs_10&upload_idxno=4070 |
+
Shakti is also known as:
+Links |
+
+ |
https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/ |
+
https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/ |
+
SHAPESHIFT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift |
+
+ |
shareip is also known as:
+remotecmd
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip |
+
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong |
+
SHARPKNOT is also known as:
+Bitrep
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot |
+
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf |
+
+ |
ShellLocker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker |
+
https://twitter.com/JaromirHorejsi/status/813726714228604928 |
+
Shifu is also known as:
+Links |
+
+ |
http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/ |
+
Shim RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat |
+
https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf |
+
Shujin is also known as:
+Links |
+
+ |
+ |
+ |
Shurl0ckr is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.shurl0ckr |
+
+ |
Shylock is also known as:
+Caphaw
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock |
+
+ |
https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/ |
+
https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware |
+
https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw |
+
http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html |
+
https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/ |
+
win.sidewinder is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder |
+
+ |
+ |
Sierra(Alfa,Bravo, …) is also known as:
+Destover
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras |
+
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group |
+
+ |
Siggen6 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6 |
+
Silence is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.silence |
+
+ |
+ |
https://www.group-ib.com/resources/threat-research/silence.html |
+
Silon is also known as:
+Links |
+
+ |
http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html |
+
http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm |
+
Siluhdur is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur |
+
Simda is also known as:
+iBank
+Links |
+
+ |
+ |
Sinowal is also known as:
+Theola
+Quarian
+Mebroot
+Anserin
+Torpig
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal |
+
+ |
https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2 |
+
https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/ |
+
https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan |
+
Sisfader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader |
+
+ |
https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4 |
+
Skarab Ransom is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.skarab_ransom |
+
+ |
Skyplex is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex |
+
Slave is also known as:
+Links |
+
+ |
https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/ |
+
2012 first sighted
+Attack vector via compromised Microtik routers where victim’s got infection when they connect to Microtik router admin software - Winbox
+2018 when discovered by Kaspersky Team
+Infection Vector +- Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer
+Slingshot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot |
+
+ |
+ |
https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/ |
+
smac is also known as:
+speccom
+Links |
+
+ |
+ |
The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
+SmokeLoader is also known as:
+Dofoil
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader |
+
+ |
https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo |
+
https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html |
+
+ |
+ |
+ |
+ |
+ |
+ |
+ |
https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/ |
+
+ |
Smominru is also known as:
+Ismo
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru |
+
+ |
http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/ |
+
A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns.
+SnatchLoader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader |
+
https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/ |
+
+ |
https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/ |
+
https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/ |
+
SNEEPY is also known as:
+ByeByeShell
+Links |
+
+ |
+ |
Snifula is also known as:
+Ursnif
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula |
+
https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf |
+
Snojan is also known as:
+Links |
+
+ |
+ |
SNS Locker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker |
+
According to ESET, this RAT was derived from (the open-source) Quasar RAT.
+Sobaken is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken |
+
https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/ |
+
Socks5 Systemz is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz |
+
SocksBot is also known as:
+BIRDDOG
+Nadrac
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot |
+
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf |
+
https://www.accenture.com/t00010101T000000Zw/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf[https://www.accenture.com/t00010101T000000Zw/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf] |
+
+ |
Solarbot is also known as:
+Napolar
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot |
+
https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/ |
+
+ |
soraya is also known as:
+Links |
+
+ |
+ |
https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/ |
+
Sorgu is also known as:
+Links |
+
+ |
https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east |
+
SOUNDBITE is also known as:
+denis
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite |
+
+ |
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html |
+
Spedear is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear |
+
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets |
+
Spora is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom |
+
+ |
+ |
https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas |
+
https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/ |
+
https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/ |
+
https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware |
+
SpyBot is also known as:
+Links |
+
+ |
===
+is also known as:+
Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.spynet_rat |
+
SquirtDanger is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger |
+
+ |
SslMM is also known as:
+Links |
+
+ |
+ |
https://securelist.com/analysis/publications/69953/the-naikon-apt/ |
+
https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf |
+
Stabuniq is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq |
+
http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html |
+
https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers |
+
Stampedo is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.stampedo |
+
+ |
StarCruft is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft |
+
+ |
StarLoader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.starloader |
+
+ |
StarsyPound is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound |
+
+ |
StegoLoader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader |
+
https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer |
+
Stinger is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger |
+
Stration is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.stration |
+
Stresspaint is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint |
+
https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/ |
+
+ |
+ |
+ |
StrongPity is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity |
+
+ |
https://twitter.com/physicaldrive0/status/786293008278970368 |
+
https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/ |
+
+ |
Stuxnet is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet |
+
http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html |
+
SunOrcal is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal |
+
+ |
http://pwc.blogs.com/cyber_security_updates/2016/03/index.html |
+
SuppoBox is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox |
+
Swift? is also known as:
+Links |
+
+ |
https://securelist.com/blog/sas/77908/lazarus-under-the-hood/ |
+
Sword is also known as:
+Links |
+
+ |
+ |
sykipot is also known as:
+getkys
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot |
+
+ |
+ |
https://www.alienvault.com/blogs/labs-research/sykipot-is-back |
+
+ |
SynAck is also known as:
+Links |
+
+ |
https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/ |
+
SyncCrypt is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt |
+
+ |
SynFlooder is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder |
+
+ |
Synth Loader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader |
+
Sys10 is also known as:
+Links |
+
+ |
+ |
https://securelist.com/analysis/publications/69953/the-naikon-apt/ |
+
https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf |
+
Syscon is also known as:
+Links |
+
+ |
http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/ |
+
+ |
SysGet is also known as:
+Links |
+
+ |
+ |
SysScan is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan |
+
Szribi is also known as:
+Links |
+
+ |
+ |
+ |
https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel |
+
TabMsgSQL is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql |
+
+ |
taidoor is also known as:
+simbot
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor |
+
https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html |
+
+ |
http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html |
+
Taleret is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret |
+
https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html |
+
http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html |
+
Tandfuy is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy |
+
Tapaoux is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux |
+
+ |
Tarsip is also known as:
+Links |
+
+ |
+ |
tDiscoverer is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer |
+
https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf |
+
TDTESS is also known as:
+Links |
+
+ |
+ |
TeleBot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot |
+
http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ |
+
TeleDoor is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor |
+
https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/ |
+
http://blog.talosintelligence.com/2017/07/the-medoc-connection.html |
+
Tempedreve is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve |
+
Terminator RAT is also known as:
+Fakem RAT
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat |
+
https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf |
+
https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf |
+
+ |
http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html |
+
TeslaCrypt is also known as:
+cryptesla
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt |
+
+ |
https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/ |
+
https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla |
+
+ |
https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/ |
+
https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf |
+
+ |
+ |
Thanatos is also known as:
+Alphabot
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos |
+
+ |
Thanatos Ransomware is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom |
+
+ |
+ |
https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html |
+
ThreeByte is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte |
+
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html |
+
ThumbThief is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief |
+
http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/ |
+
Thunker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker |
+
Tidepool is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool |
+
+ |
+ |
Tinba is also known as:
+Zusy
+TinyBanker
+Illi
+Links |
+
+ |
http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/ |
+
+ |
https://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/ |
+
+ |
https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/ |
+
https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant |
+
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html |
+
https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/ |
+
+ |
http://www.theregister.co.uk/2012/06/04/small_banking_trojan/ |
+
TinyLoader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader |
+
https://www.fidelissecurity.com/threatgeek/2017/07/deconstructing-tinyloader-0 |
+
TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program’s author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor.
+TinyNuke is also known as:
+NukeBot
+Nuclear Bot
+MicroBankingTrojan
+Xbot
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke |
+
+ |
+ |
https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet |
+
https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html |
+
https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/ |
+
https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/ |
+
https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/ |
+
+ |
TinyTyphon is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon |
+
+ |
TinyZbot is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot |
+
+ |
Tofsee is also known as:
+Gheg
+Links |
+
+ |
https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/ |
+
+ |
https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/ |
+
TorrentLocker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker |
+
+ |
+ |
TreasureHunter is also known as:
+huntpos
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter |
+
+ |
https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/ |
+
https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html |
+
A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.
+Q4 2016 - Detected in wild +Oct 2016 - 1st Report +Jan 2018 - Use XMRIG (Monero) miner +Feb 2018 - Theft Bitcoin +Mar 2018 - Unfinished ransomware module
+Infection Vector +1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot +2. Phish > Attached MS Office > Marco Enabled > Downloader > Trickbot +3. Phish > Attached MS Office > Marco enabled > Trickbot installed
+TrickBot is also known as:
+Trickster
+TheTrick
+TrickLoader
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot |
+
+ |
+ |
http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html |
+
https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre |
+
https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/ |
+
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/ |
+
+ |
https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/ |
+
+ |
http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html |
+
+ |
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader |
+
+ |
https://blog.fraudwatchinternational.com/malware/trickbot-malware-works |
+
https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/ |
+
+ |
+ |
https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot |
+
https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html |
+
https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/ |
+
https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf |
+
+ |
http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot |
+
+ |
http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html |
+
https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/ |
+
http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html |
+
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-3-core |
+
https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html |
+
+ |
https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html |
+
https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html |
+
+ |
https://qmemcpy.github.io/post/reverse-engineering-malware-trickbot-part-1-packer |
+
https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf |
+
https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/ |
+
Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers.
+win.triton is also known as:
+Trisis
+HatMan
+Links |
+
+ |
+ |
+ |
+ |
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware |
+
+ |
Trochilus RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat |
+
+ |
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
+
+ |
Troldesh is also known as:
+Shade
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh |
+
+ |
https://securelist.com/the-shade-encryptor-a-double-threat/72087/ |
+
Trump Ransom is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom |
+
Tsifiri is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri |
+
TURNEDUP is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup |
+
+ |
Tyupkin is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin |
+
+ |
A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.
+UACMe is also known as:
+Akagi
+Links |
+
+ |
+ |
UDPoS is also known as:
+Links |
+
+ |
https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns |
+
https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html |
+
Uiwix is also known as:
+Links |
+
+ |
https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue |
+
Unidentified 001 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001 |
+
Unidentified 003 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003 |
+
===
+is also known as:+
Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_005 |
+
Unidentified 006 is also known as:
+Links |
|
https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006 |
+
Unidentified 013 (Korean) is also known as:
+Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware |
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf |
+http://blog.talosintelligence.com/2017/02/korean-maldoc.html |
+
Unidentified 020 (Vault7) is also known as:
+Links |
|
https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7 |
+ | + |
Unidentified 022 (Ransom) is also known as:
+Links |
|
http://www.malwaretech.com/2014/05/rovnix-new-evolution.html |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom |
+
Unidentified 023 is also known as:
+Links |
|
https://blogs.technet.microsoft.com/mmpc/2013/07/25/the-evolution-of-rovnix-private-tcpip-stacks/ |
+https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023 |
+
Unidentified 024 (Ransomware) is also known as:
+Links |
|
+ | https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom |
http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html |
+https://twitter.com/malwrhunterteam/status/789161704106127360 |
+
Unidentified 025 (Clickfraud) is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud |
+
+ |
Unidentified 028 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028 |
+
Unidentified 029 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029 |
+
Filecoder is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030 |
+
https://twitter.com/JaromirHorejsi/status/877811773826641920 |
+
Unidentified 031 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031 |
+
Unidentified 032 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_032 |
+
https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/ |
+
Unidentified 033 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_033 |
+
Unidentified 034 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_034 |
+
https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/ |
+
Unidentified 035 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_035 |
+
Unidentified 037 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037 |
+
Unidentified 038 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038 |
+
Unidentified 039 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039 |
+
Unidentified 041 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041 |
+
Unidentified 042 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042 |
+
http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/ |
+
Unidentified 044 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044 |
+
Unidentified 045 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045 |
+
Unidentified 046 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_046 |
+
+ |
RAT written in Delphi used by Patchwork APT.
+Unidentified 047 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047 |
+
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ |
+
Unidentified 048 (Lazarus?) is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_048 |
+
+ |
Unidentified 049 (Lazarus/RAT) is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_049 |
+
https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/ |
+
Unidentified 051 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_051 |
+
+ |
Unidentified 052 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052 |
+
Unidentified 053 (Wonknu?) is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053 |
+
https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/ |
+
Unlock92 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.unlock92 |
+
+ |
+ |
UPAS is also known as:
+Rombrast
+Links |
+
+ |
https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/ |
+
https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html |
+
+ |
Upatre is also known as:
+Links |
+
+ |
https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/ |
+
+ |
+ |
Urausy is also known as:
+Links |
+
+ |
UrlZone is also known as:
+Bebloh
+Shiotob
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone |
+
+ |
https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html |
+
https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/ |
+
+ |
https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan |
+
https://www.arbornetworks.com/blog/asert/an-update-on-the-urlzone-banker/ |
+
https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/ |
+
Uroburos is also known as:
+Snake
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos |
+
Vawtrak is also known as:
+Catch
+grabnew
+NeverQuest
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak |
+
https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/ |
+
https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf |
+
+ |
https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak |
+
https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/ |
+
Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension.
+Velso Ransomware is also known as:
+Links |
+
+ |
+ |
Venus Locker is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker |
+
https://twitter.com/JaromirHorejsi/status/813690129088937984 |
+
Vermin is also known as:
+Links |
+
+ |
+ |
https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/ |
+
Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protectd by VMProtect.
+Vflooder is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder |
+
https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/ |
+
virdetdoor is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor |
+
https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks |
+
Virut is also known as:
+Links |
+
+ |
https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/ |
+
+ |
VM Zeus is also known as:
+VMzeus
+ZeusVM
+Zberp
+Links |
+
+ |
+ |
https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/ |
+
https://asert.arbornetworks.com/wp-content/uploads/2015/08/ZeusVM_Bits_and_Pieces.pdf |
+
Vobfus is also known as:
+Links |
+
+ |
http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html |
+
https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/ |
+
Volgmer is also known as:
+FALLCHILL
+Manuscrypt
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer |
+
+ |
Vreikstadi is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi |
+
https://twitter.com/malware_traffic/status/821483557990318080 |
+
vSkimmer is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer |
+
http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis |
+
+ |
+ |
w32times is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times |
+
+ |
WannaCryptor is also known as:
+Wcry
+WannaCry
+Wana Decrypt0r
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor |
+
+ |
+ |
https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/ |
+
https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign |
+
+ |
http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ |
+
https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58 |
+
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html |
+
https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e |
+
https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html |
+
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 |
+
https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/ |
+
https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d |
+
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group |
+
https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/ |
+
+ |
WaterMiner is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer |
+
https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner |
+
WaterSpout is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout |
+
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html |
+
WebC2-AdSpace is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace |
+
+ |
WebC2-Ausov is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov |
+
+ |
WebC2-Bolid is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid |
+
+ |
WebC2-Cson is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson |
+
+ |
WebC2-DIV is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div |
+
+ |
WebC2-GreenCat is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat |
+
+ |
WebC2-Head is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head |
+
+ |
WebC2-Kt3 is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3 |
+
+ |
WebC2-Qbp is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp |
+
+ |
WebC2-Rave is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave |
+
+ |
WebC2-Table is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table |
+
+ |
WebC2-UGX is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx |
+
+ |
WebC2-Yahoo is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo |
+
+ |
WebMonitor RAT is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor |
+
+ |
WellMess is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess |
+
+ |
WildFire is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire |
+
https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/ |
+
WinMM is also known as:
+Links |
+
+ |
+ |
https://securelist.com/analysis/publications/69953/the-naikon-apt/ |
+
https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf |
+
Winnti is also known as:
+Links |
+
+ |
http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/ |
+
+ |
https://www.protectwise.com/blog/winnti-evolution-going-open-source.html |
+
+ |
+ |
+ |
Winsloader is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader |
+
+ |
Wipbot is also known as:
+Links |
+
+ |
+ |
WMI Ghost is also known as:
+Wimmie
+Syndicasec
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost |
+
+ |
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets |
+
WndTest is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest |
+
+ |
Wonknu is also known as:
+Links |
+
+ |
https://labsblog.f-secure.com/2015/11/24/wonknu-a-spy-for-the-3rd-asean-us-summit/ |
+
woody is also known as:
+Links |
+
+ |
+ |
Woolger is also known as:
+WoolenLogger
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger |
+
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf |
+
http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf |
+
X-Agent is also known as:
+splm
+chopstick
+Links |
+
+ |
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/ |
+
+ |
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf |
+
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
+
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
+
http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf |
+
XBot POS is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos |
+
https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html |
+
Xpan is also known as:
+Links |
+
+ |
https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/ |
+
https://securelist.com/blog/research/78110/xpan-i-am-your-father/ |
+
Incorporates code of Quasar RAT.
+XPCTRA is also known as:
+Expectra
+Links |
+
+ |
+ |
https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis |
+
XP PrivEsc (CVE-2014-4076) is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.xp_privesc |
+
+ |
xsPlus is also known as:
+nokian
+Links |
+
+ |
+ |
https://securelist.com/analysis/publications/69953/the-naikon-apt/ |
+
https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf |
+
X-Tunnel is also known as:
+xaps
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel |
+
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html |
+
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
+
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf |
+
https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/ |
+
https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf |
+
https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf |
+
+ |
+ |
xxmm is also known as:
+ShadowWalker
+Links |
+
+ |
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses |
+
+ |
Yahoyah is also known as:
+KeyBoy
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah |
+
+ |
yayih is also known as:
+bbsinfo
+aumlib
+Links |
+
+ |
+ |
Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.
+PE timestamps suggest that it came into existence in the second half of 2014.
+Some versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).
+YoungLotus is also known as:
+DarkShare
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus |
+
+ |
yty is also known as:
+Links |
+
+ |
https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/ |
+
+ |
Zebrocy is also known as:
+Zekapab
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy |
+
https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ |
+
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ |
+
Zebrocy (AutoIT) is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3 |
+
https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ |
+
Zedhou is also known as:
+Links |
+
+ |
ZeroAccess is also known as:
+Max++
+Smiscer
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess |
+
https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/ |
+
https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/ |
+
http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html |
+
+ |
+ |
+ |
+ |
http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html |
+
ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.
+It first connects to a gate.php (version=). Upon success, an embedded VBS gets started connecting to logs_gate.php (plugin=, report=). +So far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all password from the Windows.Security.Credentials.PasswordVault. Apart from that, a screenshot is taken and a list of running processes generated.
+The ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).
+ZeroEvil is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil |
+
https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/ |
+
ZeroT is also known as:
+Links |
+
+ |
https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx |
+
Zeus is also known as:
+Zbot
+Links |
+
+ |
http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html |
+
http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html |
+
+ |
https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20 |
+
https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite |
+
+ |
+ |
+ |
+ |
+ |
+ |
http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html |
+
http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html |
+
http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html |
+
http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html |
+
http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html |
+
+ |
http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html |
+
Zeus MailSniffer is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer |
+
Zeus Sphinx is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx |
+
https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/ |
+
+ |
+ |
The sample listed here was previously mislabeled and is now integrated into win.floki_bot. The family is to-be-updated once we have a "real" Zeus SSL sample.
+Zeus SSL is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_ssl |
+
Zezin is also known as:
+Links |
+
+ |
+ |
+ |
ZhCat is also known as:
+Links |
+
+ |
+ |
ZhMimikatz is also known as:
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz |
+
+ |
A banking trojan first observed in October 2016 has grown into a sophisticated hacking tool that works primarily as a banking trojan, but could also be used as an infostealer or backdoor.
+Zloader is also known as:
+Zeus Terdot
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader |
+
https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/ |
+
+ |
+ |
ZoxPNG is also known as:
+gresim
+Links |
+
+ |
http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf |
+
ZXShell is also known as:
+Sensocode
+Links |
+
https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell |
+
+ |
+ |
+ |
Zyklon is also known as:
+Links |
+
+ |
PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.
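Review bot: many Links rows in this hunk render as an empty cell (`+ |`) with no URL, and several entries consist of nothing but such cells: Zedhou, Zezin, ZhCat, Zyklon, woody and Wipbot each have a "Links" header followed only by blank rows, and most other entries mix real URLs with blank rows (Virut has one Register link and two blank cells; Zeus has a run of six blank cells between the Symantec and malwareint links). That looks like the generator emitting a table row for every refs element even when the value is empty or could not be rendered; it should skip empty refs, and an entry with no usable refs should omit the Links table rather than ship an empty one, since the blank rows carry nothing for a reader and inflate the page. Two typos in the description text should be fixed at the source (the cluster JSON this HTML is generated from) rather than patched in galaxy.html: "Most versions are protectd by VMProtect." (Vflooder) should read "protected", and "masqueraded as one of server common computer utilities" in the closing PROMETHIUM/Truvasys paragraph should read "several". Also worth a second look: the Zeus SSL description is a maintainer note ("The sample listed here was previously mislabeled and is now integrated into win.floki_bot.") rather than a description of a family, so either drop the placeholder entry from the generated galaxy or decide deliberately that the note belongs in the shipped description, because downstream consumers will display it as-is.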