From 70b0823947cb10d7bb02a31aee4674ae723daefe Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Fri, 27 Sep 2024 14:23:01 +0200 Subject: [PATCH 1/2] SloppyLemming relationsships --- clusters/backdoor.json | 12 ++++- clusters/botnet.json | 24 +++++++++- clusters/ransomware.json | 11 ++++- clusters/threat-actor.json | 90 +++++++++++++++++++++++++++++++++++++- clusters/tool.json | 12 ++++- 5 files changed, 143 insertions(+), 6 deletions(-) diff --git a/clusters/backdoor.json b/clusters/backdoor.json index d41dede8..25cfd997 100644 --- a/clusters/backdoor.json +++ b/clusters/backdoor.json @@ -488,7 +488,17 @@ ], "uuid": "4838b37b-2d1f-4cb8-945d-7185580f0bff", "value": "TERRIBLETEA" + }, + { + "description": "Merdoor is a fully-featured backdoor that appears to have been in existence since 2018.\nThe backdoor contains the following functionality: Installing itself as a service, Keylogging, A variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP), Ability to listen on a local port for commands\nInstances of the Merdoor backdoor are usually identical with the exception of embedded and encrypted configuration, which determines: C&C communication method, Service details, Installation directory\nTypically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.", + "meta": { + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor" + ] + }, + "uuid": "8ebda9f4-f8f2-4d35-ba2b-d6ecb54b23d4", + "value": "Merdoor" } ], - "version": 19 + "version": 20 } diff --git a/clusters/botnet.json b/clusters/botnet.json index c3d9d0a7..05e7fbd3 100644 --- a/clusters/botnet.json +++ b/clusters/botnet.json @@ -2031,7 +2031,29 @@ }, "uuid": "40cd57f6-39c9-4a9f-b4cf-de4762642bff", "value": "Ztorg" + }, + { + "meta": { + "refs": [ + "https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router", + "https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd" + ], + "synonyms": [ + "7777" + ] + }, + "uuid": "3e027dad-9c0a-437e-9938-dd3cf13b0c22", + "value": "Quad7" + }, + { + "meta": { + "refs": [ + "https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromised-router" + ] + }, + "uuid": "963d898f-dc48-409e-8069-aaa51ad6664c", + "value": "63256 botnet" } ], - "version": 35 + "version": 36 } diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 2a91f5c2..7b4287c6 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -1494,6 +1494,15 @@ "HavocCrypt Ransomware" ] }, + "related": [ + { + "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], "uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396", "value": "Havoc" }, @@ -29684,5 +29693,5 @@ "value": "orca" } ], - "version": 133 + "version": 134 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 3cce334d..5fce6346 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -15215,6 +15215,15 @@ "Outrider Tiger" ] }, + "related": [ + { + "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "0df34184-4ccf-4357-8e8e-e990058d2992", "value": "Fishing Elephant" }, @@ -16710,9 +16719,88 @@ "https://blog.cloudflare.com/unraveling-sloppylemming-operations/" ] }, + "related": [ + { + "dest-uuid": "0df34184-4ccf-4357-8e8e-e990058d2992", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b09b683-5650-4a6c-a383-d8f3b686ebc2", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b250414b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b2424744", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b249444e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24c4b41", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b243484e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "84668357-5a8c-4bdd-9f0f-6b50b24e504c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + }, + { + "dest-uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "targets" + } + ], "uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", "value": "SloppyLemming" } ], - "version": 314 + "version": 315 } diff --git a/clusters/tool.json b/clusters/tool.json index d9d9cdb6..3ac50d62 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -1882,7 +1882,8 @@ "refs": [ "http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html", "https://blogs.cisco.com/security/talos/opening-zxshell", - "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox" + "https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor" ], "synonyms": [ "Sensode" @@ -9208,6 +9209,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" + }, + { + "dest-uuid": "6f7489f5-7edc-4693-b35a-44e79c969678", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" } ], "uuid": "97f26fab-af0e-4da9-b4c1-aec70cace22d", @@ -11075,5 +11083,5 @@ "value": "SLIVER" } ], - "version": 173 + "version": 174 } From a71f9c7e944c42a6d4b854ed7138c8c46a44435e Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Mon, 30 Sep 2024 10:41:46 +0200 Subject: [PATCH 2/2] update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8b3c6f9e..fd1d6b9b 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements [Backdoor](https://www.misp-galaxy.org/backdoor) - A list of backdoor malware. -Category: *tool* - source: *Open Sources* - total: *28* elements +Category: *tool* - source: *Open Sources* - total: *29* elements [[HTML](https://www.misp-galaxy.org/backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)] @@ -87,7 +87,7 @@ Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47 [Botnet](https://www.misp-galaxy.org/botnet) - botnet galaxy -Category: *tool* - source: *MISP Project* - total: *130* elements +Category: *tool* - source: *MISP Project* - total: *132* elements [[HTML](https://www.misp-galaxy.org/botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)]