Merge pull request #1022 from Delta-Sierra/main
SloppyLemming relationships
adulau authored Sep 30, 2024
2 parents b1e0026 + a71f9c7 commit 7daede8
Showing 6 changed files with 144 additions and 7 deletions.
4 changes: 2 additions & 2 deletions README.md
@@ -63,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements

[Backdoor](https://www.misp-galaxy.org/backdoor) - A list of backdoor malware.

Category: *tool* - source: *Open Sources* - total: *28* elements
Category: *tool* - source: *Open Sources* - total: *29* elements

[[HTML](https://www.misp-galaxy.org/backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]

@@ -87,7 +87,7 @@ Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47

[Botnet](https://www.misp-galaxy.org/botnet) - botnet galaxy

Category: *tool* - source: *MISP Project* - total: *130* elements
Category: *tool* - source: *MISP Project* - total: *132* elements

[[HTML](https://www.misp-galaxy.org/botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)]

12 changes: 11 additions & 1 deletion clusters/backdoor.json
@@ -488,7 +488,17 @@
],
"uuid": "4838b37b-2d1f-4cb8-945d-7185580f0bff",
"value": "TERRIBLETEA"
},
{
"description": "Merdoor is a fully-featured backdoor that appears to have been in existence since 2018.\nThe backdoor contains the following functionality: Installing itself as a service, Keylogging, A variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), Ability to listen on a local port for commands\nInstances of the Merdoor backdoor are usually identical with the exception of embedded and encrypted configuration, which determines: C&C communication method, Service details, Installation directory\nTypically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.",
"meta": {
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
]
},
"uuid": "8ebda9f4-f8f2-4d35-ba2b-d6ecb54b23d4",
"value": "Merdoor"
}
],
"version": 19
"version": 20
}
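Review bot: the new Merdoor entry is an orphan node: it has no "related" edges even though its only ref, the Symantec Lancefly post, is the same URL this commit appends to the ZXShell refs in clusters/tool.json. If that post ties Merdoor to ZXShell (or to a Lancefly threat-actor cluster that already exists in the galaxy), add the corresponding "related" entries here and the reciprocal edge on the other side, as was done for the SloppyLemming edges elsewhere in this PR. Minor: the description flattens what were evidently bullet lists into comma-joined, capitalised fragments ("Installing itself as a service, Keylogging, A variety of methods ..."); lowercase the fragments or restore the list breaks with "\n" so the rendered text reads cleanly.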
24 changes: 23 additions & 1 deletion clusters/botnet.json
@@ -2031,7 +2031,29 @@
},
"uuid": "40cd57f6-39c9-4a9f-b4cf-de4762642bff",
"value": "Ztorg"
},
{
"meta": {
"refs": [
"https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router",
"https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd"
],
"synonyms": [
"7777"
]
},
"uuid": "3e027dad-9c0a-437e-9938-dd3cf13b0c22",
"value": "Quad7"
},
{
"meta": {
"refs": [
"https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router"
]
},
"uuid": "963d898f-dc48-409e-8069-aaa51ad6664c",
"value": "63256 botnet"
}
],
"version": 35
"version": 36
}
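Review bot: both new botnet entries ship without a "description" although the Team Cymru post they cite is exactly the kind of source a one-paragraph description should be drawn from; please add one for each. The naming is also inconsistent: "Quad7" carries its port-derived name "7777" as a synonym, while the second entry is named "63256 botnet" with the generic suffix baked into the value and no synonyms at all. Pick one convention (a proper name in "value", port-derived aliases in "synonyms"). Finally, the two entries share the same Team Cymru ref but have no "related" edge between them; if that post presents 63256 as part of the same operator's infrastructure as Quad7, express that with a "related" entry rather than leaving it implicit in a shared URL.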
9 changes: 9 additions & 0 deletions clusters/ransomware.json
@@ -1494,6 +1494,15 @@
"HavocCrypt Ransomware"
]
},
"related": [
{
"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
"value": "Havoc"
},
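Review bot: two problems with this hunk. First, clusters/ransomware.json is the only cluster file in the commit whose "version" field is not bumped (backdoor.json, botnet.json, threat-actor.json and tool.json all are); consumers that refresh galaxies based on the version number will never see this new edge, so add the bump. Second, the cluster receiving the "used-by" edge is the ransomware "Havoc" (synonym "HavocCrypt Ransomware", as the context lines show), whereas the Havoc a threat actor "uses" as tooling is normally the Havoc C2 framework, which is a different thing. Check the Cloudflare SloppyLemming write-up referenced in threat-actor.json; if it means the C2 framework, point this edge and the reciprocal "uses" edge on SloppyLemming at that cluster instead of at the ransomware family.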
90 changes: 89 additions & 1 deletion clusters/threat-actor.json
@@ -15224,6 +15224,15 @@
"Outrider Tiger"
]
},
"related": [
{
"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
"value": "Fishing Elephant"
},
@@ -16738,9 +16747,88 @@
"https://blog.cloudflare.com/unraveling-sloppylemming-operations/"
]
},
"related": [
{
"dest-uuid": "0df34184-4ccf-4357-8e8e-e990058d2992",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "4b09b683-5650-4a6c-a383-d8f3b686ebc2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b250414b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424744",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b249444e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4b41",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b243484e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e504c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
},
{
"dest-uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "targets"
}
],
"uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"value": "SloppyLemming"
}
],
"version": 314
"version": 315
}
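Review bot: the eight "targets" dest-uuids (4b09b683-..., the six 84668357-5a8c-4bdd-9f0f-6b50b2... ids and 6012ecea-...) point at clusters outside the six files in this commit, so nothing in the diff shows that they resolve; verify each against the galaxy before merging. The six 84668357-... ids differ only in their last six hex digits, which is the generated-id scheme used for the country galaxy rather than random v4 uuids, and a single wrong digit there silently retargets the edge to a different country, so check that each one decodes to the country the Cloudflare post actually names. Separately, every one of the eleven edges is tagged "likely", including the "uses" and "similar" edges whose reciprocals are created in this same PR; the existing edge in clusters/tool.json at the same spot uses "almost-certain", so consider tiering the estimative-language tag by what the source states outright versus what is inferred, instead of one value across the board.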
12 changes: 10 additions & 2 deletions clusters/tool.json
@@ -1882,7 +1882,8 @@
"refs": [
"http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html",
"https://blogs.cisco.com/security/talos/opening-zxshell",
"https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox"
"https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor"
],
"synonyms": [
"Sensode"
@@ -9208,6 +9209,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "similar"
},
{
"dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d",
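Review bot: the cluster gaining this "used-by" edge is identified only by uuid 97f26fab-af0e-4da9-b4c1-aec70cace22d; its "value" lies outside the shown context, so a reviewer cannot confirm from the diff that it is the tool the Cloudflare report attributes to SloppyLemming. Name the tool in the PR description (or widen the context) so the edge can be checked against the source. The reciprocal "uses" edge in clusters/threat-actor.json carries the same uuid, so the pair is at least internally consistent. Note also that the preceding "similar" edge on this cluster is tagged "almost-certain" while the new edge is "likely"; if the source states the usage outright, "likely" undersells it.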
@@ -11075,5 +11083,5 @@
"value": "SLIVER"
}
],
"version": 173
"version": 174
}
