fix: galaxy updated

pull/4/head
Alexandre Dulaunoy 2018-03-15 07:17:11 +01:00
parent 43feeeec0d
commit 901dd21cc2
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
2 changed files with 20595 additions and 16398 deletions

View File

@ -91750,7 +91750,7 @@ Tool is a cluster galaxy available in JSON format at <a href="https://github.com
<dl>
<dt class="hdlist1">authors</dt>
<dd>
<p>Alexandre Dulaunoy - Florian Roth - Timo Steffens - Christophe Vandeplas</p>
<p>Alexandre Dulaunoy - Florian Roth - Timo Steffens - Christophe Vandeplas - Dennis Rand</p>
</dd>
</dl>
</div>
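Review bot: the only change in this hunk is the generated `authors` line gaining "Dennis Rand"; since the header notes this HTML is rendered from the cluster galaxy JSON, confirm the new name was added to the `authors` array in the source JSON and that this file was regenerated from it rather than edited by hand, otherwise the next regeneration will drop the credit again.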
@ -99102,12 +99102,468 @@ The Nautilus service listens for HTTP requests from clients to process
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_coraldeck"><a class="anchor" href="#_coraldeck"></a><a class="link" href="#_coraldeck">CORALDECK</a></h3>
<div class="paragraph">
<p>CORALDECK is an exfiltration tool that searches for specified files and exfiltrates them in password protected archives using hardcoded HTTP POST headers. CORALDECK has been observed dropping and using Winrar to exfiltrate data in password protected RAR files as well as WinImage and zip archives</p>
</div>
<div class="paragraph">
<p>CORALDECK is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>APT.InfoStealer.Win.CORALDECK</p>
</li>
<li>
<p>FE_APT_InfoStealer_Win_CORALDECK_1</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2794. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_dogcall"><a class="anchor" href="#_dogcall"></a><a class="link" href="#_dogcall">DOGCALL</a></h3>
<div class="paragraph">
<p>DOGCALL is a backdoor commonly distributed as an encoded binary file downloaded and decrypted by shellcode following the exploitation of weaponized documents. DOGCALL is capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual machine detections, and leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex. DOGCALL was used to target South Korean Government and military organizations in March and April 2017. The malware is typically dropped using an HWP exploit in a lure document. The wiper tool, RUHAPPY, was found on some of the systems targeted by DOGCALL. While DOGCALL is primarily an espionage tool, RUHAPPY is a destructive wiper tool meant to render systems inoperable.</p>
</div>
<div class="paragraph">
<p>DOGCALL is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>FE_APT_RAT_DOGCALL</p>
</li>
<li>
<p>FE_APT_Backdoor_Win32_DOGCALL_1</p>
</li>
<li>
<p>APT.Backdoor.Win.DOGCALL</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2795. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_gelcapsule"><a class="anchor" href="#_gelcapsule"></a><a class="link" href="#_gelcapsule">GELCAPSULE</a></h3>
<div class="paragraph">
<p>GELCAPSULE is a downloader traditionally dropped or downloaded by an exploit document. GELCAPSULE has been observed downloading SLOWDRIFT to victim systems.</p>
</div>
<div class="paragraph">
<p>GELCAPSULE is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>FE_APT_Downloader_Win32_GELCAPSULE_1</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2796. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_happywork"><a class="anchor" href="#_happywork"></a><a class="link" href="#_happywork">HAPPYWORK</a></h3>
<div class="paragraph">
<p>HAPPYWORK is a malicious downloader that can download and execute a second-stage payload, collect system information, and beacon it to the command and control domains. The collected system information includes: computer name, user name, system manufacturer via registry, IsDebuggerPresent state, and execution path. In November 2016, HAPPYWORK targeted government and financial targets in South Korea.</p>
</div>
<div class="paragraph">
<p>HAPPYWORK is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>FE_APT_Downloader_HAPPYWORK</p>
</li>
<li>
<p>FE_APT_Exploit_HWP_Happy</p>
</li>
<li>
<p>Downloader.APT.HAPPYWORK</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2797. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_karae"><a class="anchor" href="#_karae"></a><a class="link" href="#_karae">KARAE</a></h3>
<div class="paragraph">
<p>Karae backdoors are typically used as first-stage malware after an initial compromise. The backdoors can collect system information, upload and download files, and may be used to retrieve a second-stage payload. The malware uses public cloud-based storage providers for command and control. In March 2016, KARAE malware was distributed through torrent file-sharing websites for South Korean users. During this campaign, the malware used a YouTube video downloader application as a lure.</p>
</div>
<div class="paragraph">
<p>KARAE is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>FE_APT_Backdoor_Karae_enc</p>
</li>
<li>
<p>FE_APT_Backdoor_Karae</p>
</li>
<li>
<p>Backdoor.APT.Karae</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2798. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_milkdrop"><a class="anchor" href="#_milkdrop"></a><a class="link" href="#_milkdrop">MILKDROP</a></h3>
<div class="paragraph">
<p>MILKDROP is a launcher that sets a persistence registry key and launches a backdoor.</p>
</div>
<div class="paragraph">
<p>MILKDROP is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>FE_Trojan_Win32_MILKDROP_1</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2799. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_pooraim"><a class="anchor" href="#_pooraim"></a><a class="link" href="#_pooraim">POORAIM</a></h3>
<div class="paragraph">
<p>POORAIM malware is designed with basic backdoor functionality and leverages AOL Instant Messenger for command and control communications. POORAIM includes the following capabilities: System information enumeration, File browsing, manipulation and exfiltration, Process enumeration, Screen capture, File execution, Exfiltration of browser favorites, and battery status. Exfiltrated data is sent via files over AIM. POORAIM has been involved in campaigns against South Korean media organizations and sites relating to North Korean refugees and defectors since early 2014. Compromised sites have acted as watering holes to deliver newer variants of POORAIM.</p>
</div>
<div class="paragraph">
<p>POORAIM is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Backdoor.APT.POORAIM</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2800. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_ricecurry"><a class="anchor" href="#_ricecurry"></a><a class="link" href="#_ricecurry">RICECURRY</a></h3>
<div class="paragraph">
<p>RICECURRY is a Javascript based profiler used to fingerprint a victim&#8217;s web browser and deliver malicious code in return. Browser, operating system, and Adobe Flash version are detected by RICECURRY, which may be a modified version of PluginDetect.</p>
</div>
<div class="paragraph">
<p>RICECURRY is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Exploit.APT.RICECURRY</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2801. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_ruhappy"><a class="anchor" href="#_ruhappy"></a><a class="link" href="#_ruhappy">RUHAPPY</a></h3>
<div class="paragraph">
<p>RUHAPPY is a destructive wiper tool seen on systems targeted by DOGCALL. It attempts to overwrite the MBR, causing the system not to boot. When victims' systems attempt to boot, the string 'Are you Happy?' is displayed. The malware is believed to be tied to the developers of DOGCALL and HAPPYWORK based on similar PDB paths in all three.</p>
</div>
<div class="paragraph">
<p>RUHAPPY is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>FE_APT_Trojan_Win32_RUHAPPY_1</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2802. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_shutterspeed"><a class="anchor" href="#_shutterspeed"></a><a class="link" href="#_shutterspeed">SHUTTERSPEED</a></h3>
<div class="paragraph">
<p>SHUTTERSPEED is a backdoor that can collect system information, acquire screenshots, and download/execute an arbitrary executable. SHUTTERSPEED typically requires an argument at runtime in order to execute fully. Observed arguments used by SHUTTERSPEED include: 'help', 'console', and 'sample'. The spear phishing email messages contained documents exploiting RTF vulnerability CVE-2017-0199. Many of the compromised domains in the command and control infrastructure are linked to South Korean companies. Most of these domains host a fake webpage pertinent to targets.</p>
</div>
<div class="paragraph">
<p>SHUTTERSPEED is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>FE_APT_Backdoor_SHUTTERSPEED</p>
</li>
<li>
<p>APT.Backdoor.SHUTTERSPEED</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2803. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_slowdrift"><a class="anchor" href="#_slowdrift"></a><a class="link" href="#_slowdrift">SLOWDRIFT</a></h3>
<div class="paragraph">
<p>SLOWDRIFT is a launcher that communicates via cloud based infrastructure. It sends system information to the attacker command and control and then downloads and executes additional payloads.Lure documents distributing SLOWDRIFT were not tailored for specific victims, suggesting that TEMP.Reaper is attempting to widen its target base across multiple industries and in the private sector. SLOWDRIFT was seen being deployed against academic and strategic targets in South Korea using lure emails with documents leveraging the HWP exploit. Recent SLOWDRIFT samples were uncovered in June 2017 with lure documents pertaining to cyber crime prevention and news stories. These documents were last updated by the same actor who developed KARAE, POORAIM and ZUMKONG.</p>
</div>
<div class="paragraph">
<p>SLOWDRIFT is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>FE_APT_Downloader_Win_SLOWDRIFT_1</p>
</li>
<li>
<p>FE_APT_Downloader_Win_SLOWDRIFT_2</p>
</li>
<li>
<p>APT.Downloader.SLOWDRIFT</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2804. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_soundwave"><a class="anchor" href="#_soundwave"></a><a class="link" href="#_soundwave">SOUNDWAVE</a></h3>
<div class="paragraph">
<p>SOUNDWAVE is a windows based audio capturing utility. Via command line it accepts the -l switch (for listen probably), captures microphone input for 100 minutes, writing the data out to a log file in this format: C:\Temp\HncDownload\YYYYMMDDHHMMSS.log.</p>
</div>
<div class="paragraph">
<p>SOUNDWAVE is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>FE_APT_HackTool_Win32_SOUNDWAVE_1</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2805. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_zumkong"><a class="anchor" href="#_zumkong"></a><a class="link" href="#_zumkong">ZUMKONG</a></h3>
<div class="paragraph">
<p>ZUMKONG is a credential stealer capable of harvesting usernames and passwords stored by Internet Explorer and Chrome browsers. Stolen credentials are emailed to the attacker via HTTP POST requests to mail[.]zmail[.]ru.</p>
</div>
<div class="paragraph">
<p>ZUMKONG is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>FE_APT_Trojan_Zumkong</p>
</li>
<li>
<p>Trojan.APT.Zumkong</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2806. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
<div class="sect2">
<h3 id="_winerack"><a class="anchor" href="#_winerack"></a><a class="link" href="#_winerack">WINERACK</a></h3>
<div class="paragraph">
<p>WINERACK is backdoor whose primary features include user and host information gathering, process creation and termination, filesystem and registry manipulation, as well as the creation of a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands. Other capabilities include the enumeration of files, directories, services, active windows and processes.</p>
</div>
<div class="paragraph">
<p>WINERACK is also known as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>FE_APT_Backdoor_WINERACK</p>
</li>
<li>
<p>Backdoor.APT.WINERACK</p>
</li>
</ul>
</div>
<table class="tableblock frame-all grid-all spread">
<caption class="title">Table 2807. Table References</caption>
<colgroup>
<col style="width: 100%;">
</colgroup>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Links</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf">https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf</a></p></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2018-03-13 17:39:10 CET
Last updated 2018-03-15 07:13:57 CET
</div>
</div>
</body>
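Review bot: several of the new tool descriptions carry wording defects that, because this file is generated, must be fixed in the source JSON descriptions rather than here: "downloads and executes additional payloads.Lure documents" (SLOWDRIFT) is missing a space, "WINERACK is backdoor whose" is missing an article, "windows based audio capturing utility" (SOUNDWAVE) should read "Windows-based", and "leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex" (DOGCALL) names a provider as just "Cloud", which looks truncated and should be checked against the cited FireEye APT37 report. Also note that the "is also known as" lists for these fourteen entries consist of FireEye detection signature names (FE_APT_..., APT.Backdoor....) rather than alternative malware names; if the galaxy schema distinguishes detection names from synonyms, those belong in the former. All fourteen entries point to the same reference PDF, which is fine, and the footer "Last updated" line is the expected regeneration timestamp.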

36533
galaxy.pdf

File diff suppressed because one or more lines are too long