Introduction
The MISP threat sharing platform is free and open source software that supports the sharing of threat intelligence, including cyber security indicators, financial fraud and counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of the information shared.
MISP galaxy is a simple method to express a large object called a cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-value pairs. There are default vocabularies available in MISP galaxy, but these can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme. The following document is generated from the machine-readable JSON describing the MISP galaxy.
Funding and Support
The MISP project is supported financially and with resources by CIRCL (Computer Incident Response Center Luxembourg).
A CEF (Connecting Europe Facility) grant under CEF-TC-2016-3 - Cyber Security was awarded from 1st September 2017 until 31st August 2019 for the project "Improving MISP as building blocks for next-generation information sharing".
If you are interested in co-funding projects around MISP, feel free to get in touch with us.
MISP galaxy
360.net Threat Actors
Known or estimated adversary groups as identified by 360.net.
360.net Threat Actors is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Authors:
- 360.net
CIA - APT-C-39
APT-C-39 is a high-profile, highly capable APT group from the United States, linked to the NSA and belonging to the CIA. It carried out network intrusions against key sectors in China for eleven years. Many organizations, including China's aerospace industry, scientific research institutions, the oil industry, large Internet companies and government agencies, were attacked to varying degrees.
The tag is: misp-galaxy:360net-threat-actor="CIA - APT-C-39"
海莲花 - APT-C-00
The OceanLotus (海莲花) APT group is a highly organized, professional, state-level hacking group based outside China; it was first discovered and disclosed by 360. Since at least April 2012 the group has conducted organized, planned, targeted and sustained attacks against important Chinese sectors, including government, scientific research institutes, maritime agencies, offshore construction and shipping companies.
The tag is: misp-galaxy:360net-threat-actor="海莲花 - APT-C-00"
海莲花 - APT-C-00 is also known as:
- OceanLotus
海莲花 - APT-C-00 has relationships with:
- similar: misp-galaxy:threat-actor="APT32" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="APT32 - G0050" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="Canvas Cyclone" with estimative-language:likelihood-probability="likely"
摩诃草 - APT-C-09
The Patchwork group (摩诃草, APT-C-09), also known as HangOver, VICEROY TIGER, The Dropping Elephant and Patchwork, is an APT group from South Asia that has been continuously active for 12 years. It was first exposed by the security company Norman in 2013, and other security vendors have since continued to track and disclose its latest activity; the group did not stop attacking its targets after its operations were exposed, and has in fact become more active since 2015. The group mainly conducts cyber espionage against China, Pakistan and other Asian countries, chiefly to steal sensitive information. Its attacks can be traced back to November 2009 and it remains very active. In attacks against China it mainly targets government agencies and the scientific research and education sector, with the latter as its primary focus.
The tag is: misp-galaxy:360net-threat-actor="摩诃草 - APT-C-09"
摩诃草 - APT-C-09 is also known as:
- HangOver
- VICEROY TIGER
- The Dropping Elephant
- Patchwork
摩诃草 - APT-C-09 has relationships with:
- similar: misp-galaxy:threat-actor="VICEROY TIGER" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:threat-actor="QUILTED TIGER" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Patchwork - G0040" with estimative-language:likelihood-probability="likely"
黄金鼠 - APT-C-27
Since November 2014 the Golden Rat group (黄金鼠, APT-C-27) has carried out organized, planned, targeted and sustained attacks against the Syria region. Its attack platform expanded from Windows to Android; so far we have captured 29 Android attack samples and 55 Windows attack samples, involving 9 C&C domains. APT-C-27 was named Golden Rat for several reasons: first, the group used a large amount of resources in its attacks, indicating that it is well resourced, and the golden hamster is known for hoarding food in the wild, so the name also literally connotes abundance; second, the group typically emerges to attack at intervals, which resembles the behaviour of a rodent; third, the golden hamster is a representative animal of the Syria region.
The tag is: misp-galaxy:360net-threat-actor="黄金鼠 - APT-C-27"
Lazarus - APT-C-26
The Lazarus group is an APT group suspected to originate from North Korea. It has long conducted intrusions against South Korea and the United States, and also attacks financial institutions worldwide, making it arguably the greatest threat to financial institutions globally. Its earliest attack activity can be traced back to 2007. According to investigations by foreign security companies, Lazarus is linked to the 2014 attack on Sony Pictures, the 2016 Bangladesh Bank breach, and the 2017 attacks on US defense contractors, the US energy sector, and Bitcoin exchanges in the UK and South Korea. The most notorious security incident of 2017, the WannaCry ransomware that swept the globe, is also suspected to be its work.
The tag is: misp-galaxy:360net-threat-actor="Lazarus - APT-C-26"
Lazarus - APT-C-26 is also known as:
- APT38
Lazarus - APT-C-26 has relationships with:
- similar: misp-galaxy:threat-actor="Lazarus Group" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="APT38 - G0082" with estimative-language:likelihood-probability="likely"
黄金雕 - APT-C-34
The activity of the Golden Eagle group (黄金雕, APT-C-34) mainly affects Central Asia, mostly within Kazakhstan; its targets include the education sector, government personnel, researchers, media workers, parts of commerce and industry, military personnel, religious figures, political dissidents and diplomats. The group conducts attacks through social engineering, physical access and radio interception, and has also purchased weapons from cyber-arms vendors such as HackingTeam and NSO Group, giving it advanced intrusion capability including 0-day exploits. 360 named the group Golden Eagle (APT-C-34) after the Central Asian custom of hunting with trained falcons.
The tag is: misp-galaxy:360net-threat-actor="黄金雕 - APT-C-34"
盲眼鹰 - APT-C-36
Since April 2018, an APT group suspected to originate from South America, Blind Eagle (盲眼鹰, APT-C-36), has carried out organized, planned, targeted and sustained attacks against Colombian government agencies and large companies in important sectors (finance, oil, manufacturing and others). Its attack platform is mainly Windows and its targets are Colombian government and enterprise organizations. One distinctive target was the Colombian National Institute for the Blind, and Colombia is known in football as the South American eagle; combining this with other characteristics of the group and the 360 Threat Intelligence Center's naming rules for APT groups, we named it Blind Eagle (APT-C-36).
The tag is: misp-galaxy:360net-threat-actor="盲眼鹰 - APT-C-36"
毒针 - APT-C-31
On 25 November 2018, the 360 Advanced Threat Response Team was the first in the world to discover an APT attack against Russia, targeting a medical institution belonging to the Presidential Administration of Russia. The attack used the Flash 0-day vulnerability CVE-2018-15982 and Hacking Team's RCS backdoor. Given the medical function of the targeted institution, 360 named this APT campaign Operation Poison Needle (毒针).
The tag is: misp-galaxy:360net-threat-actor="毒针 - APT-C-31"
ArmaRat - APT-C-33
In July 2016, 360 discovered an APT campaign that had targeted Iranian Android users for two years. The attackers used the messaging app Telegram to distribute a disguised ArmaRat trojan; once the intrusion succeeded, the attackers could fully control the victim's phone and monitor it in real time. Because the keyword "arma" appeared in both the C&C infrastructure and the code structure throughout the trojan's evolution, we named the group "ArmaRat".
The tag is: misp-galaxy:360net-threat-actor="ArmaRat - APT-C-33"
军刀狮 - APT-C-38
Since July 2015 the Saber Lion group (军刀狮, APT-C-38) has carried out organized, planned, targeted and sustained attacks in the Middle East, on the Windows and Android platforms. One of the group's main distinctive targets is the Kurdish population of a country in West Asia/the Middle East, the string "Saber" appears repeatedly in the PDB paths of its Windows RAT, and the Asiatic lion is the representative animal of that country; combining this with other characteristics of the group and 360's naming rules for APT groups, we named it Saber Lion (APT-C-38).
The tag is: misp-galaxy:360net-threat-actor="军刀狮 - APT-C-38"
拍拍熊 - APT-C-37
The 拍拍熊 group (APT-C-37) has carried out organized, planned, targeted and sustained attacks against the extremist organization "Islamic State", on the Windows and Android platforms.
The tag is: misp-galaxy:360net-threat-actor="拍拍熊 - APT-C-37"
人面狮 - APT-C-15
Operation 人面狮 (Sphinx) is a cyber-espionage campaign active in the Middle East whose main targets probably include organizations in countries such as Egypt and Israel, with the aim of stealing sensitive data. Activity was concentrated between June 2014 and November 2015, and related attacks can be traced back to December 2011. The campaign mainly used watering-hole attacks via social networks; to date a total of 314 malware samples and 7 C&C domains have been captured.
The tag is: misp-galaxy:360net-threat-actor="人面狮 - APT-C-15"
美人鱼 - APT-C-07
The Mermaid group (美人鱼, APT-C-07) is an APT group from the Middle East that has been continuously active for 9 years. It mainly conducts cyber espionage against government agencies to steal sensitive information, and has been confirmed to have attacked the Danish Ministry of Foreign Affairs.
The tag is: misp-galaxy:360net-threat-actor="美人鱼 - APT-C-07"
双尾蝎 - APT-C-23
Since May 2016 the Two-tailed Scorpion group (双尾蝎, APT-C-23) has carried out organized, planned, targeted and sustained attacks against important Palestinian sectors such as educational and military institutions. Its attack platforms include Windows and Android and its attacks mainly cover the Middle East; so far we have captured 24 Android samples and 19 Windows samples, involving 29 C&C domains. APT-C-23 was named Two-tailed Scorpion for several reasons: first, the group attacked both Palestine and Israel, two parties with a degree of hostility toward each other, which is rare; second, the group attacks on both Windows and Android. Although some APT groups we have intercepted before, such as OceanLotus, also attack multiple platforms, the vast majority of APT groups still focus on Windows, and an APT group that emphasizes both platforms and is this active on Android is unusual. The third reason is that the scorpion is a representative animal of the Israel-Palestine region.
The tag is: misp-galaxy:360net-threat-actor="双尾蝎 - APT-C-23"
蓝宝菇 - APT-C-12
Since 2011 the advanced attack group 蓝宝菇 (Blue Mushroom, APT-C-12) has conducted continuous cyber espionage against key Chinese units and departments in government, the defense industry, scientific research and finance. The group mainly focuses on information related to the nuclear industry and scientific research. Its targets are concentrated in mainland China.
The tag is: misp-galaxy:360net-threat-actor="蓝宝菇 - APT-C-12"
蓝宝菇 - APT-C-12 is also known as:
- Operation NuclearCrisis (核危机行动)
毒云藤 - APT-C-01
APT-C-01, also known as 毒云藤 (Poison Vine), is an APT group that has long targeted China and has been active since at least 2007. It conducted 11 years of cyber espionage against key Chinese units and departments including defense, government, technology, education and maritime agencies, focusing mainly on the defense industry, China-US relations, cross-strait relations and maritime affairs, with the aim of stealing major policy decisions and sensitive information. APT-C-01 was first disclosed by the 360 Threat Intelligence Center, which named it "Poison Vine" after a vine plant common in the region associated with the group.
The tag is: misp-galaxy:360net-threat-actor="毒云藤 - APT-C-01"
毒云藤 - APT-C-01 is also known as:
- 穷奇
- 白海豚
- 绿斑
Darkhotel - APT-C-06
Darkhotel (APT-C-06) is an APT group that has long conducted cyber-espionage attacks against corporate executives, the defense industry, the electronics industry and other important organizations. In November 2014, security experts at Kaspersky Lab first identified the Darkhotel APT group and stated that it had been active since at least 2010, with targets mainly in South Korea, China, Russia and Japan. Kaspersky named the group Darkhotel because one of its exposed campaigns used hotel wireless networks to target elite managers in manufacturing, defense, investment capital, private equity, automotive and other industries.
The tag is: misp-galaxy:360net-threat-actor="Darkhotel - APT-C-06"
Darkhotel - APT-C-06 is also known as:
- Luder
- Karba
- Tapaoux
- Dubnium
- SIG25
Darkhotel - APT-C-06 has relationships with:
- similar: misp-galaxy:threat-actor="DarkHotel" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Darkhotel - G0012" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="DUBNIUM" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="Zigzag Hail" with estimative-language:likelihood-probability="likely"
奇幻熊 - APT-C-20
APT28 (APT-C-20), also known as Pawn Storm, Sofacy, Sednit, Fancy Bear and Strontium, is suspected of being linked to the Russian government; its attack activity can be traced back to 2004. Its main targets include the defense industry, militaries, government organizations and the media. It has used a large number of 0-day vulnerabilities, and its malware targets not only PC operating systems such as Windows and Linux but also mobile operating systems such as Apple iOS. It was earlier suspected of involvement in cyber attacks on NATO. APT28 was highly active in the first quarter of 2015, attacking NATO member states and governments in Europe, Asia and the Middle East. Many security vendors suspect it is linked to the Russian government, and it was earlier suspected of secretly investigating the MH17 incident. Since 2016 the group's latest targets have included senior Turkish officials.
The tag is: misp-galaxy:360net-threat-actor="奇幻熊 - APT-C-20"
奇幻熊 - APT-C-20 is also known as:
- APT28
- Pawn Storm
- Sofacy Group
- Sednit
- Fancy Bear
- STRONTIUM
奇幻熊 - APT-C-20 has relationships with:
- similar: misp-galaxy:threat-actor="APT28" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="APT28 - G0007" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="STRONTIUM" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="Forest Blizzard" with estimative-language:likelihood-probability="likely"
沙虫 - APT-C-13
The Sandworm group's main target sectors are government, education, energy and telecommunications operators. It has further focused its espionage on the governments of European and North American countries, NATO, and the Ukrainian government. The group used a 0-day vulnerability (CVE-2014-4114) in a phishing attack against the Ukrainian government, and also attacked the United States during the NATO summit in Wales that discussed the Ukraine crisis. The group has also used the BlackEnergy malware. Sandworm does not limit itself to conventional cyber espionage; it has also attacked SCADA systems, which researchers believe was reconnaissance for later cyber attacks. There is also limited evidence that the BlackEnergy malware was involved in cyber attacks on industrial sectors such as the Ukrainian power grid; if BlackEnergy was indeed used in those attacks, they may be linked to the Sandworm group.
The tag is: misp-galaxy:360net-threat-actor="沙虫 - APT-C-13"
沙虫 - APT-C-13 is also known as:
- SandWorm
沙虫 - APT-C-13 has relationships with:
- similar: misp-galaxy:threat-actor="Sandworm" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:microsoft-activity-group="Seashell Blizzard" with estimative-language:likelihood-probability="likely"
肚脑虫 - APT-C-35
APT-C-35 (肚脑虫), also known as Donot, is an attack group that conducts cyber espionage against government agencies and other sectors in countries connected with the Kashmir region, mainly to steal sensitive information. It was first exposed by 360's Helios team in March 2017, and several domestic and foreign security teams have since tracked and disclosed its latest attacks. Its activity began in April 2016 and continues today; its attacks are mainly delivered via spear-phishing emails.
The tag is: misp-galaxy:360net-threat-actor="肚脑虫 - APT-C-35"
肚脑虫 - APT-C-35 is also known as:
- Donot
蔓灵花 - APT-C-08
The 蔓灵花 group mainly attacks government, electric power and industrial organizations via spear-phishing emails and system vulnerabilities, primarily to steal sensitive information. Samples first appeared abroad in November 2013, with compile times concentrated between July 2015 and September 2016. The group was first reported by the security company Forcepoint in 2016 and has been observed many times since; it remains very active.
The tag is: misp-galaxy:360net-threat-actor="蔓灵花 - APT-C-08"
索伦之眼 - APT-C-16
The 索伦之眼 (Eye of Sauron) group (APT-C-16), also known as Sauron or Strider, mainly conducts cyber espionage against China, Russia and several other countries, primarily to steal sensitive information. Its attacks can be traced back to 2010 and it remains very active. The entire attack process is highly covert and extremely targeted: it uses custom malware or communication infrastructure for specific targets and does not reuse attack resources. The complexity of its malware rivals that of Equation, and its overall capability is no weaker than that of the Stuxnet and Flame APT groups.
The tag is: misp-galaxy:360net-threat-actor="索伦之眼 - APT-C-16"
索伦之眼 - APT-C-16 is also known as:
- Sauron
- Strider
索伦之眼 - APT-C-16 has relationships with:
- similar: misp-galaxy:threat-actor="ProjectSauron" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Strider - G0041" with estimative-language:likelihood-probability="likely"
潜行者 - APT-C-30
The 潜行者 group mainly collects sensitive information from government agencies, defense departments and intelligence agencies in Southeast Asian countries, and has conducted cyber attacks against China for over ten years. It mainly targets key organizations in government and telecommunications; its attacks can be traced back to 2009, the earliest sample compile time is 2008, and activity continues to the present.
The tag is: misp-galaxy:360net-threat-actor="潜行者 - APT-C-30"
响尾蛇 - APT-C-24
APT-C-24, also known as Sidewinder or Rattlesnake, is an APT group with an Indian background. It usually targets countries in South Asia and surrounding regions, including Pakistan, China and Nepal, mainly attacking the government, military and diplomatic sectors of those countries and regions; one of its most common infection vectors is malicious documents carrying exploits. In early 2020 the group used COVID-19-themed decoy documents to attack Bangladesh, China and Pakistan. Tracking of the group in recent years shows that Sidewinder is increasingly inclined to use trending topics such as COVID-19 and various political issues as social-engineering techniques against its targets, so greater vigilance is required.
The tag is: misp-galaxy:360net-threat-actor="响尾蛇 - APT-C-24"
响尾蛇 - APT-C-24 is also known as:
- SideWinder
响尾蛇 - APT-C-24 has relationships with:
- similar: misp-galaxy:threat-actor="RAZOR TIGER" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Sidewinder - G0121" with estimative-language:likelihood-probability="likely"
ScarCruft - APT-C-28
The APT-C-28 group, also known as ScarCruft, APT37 (Reaper) or Group123, is an APT group from Northeast Asia whose attack activity can be traced back to 2012 and which remains active today. APT-C-28 mainly conducts cyber espionage against South Korea and other Asian countries, primarily to steal intelligence and sensitive data of strategic military, political and economic value. It was first exposed by Kaspersky in June 2016, and security vendors have since tracked it continuously and disclosed its latest attack activity.
The tag is: misp-galaxy:360net-threat-actor="ScarCruft - APT-C-28"
ScarCruft - APT-C-28 is also known as:
- APT37 (Reaper)
- Group123
ScarCruft - APT-C-28 has relationships with:
- similar: misp-galaxy:threat-actor="APT37" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="APT37 - G0067" with estimative-language:likelihood-probability="likely"
Turla - APT-C-29
The Turla Group, also known as Waterbug, Venomous Bear or Group 88, is an APT group with a Russian background that has been active since at least 1996 and whose attacks became more frequent after 2015. Its targets span many countries worldwide and cover government, diplomacy, military, education, research and healthcare; it is known for watering-hole attacks, spear phishing and the use of custom malware.
The tag is: misp-galaxy:360net-threat-actor="Turla - APT-C-29"
Turla - APT-C-29 is also known as:
- Turla, Waterbug, Venomous Bear, Group 88
Carbanak - APT-C-11
The Carbanak (also Anunak) attack group is a transnational cybercrime gang. Since 2013 it has attacked a total of around 100 banks, electronic payment systems and other financial institutions in about 30 countries and regions worldwide, and its activity remains ongoing.
The tag is: misp-galaxy:360net-threat-actor="Carbanak - APT-C-11"
Carbanak - APT-C-11 is also known as:
- Anunak
Carbanak - APT-C-11 has relationships with:
- similar: misp-galaxy:mitre-intrusion-set="Carbanak - G0008" with estimative-language:likelihood-probability="likely"
飞鲨 - APT-C-17
APT-C-17 is an APT attack discovered by 360, which we named Operation 飞鲨 (Flying Shark). The related attack activity can be traced back to January 2013 and remained active until March 2014; it mainly targeted China's aerospace sector with the aim of stealing sensitive data from targeted users. No related attacks have been observed recently.
The tag is: misp-galaxy:360net-threat-actor="飞鲨 - APT-C-17"
方程式 - APT-C-40
APT-C-40 (Equation) is the most powerful APT group in history. The group has been active for nearly 20 years, surpasses all previous cyber attack groups in attack complexity and technique, and is believed to be the operator behind the well-known Stuxnet and Flame malware.
The tag is: misp-galaxy:360net-threat-actor="方程式 - APT-C-40"
透明部落 - APT-C-56
Operation C-Major, also known as Transparent Tribe, APT36 or Mythic Leopard, is an APT group with a Pakistani background. Its attacks have a wide reach but mainly target Indian government and military organizations; to safeguard national interests it also targets civil groups and politicians inside Pakistan. The group was first discovered in 2013 and has remained active in recent years. In early 2020 it launched spear-phishing attacks against Indian government organizations and defense personnel using decoy documents about the India-Pakistan border dispute, the so-called 'Honey Trap' operation, to steal state secrets and sensitive data.
The tag is: misp-galaxy:360net-threat-actor="透明部落 - APT-C-56"
透明部落 - APT-C-56 is also known as:
- APT36
- ProjectM
- C-Major
透明部落 - APT-C-56 has relationships with:
- similar: misp-galaxy:threat-actor="Operation C-Major" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Transparent Tribe - G0134" with estimative-language:likelihood-probability="likely"
腾云蛇 - APT-C-61
APT-C-61, also known as 腾云蛇 (Cloud Snake), has been active since at least January 2020 and remains very active. Its main targets are state institutions, the defense industry, scientific research and national defense in Pakistan, Bangladesh and other countries. It penetrates targets via spear-phishing emails combined with social engineering, delivers malware to target devices, covertly controls them and continuously steals sensitive files. It takes its name from the fact that its C2, payload delivery and storage of stolen data all rely on cloud services, and its trojan is written in Python.
The tag is: misp-galaxy:360net-threat-actor="腾云蛇 - APT-C-61"
Kimsuky - APT-C-55
Kimsuky is an APT group located in North Korea, also known as Mystery Baby, Baby Coin, Smoke Screen, BabyShark or Cobra Venom. It was first disclosed by Kaspersky in 2013. The group has long attacked South Korean think tanks, government and diplomatic bodies, news organizations and academic institutions, and in recent years has expanded its targets to countries including the United States, Russia and European countries. Its main purpose is intelligence theft and espionage. The group is very active; its common attack payloads include HWP files carrying exploits, malicious macro documents and PE files that drop payloads.
The tag is: misp-galaxy:360net-threat-actor="Kimsuky - APT-C-55"
卢甘斯克组织 - APT-C-46
In early 2019 a foreign security vendor disclosed targeted attacks by an APT group with a suspected Luhansk background against the Ukrainian government. According to the report, the group's activity can be traced back to at least 2014; it has extensively attacked Ukrainian government agencies through phishing and watering-hole attacks, and has used malware such as the open-source Quasar RAT and VERMIN to capture audio and video from targets, steal passwords and obtain confidential files.
The tag is: misp-galaxy:360net-threat-actor="卢甘斯克组织 - APT-C-46"
卢甘斯克组织 - APT-C-46 is also known as:
- APT-C-46
旺刺组织 - APT-C-47
Recently, 360 Security Brain detected several attack campaigns using malicious ClickOnce programs. In-depth analysis by the 360 Advanced Threat Research Institute found that this was an attack campaign by a previously undisclosed APT group from the Korean peninsula region, targeting entities and individuals connected with the peninsula. According to 360 Security Brain data, the group's activity can be traced back to 2018. No security vendor has yet publicly disclosed this group's attacks, nor any real APT attack using this technique. Because this campaign was first captured and disclosed worldwide by 360, we named the group "旺刺" (a homophone of the attack technique it specializes in) and assigned it the new identifier APT-C-47.
The tag is: misp-galaxy:360net-threat-actor="旺刺组织 - APT-C-47"
旺刺组织 - APT-C-47 is also known as:
- APT-C-47
DomesticKitten - APT-C-50
Domestic Kitten (Check Point), alias APT-C-50, was first disclosed by a foreign security vendor. Since 2016 it has conducted extensive and targeted attacks; its targets include dissidents and opposition forces inside a Middle Eastern country, ISIS supporters, and the Kurdish minority living mainly in the west of that country. Notably, all of the targets are citizens of that country. Government agencies of that country, such as the Islamic Revolutionary Guard Corps (IRGC), the Ministry of Intelligence and the Ministry of the Interior, may provide support to the group.
The tag is: misp-galaxy:360net-threat-actor="DomesticKitten - APT-C-50"
DomesticKitten - APT-C-50 is also known as:
- APT-C-50
SandCat - APT-C-32
SandCat was first discovered by Kaspersky in 2018. The group has been using FinFisher/FinSpy spyware and the CHAINSHOT attack framework, has the ability to use 0-day vulnerabilities, and has used CVE-2018-8589 and CVE-2018-8611. It mainly attacks targets in the Middle East, Africa and Eastern Europe.
The tag is: misp-galaxy:360net-threat-actor="SandCat - APT-C-32"
CNC - APT-C-48
The group was discovered in 2019 and is provisionally called CNC because the string cnc_client appears in the PDB path of its samples. It conducts targeted attacks against China's education, aerospace, defense industry and healthcare sectors to steal intelligence. During attacks it attempts to use N-day exploits, and it has developers capable of writing trojans in Go.
The tag is: misp-galaxy:360net-threat-actor="CNC - APT-C-48"
蓝色魔眼 - APT-C-41
APT-C-41 is an APT group with a Turkish background whose earliest attack activity can be traced back to 2012. The group mainly attacks Italy, Turkey, Belgium, Syria and other countries and regions in Europe. In 2020, 360 discovered attacks by this group against Chinese organizations and named it APT-C-41.
The tag is: misp-galaxy:360net-threat-actor="蓝色魔眼 - APT-C-41"
Machete - APT-C-43
El Machete was first discovered by Kaspersky; its earliest attacks can be traced back to 2014 and mainly target Latin America. 360's Baize Lab discovered a new backdoor written in Python, Pyark; through in-depth analysis and attribution of this backdoor we uncovered a series of advanced threat operations active since 2019, in which the attackers compromised multiple Venezuelan military institutions, deployed the backdoor, and continuously monitored and stole the latest military secrets.
The tag is: misp-galaxy:360net-threat-actor="Machete - APT-C-43"
Machete - APT-C-43 is also known as:
- Machete
Machete - APT-C-43 has relationships with:
- similar: misp-galaxy:threat-actor="El Machete" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:mitre-intrusion-set="Machete - G0095" with estimative-language:likelihood-probability="likely"
Gamaredon - APT-C-53
Gamaredon, also known as Primitive Bear, Winterflounder or BlueAlpha, has been active since at least 2013 and is an APT group sponsored by the Russian government. It mainly conducts cyber espionage against Ukraine's government, defense, diplomatic and news media sectors. In recent years its members have continually upgraded their tactics and techniques and developed custom malware, making it harder for security personnel to capture and track them.
The tag is: misp-galaxy:360net-threat-actor="Gamaredon - APT-C-53"
北非狐 - APT-C-44
The 北非狐 (North African Fox) group (APT-C-44) is an APT group from Algeria that has been continuously active for 3 years. It mainly conducts cyber espionage against the Middle East, primarily to steal sensitive information. Its attacks can be traced back to November 2017 and it remains active.
The tag is: misp-galaxy:360net-threat-actor="北非狐 - APT-C-44"
WellMess - APT-C-42
The WELLMESS group is a relatively new Russian-speaking APT group, first discovered in 2017 and active to the present. It mainly conducts espionage attacks against Asia, has carried out a supply-chain attack lasting more than two years, and has exploit capability. Its targets are mainly government, IT and scientific research organizations, and its primary aim is stealing files.
The tag is: misp-galaxy:360net-threat-actor="WellMess - APT-C-42"
Android
Android malware galaxy based on multiple open sources.
Android is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Authors:
- Unknown
CopyCat
CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote – a daemon responsible for launching apps in the Android operating system – that allows the malware to control any activity on the device.
The tag is: misp-galaxy:android="CopyCat"
Andr/Dropr-FH
Andr/Dropr-FH can silently record audio and video, monitor texts and calls, modify files, and ultimately spawn ransomware.
The tag is: misp-galaxy:android="Andr/Dropr-FH"
Andr/Dropr-FH is also known as:
- GhostCtrl
Andr/Dropr-FH has relationships with:
- similar: misp-galaxy:malpedia="GhostCtrl" with estimative-language:likelihood-probability="likely"
Judy
The malware, dubbed Judy, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.
The tag is: misp-galaxy:android="Judy"
RedAlert2
The trojan waits in hiding until the user opens a banking or social media app. When this happens, the trojan shows an HTML-based overlay on top of the original app, alerting the user of an error, and asking to reauthenticate. Red Alert then collects the user’s credentials and sends them to its C&C server.
The tag is: misp-galaxy:android="RedAlert2"
RedAlert2 has relationships with:
- similar: misp-galaxy:malpedia="RedAlert2" with estimative-language:likelihood-probability="likely"
Tizi
Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.
The tag is: misp-galaxy:android="Tizi"
Links:
- https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html
DoubleLocker
DoubleLocker can change the device’s PIN, preventing victims from accessing their devices, and also encrypts the data requesting a ransom. It will misuse accessibility services after being installed by impersonating the Adobe Flash player - similar to BankBot.
The tag is: misp-galaxy:android="DoubleLocker"
DoubleLocker has relationships with:
- similar: misp-galaxy:malpedia="DoubleLocker" with estimative-language:likelihood-probability="likely"
Links:
- https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/
Svpeng
Svpeng is a banking trojan that acts as a keylogger. If the Android device is not Russian, Svpeng asks for permission to use accessibility services. By abusing this service it gains administrator rights, allowing it to draw over other apps, send and receive SMS, and take screenshots when keys are pressed.
The tag is: misp-galaxy:android="Svpeng"
Svpeng is also known as:
- Invisible Man
Svpeng has relationships with:
- similar: misp-galaxy:tool="Svpeng" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Svpeng" with estimative-language:likelihood-probability="likely"
Links:
- https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/
- https://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/
LokiBot
LokiBot is a banking trojan for Android 4.0 and higher. It can steal information and send SMS messages. It can launch web browsers and banking applications, and show notifications impersonating other apps. When removal is attempted, it encrypts the device's external storage and demands Bitcoin to decrypt the files.
The tag is: misp-galaxy:android="LokiBot"
LokiBot has relationships with:
- similar: misp-galaxy:malpedia="Loki Password Stealer (PWS)" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="LokiBot" with estimative-language:likelihood-probability="likely"
Links:
- https://clientsidedetection.com/lokibot_the_first_hybrid_android_malware.html
BankBot
The main goal of this malware is to steal banking credentials from the victim’s device. It usually impersonates flash player updaters, android system tools, or other legitimate applications.
The tag is: misp-galaxy:android="BankBot"
BankBot has relationships with:
- similar: misp-galaxy:malpedia="Anubis (Android)" with estimative-language:likelihood-probability="likely"
Links:
- https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot
Viking Horde
On rooted devices, Viking Horde installs software and executes code remotely to gain access to mobile data.
The tag is: misp-galaxy:android="Viking Horde"
Links:
- http://www.alwayson-network.com/worst-types-android-malware-2016/
HummingBad
A Chinese advertising company has developed this malware. The malware has the power to take control of devices; it forces users to click advertisements and download apps. The malware uses a multistage attack chain.
The tag is: misp-galaxy:android="HummingBad"
HummingBad has relationships with:
- similar: misp-galaxy:mitre-malware="HummingBad - S0322" with estimative-language:likelihood-probability="likely"
Links:
- http://www.alwayson-network.com/worst-types-android-malware-2016/
- http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf
Ackposts
Ackposts is a Trojan horse for Android devices that steals the Contacts information from the compromised device and sends it to a predetermined location.
The tag is: misp-galaxy:android="Ackposts"
Links:
- https://www.symantec.com/security_response/writeup.jsp?docid=2012-072302-3943-99
Wirex
Wirex is a Trojan horse for Android devices that opens a backdoor on the compromised device which then joins a botnet for conducting click fraud.
The tag is: misp-galaxy:android="Wirex"
WannaLocker
WannaLocker is a strain of ransomware for Android devices that encrypts files on the device’s external storage and demands a payment to decrypt them.
The tag is: misp-galaxy:android="WannaLocker"
Links:
- https://fossbytes.com/wannalocker-ransomware-wannacry-android/
Switcher
Switcher is a Trojan horse for Android devices that modifies Wi-Fi router DNS settings. Switcher attempts to infiltrate the admin interface of the router on the device's Wi-Fi network by using brute-force techniques. If the attack succeeds, Switcher alters the DNS settings of the router, making it possible to reroute DNS queries to a network controlled by the malicious actors.
The tag is: misp-galaxy:android="Switcher"
Switcher has relationships with:
- similar: misp-galaxy:malpedia="Switcher" with estimative-language:likelihood-probability="likely"
Links:
- https://www.theregister.co.uk/2017/01/03/android_trojan_targets_routers/
- https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99
Vibleaker
Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code that after specific orders from its maker would scan the user’s phone for the Viber app, and then steal photos and videos recorded or sent through the app.
The tag is: misp-galaxy:android="Vibleaker"
Links:
- http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-BankBot-505758.shtml
ExpensiveWall
ExpensiveWall is Android malware that sends fraudulent premium SMS messages and charges users' accounts for fake services without their knowledge.
The tag is: misp-galaxy:android="ExpensiveWall"
Cepsohord
Cepsohord is a Trojan horse for Android devices that uses compromised devices to commit click fraud, modify DNS settings, randomly delete essential files, and download additional malware such as ransomware.
The tag is: misp-galaxy:android="Cepsohord"
Links:
- https://www.cyber.nj.gov/threat-profiles/android-malware-variants/cepsohord
Fakem Rat
Fakem RAT makes its network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).
The tag is: misp-galaxy:android="Fakem Rat"
GM Bot
GM Bot – also known as Acecard, SlemBunk, or Bankosy – scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps log-in pages. Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.
The tag is: misp-galaxy:android="GM Bot"
GM Bot is also known as:
- Acecard
- SlemBunk
- Bankosy
GM Bot has relationships with:
- similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:android="Bankosy" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"
Links:
- https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide
Moplus
The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the user’s device, and this connection is established in the background without the user’s knowledge.
The tag is: misp-galaxy:android="Moplus"
Links:
- http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html
Adwind
Adwind is a backdoor written purely in Java that targets systems supporting the Java runtime environment. Its commands can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. According to the author, the backdoor component can run on Windows, Mac OS, Linux and Android platforms, providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.
The tag is: misp-galaxy:android="Adwind"
Adwind is also known as:
- AlienSpy
- Frutas
- Unrecom
- Sockrat
- Jsocket
- jRat
- Backdoor:Java/Adwind
Adwind has relationships with:
- similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:android="Sockrat" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"
AdSms
Adsms is a Trojan horse that may send SMS messages from Android devices.
The tag is: misp-galaxy:android="AdSms"
Links:
- https://www.symantec.com/security_response/writeup.jsp?docid=2011-051313-4039-99
Airpush
Airpush is a very aggressive ad network.
The tag is: misp-galaxy:android="Airpush"
Airpush is also known as:
- StopSMS
Links:
- https://crypto.stanford.edu/cs155old/cs155-spring16/lectures/18-mobile-malware.pdf
BeanBot
BeanBot forwards the device's data to a remote server and sends out premium-rate SMS messages from the infected device.
The tag is: misp-galaxy:android="BeanBot"
Links:
- https://www.f-secure.com/v-descs/trojan_android_beanbot.shtml
Kemoge
Kemoge is adware that disguises itself as popular apps via repackaging, then allows for a complete takeover of the user's Android device.
The tag is: misp-galaxy:android="Kemoge"
Kemoge has relationships with:
- similar: misp-galaxy:mitre-malware="ShiftyBug - S0294" with estimative-language:likelihood-probability="likely"
Links:
- https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html
- https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99
Ghost Push
Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed.
The tag is: misp-galaxy:android="Ghost Push"
Links:
- https://blog.avast.com/how-to-protect-your-android-device-from-ghost-push
BeNews
The BeNews app is a backdoor app that uses the name of defunct news site BeNews to appear legitimate. After installation it bypasses restrictions and downloads additional threats to the compromised device.
The tag is: misp-galaxy:android="BeNews"
Accstealer
Accstealer is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Accstealer"
Links:
- https://www.symantec.com/security_response/writeup.jsp?docid=2015-012711-1159-99
Acnetdoor
Acnetdoor is a detection for Trojan horses on the Android platform that open a back door on the compromised device.
The tag is: misp-galaxy:android="Acnetdoor"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99 |
Acnetsteal
Acnetsteal is a detection for Trojan horses on the Android platform that steal information from the compromised device.
The tag is: misp-galaxy:android="Acnetsteal"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051612-0505-99 |
Actech
Actech is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Actech"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080111-3948-99 |
AdChina
AdChina is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdChina"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-2947-99 |
Adfonic
Adfonic is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adfonic"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052615-0024-99 |
AdInfo
AdInfo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdInfo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2433-99 |
Adknowledge
Adknowledge is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adknowledge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-1033-99 |
AdMarvel
AdMarvel is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdMarvel"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-2450-99 |
AdMob
AdMob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AdMob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-3437-99 |
Adrd
Adrd is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Adrd"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-021514-4954-99 |
Aduru
Aduru is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Aduru"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-2419-99 |
Adwhirl
Adwhirl is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adwhirl"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1414-99 |
Adwlauncher
Adwlauncher is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Adwlauncher"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082308-1823-99 |
Adwo
Adwo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Adwo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-5806-99 |
Airad
Airad is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Airad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-1704-99 |
Alienspy
Alienspy is a Trojan horse for Android devices that steals information from the compromised device. It may also download potentially malicious files.
The tag is: misp-galaxy:android="Alienspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-042714-5942-99 |
AmazonAds
AmazonAds is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AmazonAds"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-5002-99 |
Answerbot
Answerbot is a Trojan horse that opens a back door on Android devices.
The tag is: misp-galaxy:android="Answerbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-100711-2129-99 |
Antammi
Antammi is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Antammi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-032106-5211-99 |
Apkmore
Apkmore is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Apkmore"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-4813-99 |
Aplog
Aplog is a Trojan horse for Android devices that steals information from the device.
The tag is: misp-galaxy:android="Aplog"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-100911-1023-99 |
Appenda
Appenda is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Appenda"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062812-0516-99 |
Apperhand
Apperhand is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Apperhand"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5637-99 |
Appleservice
Appleservice is a Trojan horse for Android devices that may steal information from the compromised device.
The tag is: misp-galaxy:android="Appleservice"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031011-4321-99 |
AppLovin
AppLovin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="AppLovin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-1739-99 |
Arspam
Arspam is a Trojan horse for Android devices that sends spam SMS messages to contacts on the compromised device.
The tag is: misp-galaxy:android="Arspam"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121915-3251-99 |
Aurecord
Aurecord is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Aurecord"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-2310-99 |
Backapp
Backapp is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Backapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-092708-5017-99 |
Backdexer
Backdexer is a Trojan horse for Android devices that may send premium-rate SMS messages from the compromised device.
The tag is: misp-galaxy:android="Backdexer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121812-2502-99 |
Backflash
Backflash is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Backflash"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99 |
Backscript
Backscript is a Trojan horse for Android devices that downloads files onto the compromised device.
The tag is: misp-galaxy:android="Backscript"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090704-3639-99 |
Badaccents
Badaccents is a Trojan horse for Android devices that may download apps on the compromised device.
The tag is: misp-galaxy:android="Badaccents"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-123015-3618-99 |
Badpush
Badpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Badpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-4133-99 |
Ballonpop
Ballonpop is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Ballonpop"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-120911-1731-99 |
Bankosy
Bankosy is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Bankosy"
Bankosy has relationships with:
- similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:android="GM Bot" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99 |
Bankun
Bankun is a Trojan horse for Android devices that replaces certain banking applications on the compromised device.
The tag is: misp-galaxy:android="Bankun"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072318-4143-99 |
Basebridge
Basebridge is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.
The tag is: misp-galaxy:android="Basebridge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060915-4938-99 |
Basedao
Basedao is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Basedao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061715-3303-99 |
Batterydoctor
Batterydoctor is a Trojan horse that makes exaggerated claims about the device's ability to recharge the battery, as well as stealing information.
The tag is: misp-galaxy:android="Batterydoctor"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-101916-0847-99 |
Beaglespy
Beaglespy is an Android mobile detection for the Beagle spyware program as well as its associated client application.
The tag is: misp-galaxy:android="Beaglespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091010-0627-99 |
Becuro
Becuro is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.
The tag is: misp-galaxy:android="Becuro"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-051410-3348-99 |
Beita
Beita is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Beita"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99 |
Bgserv
Bgserv is a Trojan that opens a back door and transmits information from the device to a remote location.
The tag is: misp-galaxy:android="Bgserv"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99 |
Biigespy
Biigespy is an Android mobile detection for the Biige spyware program as well as its associated client application.
The tag is: misp-galaxy:android="Biigespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091012-0526-99 |
Bmaster
Bmaster is a Trojan horse on the Android platform that opens a back door, downloads files and steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Bmaster"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99 |
Bossefiv
Bossefiv is a Trojan horse for Android devices that steals information.
The tag is: misp-galaxy:android="Bossefiv"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-061520-4322-99 |
Boxpush
Boxpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Boxpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-4613-99 |
Burstly
Burstly is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Burstly"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1443-99 |
Buzzcity
Buzzcity is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Buzzcity"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1454-99 |
ByPush
ByPush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="ByPush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4708-99 |
Cajino
Cajino is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Cajino"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-040210-3746-99 |
Casee
Casee is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Casee"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3501-99 |
Catchtoken
Catchtoken is a Trojan horse for Android devices that intercepts SMS messages and opens a back door on the compromised device.
The tag is: misp-galaxy:android="Catchtoken"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121619-0548-99 |
Cauly
Cauly is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Cauly"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3454-99 |
Cellshark
Cellshark is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.
The tag is: misp-galaxy:android="Cellshark"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111611-0914-99 |
Centero
Centero is a Trojan horse for Android devices that displays advertisements on the compromised device.
The tag is: misp-galaxy:android="Centero"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-053006-2502-99 |
Chuli
Chuli is a Trojan horse for Android devices that opens a back door and may steal information from the compromised device.
The tag is: misp-galaxy:android="Chuli"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-032617-1604-99 |
Citmo
Citmo is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Citmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-5012-99 |
Claco
Claco is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Claco"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-020415-5600-99 |
Clevernet
Clevernet is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Clevernet"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-5257-99 |
Cnappbox
Cnappbox is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Cnappbox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-1141-99 |
Cobblerone
Cobblerone is a spyware application for Android devices that can track the phone’s location and remotely erase the device.
The tag is: misp-galaxy:android="Cobblerone"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111514-3846-99 |
Coolpaperleak
Coolpaperleak is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Coolpaperleak"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080211-5757-99 |
Coolreaper
Coolreaper is a Trojan horse for Android devices that opens a back door on the compromised device. It may also steal information and download potentially malicious files.
The tag is: misp-galaxy:android="Coolreaper"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-011220-3211-99 |
Cosha
Cosha is a spyware program for Android devices that monitors and sends certain information to a remote location.
The tag is: misp-galaxy:android="Cosha"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081712-5231-99 |
Counterclank
Counterclank is a Trojan horse for Android devices that steals information.
The tag is: misp-galaxy:android="Counterclank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99 |
Crazymedia
Crazymedia is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Crazymedia"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-2547-99 |
Crisis
Crisis is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Crisis"
Crisis has relationships with:
- similar: misp-galaxy:malpedia="RCS" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99 |
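The "has relationships with" lines shown for Kemoge, Bankosy and Crisis are rendered from the galaxy cluster JSON, where each cluster carries a "related" list whose entries point at another cluster by UUID (possibly in a different galaxy, such as tool or malpedia) and carry qualifier tags such as the estimative-language likelihood. The Python below is an added example, not part of this page or of the MISP project's code: it builds the misp-galaxy:<type>="<value>" tag string, parses it back, resolves cross-galaxy UUID links and renders the relationship lines in the form this page uses. The cluster data is constructed by hand from the Bankosy and Crisis entries above, the UUIDs are placeholders, and the field names (value, description, meta.refs, related with dest-uuid, type and tags) are assumed to follow the MISP galaxy cluster JSON layout.

```python
"""Build MISP galaxy tags and resolve cluster relationships (added example)."""
import re
from typing import Dict, List, Tuple

# A galaxy tag is "misp-galaxy:" + galaxy type + '="' + cluster value + '"'.
TAG_RE = re.compile(r'^misp-galaxy:(?P<type>[^=]+)="(?P<value>.*)"$')

# Constructed sample data with placeholder UUIDs; not the real galaxy files.
GALAXIES: Dict[str, List[dict]] = {
    "android": [
        {
            "uuid": "11111111-1111-4111-8111-111111111111",
            "value": "Bankosy",
            "description": "Bankosy is a Trojan horse for Android devices that steals information from the compromised device.",
            "meta": {"refs": ["https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99"]},
            "related": [
                {"dest-uuid": "22222222-2222-4222-8222-222222222222", "type": "similar",
                 "tags": ['estimative-language:likelihood-probability="likely"']},
                {"dest-uuid": "33333333-3333-4333-8333-333333333333", "type": "similar",
                 "tags": ['estimative-language:likelihood-probability="likely"']},
                {"dest-uuid": "44444444-4444-4444-8444-444444444444", "type": "similar",
                 "tags": ['estimative-language:likelihood-probability="likely"']},
            ],
        },
        {"uuid": "33333333-3333-4333-8333-333333333333", "value": "GM Bot", "description": "", "meta": {}, "related": []},
        {
            "uuid": "55555555-5555-4555-8555-555555555555",
            "value": "Crisis",
            "description": "Crisis is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.",
            "meta": {"refs": ["https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99"]},
            "related": [
                {"dest-uuid": "66666666-6666-4666-8666-666666666666", "type": "similar",
                 "tags": ['estimative-language:likelihood-probability="likely"']},
                # Dangling link: no cluster in the sample carries this UUID.
                {"dest-uuid": "99999999-9999-4999-8999-999999999999", "type": "similar", "tags": []},
            ],
        },
    ],
    "tool": [{"uuid": "22222222-2222-4222-8222-222222222222", "value": "Slempo", "description": "", "meta": {}, "related": []}],
    "malpedia": [
        {"uuid": "44444444-4444-4444-8444-444444444444", "value": "Slempo", "description": "", "meta": {}, "related": []},
        {"uuid": "66666666-6666-4666-8666-666666666666", "value": "RCS", "description": "", "meta": {}, "related": []},
    ],
}


def galaxy_tag(galaxy_type: str, value: str) -> str:
    """Return the MISP tag for a cluster, e.g. misp-galaxy:android="Bankosy"."""
    return f'misp-galaxy:{galaxy_type}="{value}"'


def parse_galaxy_tag(tag: str) -> Tuple[str, str]:
    """Split a galaxy tag into (galaxy type, cluster value); reject other tags."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"not a misp-galaxy tag: {tag!r}")
    return m.group("type"), m.group("value")


def index_by_uuid(galaxies: Dict[str, List[dict]]) -> Dict[str, Tuple[str, dict]]:
    """Map every cluster UUID to (galaxy type, cluster) so cross-galaxy links resolve."""
    index: Dict[str, Tuple[str, dict]] = {}
    for gtype, clusters in galaxies.items():
        for cluster in clusters:
            index[cluster["uuid"]] = (gtype, cluster)
    return index


def render_relationships(cluster: dict, index: Dict[str, Tuple[str, dict]]) -> List[str]:
    """Render "related" entries as '<type>: <tag> with <qualifier tags>'.

    A dest-uuid absent from every loaded galaxy is reported as unresolved
    rather than silently dropped, so broken links stay visible.
    """
    lines: List[str] = []
    for rel in cluster.get("related", []):
        target = index.get(rel["dest-uuid"])
        if target is None:
            lines.append(f'{rel["type"]}: <unresolved {rel["dest-uuid"]}>')
            continue
        gtype, dest = target
        line = f'{rel["type"]}: {galaxy_tag(gtype, dest["value"])}'
        if rel.get("tags"):
            line += " with " + ", ".join(rel["tags"])
        lines.append(line)
    return lines


def find_cluster(tag: str, galaxies: Dict[str, List[dict]]) -> dict:
    """Resolve a tag such as misp-galaxy:android="Crisis" to its cluster dict."""
    gtype, value = parse_galaxy_tag(tag)
    for cluster in galaxies.get(gtype, []):
        if cluster["value"] == value:
            return cluster
    raise KeyError(tag)


if __name__ == "__main__":
    idx = index_by_uuid(GALAXIES)
    for name in ("Bankosy", "Crisis"):
        c = find_cluster(galaxy_tag("android", name), GALAXIES)
        print(f"{name} has relationships with:")
        for line in render_relationships(c, idx):
            print("  -", line)
```

The unresolved-link branch matters in practice: a relationship whose dest-uuid is not loaded usually means the target galaxy file is missing or out of date, and silently dropping it would hide that gap from the analyst.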
Crusewind
Crusewind is a Trojan horse for Android devices that sends SMS messages to a premium-rate number.
The tag is: misp-galaxy:android="Crusewind"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99 |
Dandro
Dandro is a Trojan horse for Android devices that allows a remote attacker to gain control over the device and steal information from it.
The tag is: misp-galaxy:android="Dandro"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-012916-2128-99 |
Daoyoudao
Daoyoudao is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Daoyoudao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040214-5018-99 |
Deathring
Deathring is a Trojan horse for Android devices that may perform malicious activities on the compromised device.
The tag is: misp-galaxy:android="Deathring"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121116-4547-99 |
Deeveemap
Deeveemap is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.
The tag is: misp-galaxy:android="Deeveemap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2017-060907-5221-99 |
Dendoroid
Dendoroid is a Trojan horse for Android devices that opens a back door, steals information, and may perform other malicious activities on the compromised device.
The tag is: misp-galaxy:android="Dendoroid"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030418-2633-99 |
Dengaru
Dengaru is a Trojan horse for Android devices that performs click-fraud from the compromised device.
The tag is: misp-galaxy:android="Dengaru"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-051113-4819-99 |
Diandong
Diandong is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Diandong"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-2453-99 |
Dianjin
Dianjin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Dianjin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-0313-99 |
Dogowar
Dogowar is a Trojan horse on the Android platform that sends SMS texts to all contacts on the device. It is a repackaged version of a game application called Dog Wars, which can be downloaded from a third party market and must be manually installed.
The tag is: misp-galaxy:android="Dogowar"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-081510-4323-99 |
Domob
Domob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Domob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-4235-99 |
Dougalek
Dougalek is a Trojan horse for Android devices that steals information from the compromised device. The threat is typically disguised to display a video.
The tag is: misp-galaxy:android="Dougalek"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041601-3400-99 |
Dowgin
Dowgin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Dowgin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-033108-4723-99 |
Droidsheep
Droidsheep is a hacktool for Android devices that hijacks social networking accounts on compromised devices.
The tag is: misp-galaxy:android="Droidsheep"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031014-3628-99 |
Dropdialer
Dropdialer is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Dropdialer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99 |
Dupvert
Dupvert is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. It may also perform other malicious activities.
The tag is: misp-galaxy:android="Dupvert"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072313-1959-99 |
Dynamicit
Dynamicit is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Dynamicit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-1346-99 |
Ecardgrabber
Ecardgrabber is an application that attempts to read details from NFC-enabled credit cards that are in close proximity to the device.
The tag is: misp-galaxy:android="Ecardgrabber"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062215-0939-99 |
Ecobatry
Ecobatry is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Ecobatry"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080606-4102-99 |
Enesoluty
Enesoluty is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Enesoluty"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090607-0807-99 |
Everbadge
Everbadge is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Everbadge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-3736-99 |
Ewalls
Ewalls is a Trojan horse for the Android operating system that steals information from the mobile device.
The tag is: misp-galaxy:android="Ewalls"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2010-073014-0854-99 |
Exprespam
Exprespam is a Trojan horse for Android devices that displays a fake message and steals personal information stored on the compromised device.
The tag is: misp-galaxy:android="Exprespam"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-010705-2324-99 |
Fakealbums
Fakealbums is a Trojan horse for Android devices that monitors and forwards received messages from the compromised device.
The tag is: misp-galaxy:android="Fakealbums"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071819-0636-99 |
Fakeangry
Fakeangry is a Trojan horse on the Android platform that opens a back door, downloads files, and steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Fakeangry"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022823-4233-99 |
Fakeapp
Fakeapp is a Trojan horse for Android devices that downloads configuration files to display advertisements and collects information from the compromised device.
The tag is: misp-galaxy:android="Fakeapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99 |
Fakebanco
Fakebanco is a Trojan horse for Android devices that redirects users to a phishing page in order to steal their information.
The tag is: misp-galaxy:android="Fakebanco"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-112109-5329-99 |
Fakebank
Fakebank is a Trojan horse that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakebank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071813-2448-99 |
Fakebank.B
Fakebank.B is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Fakebank.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-101114-5645-99 |
Fakebok
Fakebok is a Trojan horse for Android devices that sends SMS messages to premium phone numbers.
The tag is: misp-galaxy:android="Fakebok"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-021115-5153-99 |
Fakedaum
Fakedaum is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakedaum"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99 |
Fakedefender
Fakedefender is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.
The tag is: misp-galaxy:android="Fakedefender"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060301-4418-99 |
Fakedefender.B
Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.
The tag is: misp-galaxy:android="Fakedefender.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99 |
Fakedown
Fakedown is a Trojan horse for Android devices that downloads more malicious apps onto the compromised device.
The tag is: misp-galaxy:android="Fakedown"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-041803-5918-99 |
Fakeflash
Fakeflash is a Trojan horse for Android devices that installs a fake Flash application in order to direct users to a website.
The tag is: misp-galaxy:android="Fakeflash"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070318-2122-99 |
Fakegame
Fakegame is a Trojan horse for Android devices that displays advertisements and steals information from the compromised device.
The tag is: misp-galaxy:android="Fakegame"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040808-2922-99 |
Fakeguard
Fakeguard is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakeguard"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-102908-3526-99 |
Fakejob
Fakejob is a Trojan horse for Android devices that redirects users to scam websites.
The tag is: misp-galaxy:android="Fakejob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030721-3048-99 |
Fakekakao
Fakekakao is a Trojan horse for Android devices that sends SMS messages to contacts stored on the compromised device.
The tag is: misp-galaxy:android="Fakekakao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071617-2031-99 |
Fakelemon
Fakelemon is a Trojan horse for Android devices that blocks certain SMS messages and may subscribe to services without the user’s consent.
The tag is: misp-galaxy:android="Fakelemon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-120609-3608-99 |
Fakelicense
Fakelicense is a Trojan horse that displays advertisements on the compromised device.
The tag is: misp-galaxy:android="Fakelicense"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062709-1437-99 |
Fakelogin
Fakelogin is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakelogin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-102108-5457-99 |
FakeLookout
FakeLookout is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.
The tag is: misp-galaxy:android="FakeLookout"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-101919-2128-99 |
FakeMart
FakeMart is a Trojan horse for Android devices that may send SMS messages to premium-rate numbers. It may also block incoming messages and steal information from the compromised device.
The tag is: misp-galaxy:android="FakeMart"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99 |
Fakemini
Fakemini is a Trojan horse for Android devices that disguises itself as an installation for the Opera Mini browser and sends premium-rate SMS messages to a predetermined number.
The tag is: misp-galaxy:android="Fakemini"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-110410-5958-99 |
Fakemrat
Fakemrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Fakemrat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99 |
Fakeneflic
Fakeneflic is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Fakeneflic"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99 |
Fakenotify
Fakenotify is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers, collects and sends information, and periodically displays Web pages. It also downloads legitimate apps onto the compromised device.
The tag is: misp-galaxy:android="Fakenotify"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011302-3052-99 |
Fakepatch
Fakepatch is a Trojan horse for Android devices that downloads more files on to the device.
The tag is: misp-galaxy:android="Fakepatch"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062811-2820-99 |
Fakeplay
Fakeplay is a Trojan horse for Android devices that steals information from the compromised device and sends it to a predetermined email address.
The tag is: misp-galaxy:android="Fakeplay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-100917-3825-99 |
Fakescarav
Fakescarav is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to pay in order to remove non-existent malware or security risks from the device.
The tag is: misp-galaxy:android="Fakescarav"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-012809-1901-99 |
Fakesecsuit
Fakesecsuit is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fakesecsuit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99 |
Fakesucon
Fakesucon is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Fakesucon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-120915-2524-99 |
Faketaobao
Faketaobao is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Faketaobao"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99 |
Faketaobao.B
Faketaobao.B is a Trojan horse for Android devices that intercepts incoming SMS messages and sends them to a remote attacker.
The tag is: misp-galaxy:android="Faketaobao.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-012106-4013-99 |
Faketoken
Faketoken is a Trojan horse that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Faketoken"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-032211-2048-99 |
http://bgr.com/2017/08/18/android-malware-faketoken-steal-credit-card-info/ |
Fakeupdate
Fakeupdate is a Trojan horse for Android devices that downloads other applications onto the compromised device.
The tag is: misp-galaxy:android="Fakeupdate"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-081914-5637-99 |
Fakevoice
Fakevoice is a Trojan horse for Android devices that dials a premium-rate phone number.
The tag is: misp-galaxy:android="Fakevoice"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040510-3249-99 |
Farmbaby
Farmbaby is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.
The tag is: misp-galaxy:android="Farmbaby"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090715-3641-99 |
Fauxtocopy
Fauxtocopy is a spyware application for Android devices that gathers photos from the device and sends them to a predetermined email address.
The tag is: misp-galaxy:android="Fauxtocopy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111515-3940-99 |
Feiwo
Feiwo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Feiwo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-4038-99 |
FindAndCall
FindAndCall is a Potentially Unwanted Application for Android devices that may leak information.
The tag is: misp-galaxy:android="FindAndCall"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-2906-99 |
Finfish
Finfish is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Finfish"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-083016-0032-99 |
Fireleaker
Fireleaker is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fireleaker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-5207-99 |
Fitikser
Fitikser is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Fitikser"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-093015-2830-99 |
Flexispy
Flexispy is a spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.
The tag is: misp-galaxy:android="Flexispy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99 |
Fokonge
Fokonge is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Fokonge"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071802-0727-99 |
FoncySMS
FoncySMS is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. It may also connect to an IRC server and execute any received shell commands.
The tag is: misp-galaxy:android="FoncySMS"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011502-2651-99 |
Frogonal
Frogonal is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Frogonal"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062205-2312-99 |
Ftad
Ftad is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Ftad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040114-2020-99 |
Funtasy
Funtasy is a Trojan horse for Android devices that subscribes the user to premium SMS services.
The tag is: misp-galaxy:android="Funtasy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-092519-5811-99 |
GallMe
GallMe is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="GallMe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1336-99 |
Gamex
Gamex is a Trojan horse for Android devices that downloads further threats.
The tag is: misp-galaxy:android="Gamex"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051015-1808-99 |
Gappusin
Gappusin is a Trojan horse for Android devices that downloads applications and disguises them as system updates.
The tag is: misp-galaxy:android="Gappusin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022007-2013-99 |
Gazon
Gazon is a worm for Android devices that spreads through SMS messages.
The tag is: misp-galaxy:android="Gazon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-030320-1436-99 |
Geinimi
Geinimi is a Trojan that opens a back door and transmits information from the device to a remote location.
The tag is: misp-galaxy:android="Geinimi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-010111-5403-99 |
Generisk
Generisk is a generic detection for Android applications that may pose a privacy, security, or stability risk to the user or user’s Android device.
The tag is: misp-galaxy:android="Generisk"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-062622-1559-99 |
Genheur
Genheur is a generic detection for many individual but varied Trojans for Android devices for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.
The tag is: misp-galaxy:android="Genheur"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-0848-99 |
Genpush
Genpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Genpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-033109-0426-99 |
GeoFake
GeoFake is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers.
The tag is: misp-galaxy:android="GeoFake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040217-3232-99 |
Geplook
Geplook is a Trojan horse for Android devices that downloads additional apps onto the compromised device.
The tag is: misp-galaxy:android="Geplook"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121814-0917-99 |
Getadpush
Getadpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Getadpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-0957-99 |
Ggtracker
Ggtracker is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. It may also steal information from the device.
The tag is: misp-galaxy:android="Ggtracker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-062208-5013-99 |
Ghostpush
Ghostpush is a Trojan horse for Android devices that roots the compromised device. It may then perform malicious activities on the compromised device.
The tag is: misp-galaxy:android="Ghostpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-100215-3718-99 |
Gmaster
Gmaster is a Trojan horse on the Android platform that steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Gmaster"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99 |
Godwon
Godwon is a Trojan horse for Android devices that steals information.
The tag is: misp-galaxy:android="Godwon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99 |
Golddream
Golddream is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Golddream"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-070608-4139-99 |
Goldeneagle
Goldeneagle is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Goldeneagle"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-090110-3712-99 |
Golocker
Golocker is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Golocker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062003-3214-99 |
Gomal
Gomal is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Gomal"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101312-1047-99 |
Gonesixty
Gonesixty is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Gonesixty"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99 |
Gonfu
Gonfu is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Gonfu"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060610-3953-99 |
Gonfu.B
Gonfu.B is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Gonfu.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-030811-5215-99 |
Gonfu.C
Gonfu.C is a Trojan horse for Android devices that may download additional threats on the compromised device.
The tag is: misp-galaxy:android="Gonfu.C"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031817-3639-99 |
Gonfu.D
Gonfu.D is a Trojan horse that opens a back door on Android devices.
The tag is: misp-galaxy:android="Gonfu.D"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040414-1158-99 |
Gooboot
Gooboot is a Trojan horse for Android devices that may send text messages to premium-rate numbers.
The tag is: misp-galaxy:android="Gooboot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031818-3034-99 |
Goodadpush
Goodadpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Goodadpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0913-99 |
Greystripe
Greystripe is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Greystripe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-2643-99 |
Gugespy
Gugespy is a spyware program for Android devices that logs the device’s activity and sends it to a predetermined email address.
The tag is: misp-galaxy:android="Gugespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071822-2515-99 |
Gugespy.B
Gugespy.B is a spyware program for Android devices that monitors and sends certain information to a remote location.
The tag is: misp-galaxy:android="Gugespy.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-070511-5038-99 |
Gupno
Gupno is a Trojan horse for Android devices that poses as a legitimate app and attempts to charge users for features that are normally free. It may also display advertisements on the compromised device.
The tag is: misp-galaxy:android="Gupno"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-072211-5533-99 |
Habey
Habey is a Trojan horse for Android devices that may attempt to delete files and send SMS messages from the compromised device.
The tag is: misp-galaxy:android="Habey"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-100608-4512-99 |
Handyclient
Handyclient is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Handyclient"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5027-99 |
Hehe
Hehe is a Trojan horse for Android devices that blocks incoming calls and SMS messages from specific numbers. The Trojan also steals information from the compromised device.
The tag is: misp-galaxy:android="Hehe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-012211-0020-99 |
Hesperbot
Hesperbot is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.
The tag is: misp-galaxy:android="Hesperbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121010-1120-99 |
Hippo
Hippo is a Trojan horse that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Hippo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071215-3547-99 |
Hippo.B
Hippo.B is a Trojan horse that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Hippo.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031915-0151-99 |
IadPush
IadPush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="IadPush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4104-99 |
iBanking
iBanking is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.
The tag is: misp-galaxy:android="iBanking"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030713-0559-99 |
Iconosis
Iconosis is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Iconosis"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062107-3327-99 |
Iconosys
Iconosys is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Iconosys"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081309-0341-99 |
Igexin
Igexin is an advertisement library that is bundled with certain Android applications. Igexin has the capability of spying on victims through otherwise benign apps by downloading malicious plugins.
The tag is: misp-galaxy:android="Igexin"
Igexin is also known as:
- IcicleGum
Igexin has relationships with:
- similar: misp-galaxy:android="IcicleGum" with estimative-language:likelihood-probability="likely"
ImAdPush
ImAdPush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="ImAdPush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040323-0218-99 |
InMobi
InMobi is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="InMobi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-1527-99 |
Jifake
Jifake is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Jifake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-073021-4247-99 |
Jollyserv
Jollyserv is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.
The tag is: misp-galaxy:android="Jollyserv"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-090311-4533-99 |
Jsmshider
Jsmshider is a Trojan horse that opens a back door on Android devices.
The tag is: misp-galaxy:android="Jsmshider"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-062114-0857-99 |
Ju6
Ju6 is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Ju6"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2428-99 |
Jumptap
Jumptap is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Jumptap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0859-99 |
Jzmob
Jzmob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Jzmob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-1703-99 |
Kabstamper
Kabstamper is a Trojan horse for Android devices that corrupts images found on the compromised device.
The tag is: misp-galaxy:android="Kabstamper"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-060706-2305-99 |
Kidlogger
Kidlogger is a spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.
The tag is: misp-galaxy:android="Kidlogger"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-122014-1927-99 |
Kielog
Kielog is a Trojan horse for Android devices that logs keystrokes and sends the stolen information to the remote attacker.
The tag is: misp-galaxy:android="Kielog"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040205-4035-99 |
Kituri
Kituri is a Trojan horse for Android devices that blocks certain SMS messages from being received by the device. It may also send SMS messages to a premium-rate number.
The tag is: misp-galaxy:android="Kituri"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-061111-5350-99 |
Kranxpay
Kranxpay is a Trojan horse for Android devices that downloads other apps onto the device.
The tag is: misp-galaxy:android="Kranxpay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071009-0809-99 |
Krysanec
Krysanec is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Krysanec"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-090113-4128-99 |
Kuaidian360
Kuaidian360 is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Kuaidian360"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040109-2415-99 |
Kuguo
Kuguo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Kuguo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-5215-99 |
Lastacloud
Lastacloud is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Lastacloud"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121216-4334-99 |
Laucassspy
Laucassspy is a spyware program for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Laucassspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-092409-1822-99 |
Lifemonspy
Lifemonspy is a spyware application for Android devices that can track the phone’s location, download SMS messages, and erase certain data from the device.
The tag is: misp-galaxy:android="Lifemonspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-5540-99 |
Lightdd
Lightdd is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Lightdd"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-053114-2342-99 |
Loaderpush
Loaderpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Loaderpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0244-99 |
Locaspy
Locaspy is a Potentially Unwanted Application for Android devices that tracks the location of the compromised device.
The tag is: misp-galaxy:android="Locaspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030720-3500-99 |
Lockdroid.E
Lockdroid.E is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.E"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-103005-2209-99 |
Lockdroid.F
Lockdroid.F is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.F"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-102215-4346-99 |
Lockdroid.G
Lockdroid.G is a Trojan horse for Android devices that may display a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.G"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-050610-2450-99 |
Lockdroid.H
Lockdroid.H is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.
The tag is: misp-galaxy:android="Lockdroid.H"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2016-031621-1349-99 |
Lockscreen
Lockscreen is a Trojan horse for Android devices that locks the compromised device from use.
The tag is: misp-galaxy:android="Lockscreen"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-032409-0743-99 |
LogiaAd
LogiaAd is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="LogiaAd"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0348-99 |
Loicdos
Loicdos is an Android application that provides an interface to a website in order to perform a denial of service (DoS) attack against a computer.
The tag is: misp-galaxy:android="Loicdos"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022002-2431-99 |
Loozfon
Loozfon is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Loozfon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082005-5451-99 |
Lotoor
Lotoor is a generic detection for hack tools that exploit vulnerabilities in order to gain root privileges on compromised Android devices.
The tag is: misp-galaxy:android="Lotoor"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091922-4449-99 |
Lovespy
Lovespy is a Trojan horse for Android devices that steals information from the device.
The tag is: misp-galaxy:android="Lovespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071814-3805-99 |
Lovetrap
Lovetrap is a Trojan horse that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Lovetrap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99 |
Luckycat
Luckycat is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.
The tag is: misp-galaxy:android="Luckycat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080617-5343-99 |
Machinleak
Machinleak is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Machinleak"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-120311-2440-99 |
Maistealer
Maistealer is a Trojan that steals information from Android devices.
The tag is: misp-galaxy:android="Maistealer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99 |
Malapp
Malapp is a generic detection for many individual but varied threats on Android devices that share similar characteristics.
The tag is: misp-galaxy:android="Malapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-073014-3354-99 |
Malebook
Malebook is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Malebook"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071206-3403-99 |
Malhome
Malhome is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Malhome"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071118-0441-99 |
Malminer
Malminer is a Trojan horse for Android devices that mines cryptocurrencies on the compromised device.
The tag is: misp-galaxy:android="Malminer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032712-3709-99 |
Mania
Mania is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Mania"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070623-1520-99 |
Maxit
Maxit is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals certain information and uploads it to a remote location.
The tag is: misp-galaxy:android="Maxit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-120411-2511-99 |
MdotM
MdotM is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MdotM"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5824-99 |
Medialets
Medialets is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Medialets"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5222-99 |
Meshidden
Meshidden is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Meshidden"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031913-5257-99 |
Mesploit
Mesploit is a tool for Android devices used to create applications that exploit the Android Fake ID vulnerability.
The tag is: misp-galaxy:android="Mesploit"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-032014-2847-99 |
Mesprank
Mesprank is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Mesprank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030717-1933-99 |
Meswatcherbox
Meswatcherbox is a spyware application for Android devices that forwards SMS messages without the user knowing.
The tag is: misp-galaxy:android="Meswatcherbox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-2736-99 |
Miji
Miji is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Miji"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4720-99 |
Milipnot
Milipnot is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Milipnot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-070414-0941-99 |
MillennialMedia
MillennialMedia is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MillennialMedia"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4602-99 |
Mitcad
Mitcad is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mitcad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040212-0528-99 |
MobClix
MobClix is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MobClix"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4011-99 |
MobFox
MobFox is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MobFox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-3050-99 |
Mobidisplay
Mobidisplay is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mobidisplay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-0435-99 |
Mobigapp
Mobigapp is a Trojan horse for Android devices that downloads applications disguised as system updates.
The tag is: misp-galaxy:android="Mobigapp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062520-5802-99 |
MobileBackup
MobileBackup is a spyware application for Android devices that monitors the affected device.
The tag is: misp-galaxy:android="MobileBackup"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-0040-99 |
Mobilespy
Mobilespy is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Mobilespy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071512-0653-99 |
Mobiletx
Mobiletx is a Trojan horse for Android devices that steals information from the compromised device. It may also send SMS messages to a premium-rate number.
The tag is: misp-galaxy:android="Mobiletx"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-052807-4439-99 |
Mobinaspy
Mobinaspy is a spyware application for Android devices that can track the device’s location.
The tag is: misp-galaxy:android="Mobinaspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-0511-99 |
Mobus
Mobus is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mobus"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2006-99 |
MobWin
MobWin is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MobWin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1522-99 |
Mocore
Mocore is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Mocore"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-092112-4603-99 |
Moghava
Moghava is a Trojan horse for Android devices that modifies images that are stored on the device.
The tag is: misp-galaxy:android="Moghava"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022712-2822-99 |
Momark
Momark is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Momark"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-5529-99 |
Monitorello
Monitorello is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Monitorello"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-4737-99 |
Moolah
Moolah is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Moolah"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1007-99 |
MoPub
MoPub is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="MoPub"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-2456-99 |
Morepaks
Morepaks is a Trojan horse for Android devices that downloads remote files and may display advertisements on the compromised device.
The tag is: misp-galaxy:android="Morepaks"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071204-1130-99 |
Nandrobox
Nandrobox is a Trojan horse for Android devices that steals information from the compromised device. It also deletes certain SMS messages from the device.
The tag is: misp-galaxy:android="Nandrobox"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070212-2132-99 |
Netisend
Netisend is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Netisend"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-080207-1139-99 |
Nickispy
Nickispy is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Nickispy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-072714-3613-99 |
Notcompatible
Notcompatible is a Trojan horse for Android devices that acts as a proxy.
The tag is: misp-galaxy:android="Notcompatible"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-050307-2712-99 |
Nuhaz
Nuhaz is a Trojan horse for Android devices that may intercept text messages on the compromised device.
The tag is: misp-galaxy:android="Nuhaz"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-3416-99 |
Nyearleaker
Nyearleaker is a Trojan horse program for Android devices that steals information.
The tag is: misp-galaxy:android="Nyearleaker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-010514-0844-99 |
Obad
Obad is a Trojan horse for Android devices that opens a back door, steals information, and downloads files. It also sends SMS messages to premium-rate numbers and spreads malware to Bluetooth-enabled devices.
The tag is: misp-galaxy:android="Obad"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99 |
Oneclickfraud
Oneclickfraud is a Trojan horse for Android devices that attempts to coerce a user into paying for a pornographic service.
The tag is: misp-galaxy:android="Oneclickfraud"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011205-4412-99 |
Opfake
Opfake is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers.
The tag is: misp-galaxy:android="Opfake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99 |
Opfake.B
Opfake.B is a Trojan horse for the Android platform that may receive commands from a remote attacker to perform various functions.
The tag is: misp-galaxy:android="Opfake.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022406-1309-99 |
Ozotshielder
Ozotshielder is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Ozotshielder"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-091505-3230-99 |
Pafloat
Pafloat is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Pafloat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-2015-99 |
PandaAds
PandaAds is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="PandaAds"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1959-99 |
Pandbot
Pandbot is a Trojan horse for Android devices that may download more files onto the device.
The tag is: misp-galaxy:android="Pandbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071215-1454-99 |
Pdaspy
Pdaspy is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.
The tag is: misp-galaxy:android="Pdaspy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-0749-99 |
Penetho
Penetho is a hacktool for Android devices that can be used to crack the WiFi password of the router that the device is using.
The tag is: misp-galaxy:android="Penetho"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-100110-3614-99 |
Perkel
Perkel is a Trojan horse for Android devices that may steal information from the compromised device.
The tag is: misp-galaxy:android="Perkel"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-082811-4213-99 |
Phimdropper
Phimdropper is a Trojan horse for Android devices that sends and intercepts incoming SMS messages.
The tag is: misp-galaxy:android="Phimdropper"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-021002-2943-99 |
Phospy
Phospy is a Trojan horse for Android devices that steals confidential information from the compromised device.
The tag is: misp-galaxy:android="Phospy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99 |
Piddialer
Piddialer is a Trojan horse for Android devices that dials premium-rate numbers from the compromised device.
The tag is: misp-galaxy:android="Piddialer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-2247-99 |
Pikspam
Pikspam is a Trojan horse for Android devices that sends spam SMS messages from the compromised device.
The tag is: misp-galaxy:android="Pikspam"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-121815-0336-99 |
Pincer
Pincer is a Trojan horse for Android devices that steals confidential information and opens a back door on the compromised device.
The tag is: misp-galaxy:android="Pincer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-052307-3530-99 |
Pirator
Pirator is a Trojan horse on the Android platform that downloads files and steals potentially confidential information from the compromised device.
The tag is: misp-galaxy:android="Pirator"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-021609-5740-99 |
Pjapps
Pjapps is a Trojan horse that has been embedded on third party applications and opens a back door on the compromised device. It retrieves commands from a remote command and control server.
The tag is: misp-galaxy:android="Pjapps"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-022303-3344-99 |
Pjapps.B
Pjapps.B is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Pjapps.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032014-1624-99 |
Pletora
Pletora is a Trojan horse for Android devices that may lock the compromised device. It then asks the user to pay in order to unlock the device.
The tag is: misp-galaxy:android="Pletora"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061217-4345-99 |
Poisoncake
Poisoncake is a Trojan horse for Android devices that opens a back door on the compromised device. It may also download potentially malicious files and steal information.
The tag is: misp-galaxy:android="Poisoncake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-010610-0726-99 |
Pontiflex
Pontiflex is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Pontiflex"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-0946-99 |
Positmob
Positmob is a Trojan horse program for Android devices that sends SMS messages to premium rate phone numbers.
The tag is: misp-galaxy:android="Positmob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111409-1556-99 |
Premiumtext
Premiumtext is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. These Trojans will often be repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace.
The tag is: misp-galaxy:android="Premiumtext"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-080213-5308-99 |
Pris
Pris is a Trojan horse for Android devices that silently downloads a malicious application and attempts to open a back door on the compromised device.
The tag is: misp-galaxy:android="Pris"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-061820-5638-99 |
Qdplugin
Qdplugin is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Qdplugin"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-102510-3330-99 |
Qicsomos
Qicsomos is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Qicsomos"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011007-2223-99 |
Qitmo
Qitmo is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Qitmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030716-4923-99 |
Rabbhome
Rabbhome is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Rabbhome"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-3750-99 |
Repane
Repane is a Trojan horse for Android devices that steals information and sends SMS messages from the compromised device.
The tag is: misp-galaxy:android="Repane"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99 |
Reputation.1
Reputation.1 is a detection for Android files based on analysis performed by Norton Mobile Insight.
The tag is: misp-galaxy:android="Reputation.1"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022612-2619-99 |
Reputation.2
Reputation.2 is a detection for Android files based on analysis performed by Norton Mobile Insight.
The tag is: misp-galaxy:android="Reputation.2"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-2629-99 |
Reputation.3
Reputation.3 is a detection for Android files based on analysis performed by Norton Mobile Insight.
The tag is: misp-galaxy:android="Reputation.3"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-3126-99 |
RevMob
RevMob is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="RevMob"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040308-0502-99 |
Roidsec
Roidsec is a Trojan horse for Android devices that steals confidential information.
The tag is: misp-galaxy:android="Roidsec"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99 |
Rootcager
Rootcager is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Rootcager"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-030212-1438-99 |
Rootnik
Rootnik is a Trojan horse for Android devices that steals information and downloads additional apps.
The tag is: misp-galaxy:android="Rootnik"
Rootnik has relationships with:
- similar: misp-galaxy:malpedia="Rootnik" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99 |
Rufraud
Rufraud is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.
The tag is: misp-galaxy:android="Rufraud"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121306-2304-99 |
Rusms
Rusms is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.
The tag is: misp-galaxy:android="Rusms"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061711-5009-99 |
Samsapo
Samsapo is a worm for Android devices that spreads by sending SMS messages to all contacts stored on the compromised device. It also opens a back door and downloads files.
The tag is: misp-galaxy:android="Samsapo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-050111-1908-99 |
Sandorat
Sandorat is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals information.
The tag is: misp-galaxy:android="Sandorat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-110720-2146-99 |
Sberick
Sberick is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Sberick"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071014-2146-99 |
Scartibro
Scartibro is a Trojan horse for Android devices that locks the compromised device and asks the user to pay in order to unlock it.
The tag is: misp-galaxy:android="Scartibro"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-080718-2038-99 |
Scipiex
Scipiex is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Scipiex"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-100814-4702-99 |
Selfmite
Selfmite is a worm for Android devices that spreads through SMS messages.
The tag is: misp-galaxy:android="Selfmite"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-070111-5857-99 |
Selfmite.B
Selfmite.B is a worm for Android devices that displays ads on the compromised device. It spreads through SMS messages.
The tag is: misp-galaxy:android="Selfmite.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101013-4717-99 |
SellARing
SellARing is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="SellARing"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-3157-99 |
SendDroid
SendDroid is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="SendDroid"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-2111-99 |
Simhosy
Simhosy is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Simhosy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061013-3955-99 |
Simplocker
Simplocker is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.
The tag is: misp-galaxy:android="Simplocker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99 |
Simplocker.B
Simplocker.B is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.
The tag is: misp-galaxy:android="Simplocker.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-072317-1950-99 |
Skullkey
Skullkey is a Trojan horse for Android devices that gives the attacker remote control of the compromised device to perform malicious activity.
The tag is: misp-galaxy:android="Skullkey"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99 |
Smaato
Smaato is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Smaato"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052622-1755-99 |
Smbcheck
Smbcheck is a hacktool for Android devices that can trigger a Server Message Block version 2 (SMBv2) vulnerability and may cause the target computer to crash.
The tag is: misp-galaxy:android="Smbcheck"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-5634-99 |
Smsblocker
Smsblocker is a generic detection for threats on Android devices that block the transmission of SMS messages.
The tag is: misp-galaxy:android="Smsblocker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081607-4001-99 |
Smsbomber
Smsbomber is a program that can be used to send messages to contacts on the device.
The tag is: misp-galaxy:android="Smsbomber"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-112611-5837-99 |
Smslink
Smslink is a Trojan horse for Android devices that may send malicious SMS messages from the compromised device. It may also display advertisements.
The tag is: misp-galaxy:android="Smslink"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-112600-3035-99 |
Smspacem
Smspacem is a Trojan horse that may send SMS messages from Android devices.
The tag is: misp-galaxy:android="Smspacem"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-052310-1322-99 |
SMSReplicator
SMSReplicator is a spying utility that will secretly transmit incoming SMS messages to another phone of the installer’s choice.
The tag is: misp-galaxy:android="SMSReplicator"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2010-110214-1252-99 |
Smssniffer
Smssniffer is a Trojan horse that intercepts SMS messages on Android devices.
The tag is: misp-galaxy:android="Smssniffer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071108-3626-99 |
Smsstealer
Smsstealer is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Smsstealer"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121514-0214-99 |
Smstibook
Smstibook is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.
The tag is: misp-galaxy:android="Smstibook"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-051207-4833-99 |
Smszombie
Smszombie is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Smszombie"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082011-0922-99 |
Snadapps
Snadapps is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Snadapps"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071807-3111-99 |
Sockbot
Sockbot is a Trojan horse for Android devices that creates a SOCKS proxy on the compromised device.
The tag is: misp-galaxy:android="Sockbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2017-101314-1353-99 |
Sockrat
Sockrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Sockrat"
Sockrat has relationships with:
- similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99 |
Sofacy
Sofacy is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Sofacy"
Sofacy has relationships with:
- similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99 |
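The Rootnik, Sockrat and Sofacy entries above carry relationship lines that pair a target cluster tag with an estimative-language qualifier stating how confident the link is. The following Python is an added example, not code from the MISP project or from this page: it parses the MISP triple-tag syntax (namespace:predicate="value") and the relationship lines in the layout used here (with or without a leading bullet), builds a lookup index, and resolves which related tags an event's galaxy tags point to, keeping only relationships whose likelihood-probability meets a chosen minimum. The two-entry SAMPLE text is constructed from this page's Sockrat and Rootnik entries; the ordering of the likelihood-probability scale is assumed from the estimative-language taxonomy, since only "likely" occurs on this page.

```python
import re
from dataclasses import dataclass, field

# A MISP "triple" tag: namespace:predicate="value", e.g. misp-galaxy:android="Sockrat".
TAG_RE = re.compile(r'^(?P<namespace>[^:"]+):(?P<predicate>[^="]+)="(?P<value>[^"]*)"$')
# A relationship line as rendered on this page, with or without a leading "- ", e.g.
#   similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"
REL_RE = re.compile(r'^(?:-\s*)?(?P<type>[\w-]+):\s+(?P<target>[^:"]+:[^="]+="[^"]*")'
                    r'\s+with\s+(?P<qualifier>[^:"]+:[^="]+="[^"]*")\s*$')
TAG_PREFIX = "The tag is: "
# Ordered scale of the estimative-language likelihood-probability taxonomy (assumed
# ordering; only "likely" occurs on this page).
LIKELIHOOD = ["almost-no-chance", "very-unlikely", "unlikely", "roughly-even-chance",
              "likely", "very-likely", "almost-certain"]

@dataclass(frozen=True)
class MispTag:
    namespace: str
    predicate: str
    value: str

    def __str__(self) -> str:
        return f'{self.namespace}:{self.predicate}="{self.value}"'

@dataclass(frozen=True)
class Relationship:
    type: str           # e.g. "similar"
    target: MispTag     # the related cluster
    qualifier: MispTag  # estimative-language tag stating the analyst's confidence

@dataclass
class Cluster:
    tag: MispTag
    description: str
    related: list = field(default_factory=list)

def parse_tag(tag: str) -> MispTag:
    """Parse namespace:predicate="value"; reject anything that is not a triple tag."""
    m = TAG_RE.match(tag.strip())
    if m is None:
        raise ValueError(f"not a MISP triple tag: {tag!r}")
    return MispTag(m["namespace"], m["predicate"], m["value"])

def parse_clusters(text: str) -> dict:
    """Build {MispTag: Cluster} from galaxy entries laid out as on this page."""
    index, current, prev = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(TAG_PREFIX):
            # The one-line description immediately precedes the "The tag is:" line.
            current = Cluster(tag=parse_tag(line[len(TAG_PREFIX):]), description=prev)
            index[current.tag] = current
        elif current is not None and (m := REL_RE.match(line)):
            current.related.append(
                Relationship(m["type"], parse_tag(m["target"]), parse_tag(m["qualifier"])))
        prev = line
    return index

def pivots(index: dict, event_tags, min_likelihood: str = "likely") -> list:
    """Tags the event's galaxy tags point to, keeping only relationships whose
    estimative-language qualifier is at least min_likelihood on the LIKELIHOOD scale."""
    threshold = LIKELIHOOD.index(min_likelihood)
    out = set()
    for raw in event_tags:
        cluster = index.get(parse_tag(raw))
        if cluster is None:
            continue  # tag from another galaxy, or a cluster without relationships
        for rel in cluster.related:
            q = rel.qualifier
            if (q.namespace, q.predicate) != ("estimative-language", "likelihood-probability"):
                continue  # an unqualified or differently qualified relationship is not trusted
            if q.value in LIKELIHOOD and LIKELIHOOD.index(q.value) >= threshold:
                out.add(str(rel.target))
    return sorted(out)

# Constructed sample: two entries from this page; Sockrat uses "- similar:" bullets,
# Rootnik the bare "-" line followed by "similar:", so both layouts are exercised.
SAMPLE = """\
Sockrat
Sockrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Sockrat"
Sockrat has relationships with:
- similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99 |
Rootnik
Rootnik is a Trojan horse for Android devices that steals information and downloads additional apps.
The tag is: misp-galaxy:android="Rootnik"
Rootnik has relationships with:
-
similar: misp-galaxy:malpedia="Rootnik" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99 |
"""
```

Calling `pivots(parse_clusters(SAMPLE), ['misp-galaxy:android="Sockrat"', 'misp-galaxy:android="Obad"'])` yields the two Adwind tags; Obad is in the index only if its entry is in the text, and here it is silently skipped. Raising the threshold to "very-likely" returns nothing, because every relationship on this page is qualified only as "likely". Tags that are not triples (such as a bare TLP tag) are rejected up front rather than being treated as galaxy tags.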
Sosceo
Sosceo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Sosceo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040408-0609-99 |
Spitmo
Spitmo is a Trojan horse that steals information from Android devices.
The tag is: misp-galaxy:android="Spitmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-091407-1435-99 |
Spitmo.B
Spitmo.B is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Spitmo.B"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-0445-99 |
Spyagent
Spyagent is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.
The tag is: misp-galaxy:android="Spyagent"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090710-1836-99 |
Spybubble
Spybubble is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.
The tag is: misp-galaxy:android="Spybubble"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121917-0335-99 |
Spydafon
Spydafon is a Potentially Unwanted Application for Android devices that monitors the affected device.
The tag is: misp-galaxy:android="Spydafon"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030722-4740-99 |
Spymple
Spymple is a spyware application for Android devices that allows the device it is installed on to be monitored.
The tag is: misp-galaxy:android="Spymple"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-5403-99 |
Spyoo
Spyoo is a spyware program for Android devices that records and sends certain information to a remote location.
The tag is: misp-galaxy:android="Spyoo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081709-0457-99 |
Spytekcell
Spytekcell is a spyware program for Android devices that monitors and sends certain information to a remote location.
The tag is: misp-galaxy:android="Spytekcell"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121021-0730-99 |
Spytrack
Spytrack is a spyware program for Android devices that periodically sends certain information to a remote location.
The tag is: misp-galaxy:android="Spytrack"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080109-5710-99 |
Spywaller
Spywaller is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Spywaller"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2015-121807-0203-99 |
Stealthgenie
Stealthgenie is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Stealthgenie"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99 |
Steek
Steek is a potentially unwanted application that is placed on a download website for Android applications and disguised as popular applications.
The tag is: misp-galaxy:android="Steek"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-010911-3142-99 |
Stels
Stels is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Stels"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-032910-0254-99 |
Stiniter
Stiniter is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.
The tag is: misp-galaxy:android="Stiniter"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-030903-5228-99 |
Sumzand
Sumzand is a Trojan horse for Android devices that steals information and sends it to a remote location.
The tag is: misp-galaxy:android="Sumzand"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080308-2851-99 |
Sysecsms
Sysecsms is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Sysecsms"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-122714-5228-99 |
Tanci
Tanci is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Tanci"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4108-99 |
Tapjoy
Tapjoy is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Tapjoy"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-4702-99 |
Tapsnake
Tapsnake is a Trojan horse for Android phones that is embedded into a game. It tracks the phone’s location and posts it to a remote web service.
The tag is: misp-galaxy:android="Tapsnake"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2010-081214-2657-99 |
Tascudap
Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks.
The tag is: misp-galaxy:android="Tascudap"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-121312-4547-99 |
Teelog
Teelog is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Teelog"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040215-2736-99 |
Temai
Temai is a Trojan horse for Android applications that opens a back door and downloads malicious files onto the compromised device.
The tag is: misp-galaxy:android="Temai"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99 |
Tetus
Tetus is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Tetus"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-012409-4705-99 |
Tgpush
Tgpush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Tgpush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032816-0259-99 |
Tigerbot
Tigerbot is a Trojan horse for Android devices that opens a back door on the compromised device.
The tag is: misp-galaxy:android="Tigerbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041010-2221-99 |
Tonclank
Tonclank is a Trojan horse that steals information and may open a back door on Android devices.
The tag is: misp-galaxy:android="Tonclank"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99 |
Trogle
Trogle is a worm for Android devices that may steal information from the compromised device.
The tag is: misp-galaxy:android="Trogle"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-081213-5553-99 |
Twikabot
Twikabot is a Trojan horse for Android devices that attempts to steal information.
The tag is: misp-galaxy:android="Twikabot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062614-5813-99 |
Uapush
Uapush is a Trojan horse for Android devices that steals information from the compromised device. It may also display advertisements and send SMS messages from the compromised device.
The tag is: misp-galaxy:android="Uapush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040114-2910-99 |
Umeng
Umeng is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Umeng"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5749-99 |
Updtbot
Updtbot is a Trojan horse for Android devices that may arrive through SMS messages. It may then open a back door on the compromised device.
The tag is: misp-galaxy:android="Updtbot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041611-4136-99 |
Upush
Upush is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Upush"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-0733-99 |
Uracto
Uracto is a Trojan horse for Android devices that steals personal information and sends spam SMS messages to contacts found on the compromised device.
The tag is: misp-galaxy:android="Uracto"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-031805-2722-99 |
Uranico
Uranico is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Uranico"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-052803-3835-99 |
Usbcleaver
Usbcleaver is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Usbcleaver"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99 |
Utchi
Utchi is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Utchi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-2536-99 |
Uten
Uten is a Trojan horse for Android devices that may send, block, and delete SMS messages on a compromised device. It may also download and install additional applications and attempt to gain root privileges.
The tag is: misp-galaxy:android="Uten"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-092316-4752-99 |
Uupay
Uupay is a Trojan horse for Android devices that steals information from the compromised device. It may also download additional malware.
The tag is: misp-galaxy:android="Uupay"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061714-1550-99 |
Uxipp
Uxipp is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.
The tag is: misp-galaxy:android="Uxipp"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99 |
Vdloader
Vdloader is a Trojan horse for Android devices that opens a back door on the compromised device and steals confidential information.
The tag is: misp-galaxy:android="Vdloader"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080209-1420-99 |
VDopia
VDopia is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="VDopia"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-1559-99 |
Virusshield
Virusshield is a Trojan horse for Android devices that claims to scan apps and protect personal information, but has no real functionality.
The tag is: misp-galaxy:android="Virusshield"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040810-5457-99 |
VServ
VServ is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="VServ"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-3117-99 |
Walkinwat
Walkinwat is a Trojan horse that steals information from the compromised device.
The tag is: misp-galaxy:android="Walkinwat"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-033008-4831-99 |
Waps
Waps is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Waps"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040406-5437-99 |
Waren
Waren is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Waren"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5501-99 |
Windseeker
Windseeker is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Windseeker"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101519-0720-99 |
Wiyun
Wiyun is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Wiyun"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-5646-99 |
Wooboo
Wooboo is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Wooboo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-5829-99 |
Wqmobile
Wqmobile is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Wqmobile"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4926-99 |
YahooAds
YahooAds is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="YahooAds"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-3229-99 |
Yatoot
Yatoot is a Trojan horse for Android devices that steals information from the compromised device.
The tag is: misp-galaxy:android="Yatoot"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-031408-4748-99 |
Yinhan
Yinhan is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Yinhan"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-3350-99 |
Youmi
Youmi is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="Youmi"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4318-99 |
YuMe
YuMe is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="YuMe"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-0322-99 |
Zeahache
Zeahache is a Trojan horse that elevates privileges on the compromised device.
The tag is: misp-galaxy:android="Zeahache"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2011-032309-5042-99 |
ZertSecurity
ZertSecurity is a Trojan horse for Android devices that steals information and sends it to a remote attacker.
The tag is: misp-galaxy:android="ZertSecurity"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2013-050820-4100-99 |
ZestAdz
ZestAdz is an advertisement library that is bundled with certain Android applications.
The tag is: misp-galaxy:android="ZestAdz"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052616-3821-99 |
Zeusmitmo
Zeusmitmo is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.
The tag is: misp-galaxy:android="Zeusmitmo"
Links |
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99 |
SLocker
The SLocker family is one of the oldest mobile lock-screen and file-encrypting ransomware families; it impersonated law enforcement agencies to convince victims to pay the ransom.
The tag is: misp-galaxy:android="SLocker"
SLocker is also known as:
-
SMSLocker
Links |
http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/ |
Loapi
A malware strain known as Loapi will damage phones if users don’t remove it from their devices. Left to its own means, this modular threat will download a Monero cryptocurrency miner that will overheat and overwork the phone’s components, which will make the battery bulge, deform the phone’s cover, or even worse. Discovered by Kaspersky Labs, researchers say Loapi appears to have evolved from Podec, a malware strain spotted in 2015.
The tag is: misp-galaxy:android="Loapi"
Links |
Podec
Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015. The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.
The tag is: misp-galaxy:android="Podec"
Links |
Chamois
Chamois is one of the largest PHA families in Android to date and is distributed through multiple channels. While much of the backdoor version of this family was cleaned up in 2016, a new variant emerged in 2017. To avoid detection, this version employs a number of techniques, such as implementing custom code obfuscation, preventing user notifications, and not appearing in the device’s app list. Chamois apps, which in many cases come preloaded with the system image, try to trick users into clicking ads by displaying deceptive graphics to commit WAP or SMS fraud.
The tag is: misp-galaxy:android="Chamois"
IcicleGum
IcicleGum is a spyware PHA family whose apps rely on versions of the Igexin ads SDK that offer dynamic code-loading support. IcicleGum apps use this library’s code-loading features to fetch encrypted DEX files over HTTP from command-and-control servers. The files are then decrypted and loaded via class reflection to read and send phone call logs and other data to remote locations.
The tag is: misp-galaxy:android="IcicleGum"
IcicleGum has relationships with:
-
similar: misp-galaxy:android="Igexin" with estimative-language:likelihood-probability="likely"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
BreadSMS
BreadSMS is a large SMS-fraud PHA family that we started tracking at the beginning of 2017. These apps compose and send text messages to premium numbers without the user’s consent. In some cases, BreadSMS apps also implement subscription-based SMS fraud and silently enroll users in services provided by their mobile carriers. These apps are linked to a group of command-and-control servers whose IP addresses change frequently and that are used to provide the apps with premium SMS numbers and message text.
The tag is: misp-galaxy:android="BreadSMS"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
JamSkunk
JamSkunk is a toll-fraud PHA family composed of apps that subscribe users to services without their consent. These apps disable Wi-Fi to force traffic to go through the user's mobile data connection and then contact command-and-control servers to dynamically fetch code that tries to bypass the network's WAP service subscription verification steps. This type of PHA monetizes its abuse via WAP billing, a payment method that works through mobile data connections and allows users to easily sign up and pay for new services using their existing account (i.e., services are billed directly by the carrier, not the service provider; the user does not need a new account or a different form of payment). Once authentication is bypassed, JamSkunk apps enroll the device in services that the user may not notice until they receive and read their next bill.
The tag is: misp-galaxy:android="JamSkunk"
Expensive Wall
Expensive Wall is a family of SMS-fraud apps that affected a large number of devices in 2017. Expensive Wall apps use code obfuscation to slow down analysis and evade detection, and rely on the JS2Java bridge to allow JavaScript code loaded inside a Webview to call Java methods the way Java apps directly do. Upon launch, Expensive Wall apps connect to command-and-control servers to fetch a domain name. This domain is then contacted via a Webview instance that loads a webpage and executes JavaScript code that calls Java methods to compose and send premium SMS messages or click ads without users' knowledge.
The tag is: misp-galaxy:android="Expensive Wall"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
BambaPurple
BambaPurple is a two-stage toll-fraud PHA family that tries to trick users into installing it by disguising itself as a popular app. After install, the app disables Wi-Fi to force the device to use its 3G connection, then redirects to subscription pages without the user’s knowledge, clicks subscription buttons using downloaded JavaScript, and intercepts incoming subscription SMS messages to prevent the user from unsubscribing. In a second stage, BambaPurple installs a backdoor app that requests device admin privileges and drops a .dex file. This executable checks to make sure it is not being debugged, downloads even more apps without user consent, and displays ads.
The tag is: misp-galaxy:android="BambaPurple"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
KoreFrog
KoreFrog is a family of trojan apps that request permission to install packages and push other apps onto the device as system apps without the user’s authorization. System apps can be disabled by the user, but cannot be easily uninstalled. KoreFrog apps operate as daemons running in the background that try to impersonate Google and other system apps by using misleading names and icons to avoid detection. The KoreFrog PHA family has also been observed to serve ads, in addition to apps.
The tag is: misp-galaxy:android="KoreFrog"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
Gaiaphish
Gaiaphish is a large family of trojan apps that target authentication tokens stored on the device to abuse the user's privileges for various purposes. These apps use base64-encoded URL strings to avoid detection of the command-and-control servers they rely on to download APK files. These files contain phishing apps that try to steal GAIA authentication tokens that grant the user permissions to access Google services, such as Google Play, Google+, and YouTube. With these tokens, Gaiaphish apps are able to generate spam and automatically post content (for instance, fake app ratings and comments on Google Play app pages).
The tag is: misp-galaxy:android="Gaiaphish"
Links |
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf |
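The base64-wrapped command-and-control URLs described above are a common evasion in this family and many others. The following Python snippet is an added example, not code from the galaxy or from Google's report; it shows how an analyst can recover such URLs from the string table of a decompiled APK by scanning for base64-alphabet runs, decoding each candidate, and keeping only those that decode to an http(s) URL. The sample strings are constructed for the example, and the encoded values point at reserved example.invalid hosts, not at real Gaiaphish infrastructure.

```python
import base64
import re

# Constructed sample of strings as they might be pulled from a decompiled APK
# (hypothetical values; not real Gaiaphish indicators).
SAMPLE_STRINGS = [
    "Landroid/content/Context;",
    "aHR0cDovL2V4YW1wbGUuaW52YWxpZC9hcGkvdXBkYXRlLmFwaw==",  # http://example.invalid/api/update.apk
    "getSystemService",
    "SGVsbG8gV29ybGQ=",                                        # base64, but not a URL
    "cfg=aHR0cHM6Ly9jMi5leGFtcGxlLmludmFsaWQvZ2V0",            # https://c2.example.invalid/get inside a larger string
]

# Runs of base64 alphabet long enough to hold a scheme plus a host; shorter
# runs produce too many false candidates to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_if_url(token):
    """Return the decoded text if `token` is valid base64 for an http(s) URL, else None."""
    padded = token + "=" * (-len(token) % 4)  # tolerate padding stripped by the author
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.startswith(("http://", "https://")) else None


def find_encoded_urls(strings):
    """Return (encoded_token, decoded_url) pairs for every base64-wrapped URL found."""
    found = []
    for s in strings:
        for match in B64_TOKEN.finditer(s):
            url = decode_if_url(match.group(0))
            if url is not None:
                found.append((match.group(0), url))
    return found


if __name__ == "__main__":
    for token, url in find_encoded_urls(SAMPLE_STRINGS):
        print(f"{token} -> {url}")
```

Run it over the output of `strings` on the classes.dex, or over the string constants a decompiler emits; legitimate base64 (the "Hello World" line above) decodes but is discarded because it carries no URL scheme, which keeps the candidate list short.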
RedDrop
RedDrop can perform a vast array of malicious actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive.
The tag is: misp-galaxy:android="RedDrop"
Links |
https://www.bleepingcomputer.com/news/security/new-reddrop-android-spyware-records-nearby-audio/ |
HenBox
HenBox apps masquerade as other apps such as VPN apps and Android system apps; some carry legitimate versions of other apps which they drop and install as a decoy technique. While some of the legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores. HenBox apps appear to primarily target the Uyghurs, a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015, including PlugX, Zupdax, 9002, and Poison Ivy. HenBox apps target devices made by the Chinese consumer electronics manufacturer Xiaomi and those running MIUI, Xiaomi's operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps; HenBox, however, sets itself up to trigger on alerts from Xiaomi smart-home IoT devices and, once activated, proceeds to steal information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.
The tag is: misp-galaxy:android="HenBox"
Links |
https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/ |
MysteryBot
Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.
The tag is: misp-galaxy:android="MysteryBot"
MysteryBot has relationships with:
-
similar: misp-galaxy:malpedia="MysteryBot" with estimative-language:likelihood-probability="likely"
Links |
Skygofree
At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals. We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy. Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild. We named the malware Skygofree, because we found the word in one of the domains.
The tag is: misp-galaxy:android="Skygofree"
Skygofree has relationships with:
-
similar: misp-galaxy:malpedia="Skygofree" with estimative-language:likelihood-probability="likely"
Links |
https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/ |
BusyGasper
A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.
The tag is: misp-galaxy:android="BusyGasper"
Links |
Triout
Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.
The tag is: misp-galaxy:android="Triout"
Links |
AndroidOS_HidenAd
AndroidOS_HidenAd is an active adware family (detected by Trend Micro as AndroidOS_HidenAd) that was disguised as 85 game, TV, and remote control simulator apps on the Google Play store.
The tag is: misp-galaxy:android="AndroidOS_HidenAd"
AndroidOS_HidenAd is also known as:
-
AndroidOS_HiddenAd
Links |
Razdel
The banking Trojan found in Google Play is identified as Razdel, a variant of the BankBot mobile banking Trojan. This newly observed variant has taken mobile threats to the next level by incorporating remote access Trojan functions, SMS interception, UI (user interface) overlays with masqueraded pages, and more.
The tag is: misp-galaxy:android="Razdel"
Links |
https://mobile.twitter.com/pr3wtd/status/1097477833625088000 |
Vulture
Vulture is an Android banking trojan found in Google Play by ThreatFabric. It uses screen recording and keylogging as its main strategy to harvest login credentials.
The tag is: misp-galaxy:android="Vulture"
Links |
Anubis
Starting in June 2018, a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t) were discovered. The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices. Anubis masquerades as Google Protect.
The tag is: misp-galaxy:android="Anubis"
Links |
GodFather
The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe. Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges. Few people realize that hiding under Godfather’s hood is an old banking Trojan called Anubis, whose functionality has become outdated due to Android updates and the efforts of malware detection and prevention providers. Group-IB first detected Godfather, a mobile banking Trojan that steals the banking and cryptocurrency exchange credentials of users, in June 2021. Almost a year later, in March 2022, researchers at Threat Fabric were the first to mention the banking Trojan publicly. A few months later, in June, the Trojan stopped being circulated. One of the reasons, Group-IB analysts believe, why Godfather was taken out of use was for developers to update the Trojan further. Sure enough, Godfather reappeared in September 2022, now with slightly modified WebSocket functionality.
The tag is: misp-galaxy:android="GodFather"
GodFather has relationships with:
-
successor-of: misp-galaxy:android="Anubis" with estimative-language:likelihood-probability="likely"
Links |
Azure Threat Research Matrix
The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.
Azure Threat Research Matrix is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
AlertIQ - Craig Fretwell - Dor Edry - Jonny Johnson - Karl Fosaaen - MITRE ATT&CK - Manuel Berrueta - Microsoft - Nestori Syynimaa - Nikhil Mittal - Ram Pliskin - Roberto Rodriguez - Ryan Cobb
AZT101 - Port Mapping
It is possible to view the open ports on a virtual machine by viewing the Network Security Group assigned to its Virtual Network Interface.
The tag is: misp-galaxy:atrm="AZT101 - Port Mapping"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT101/AZT101 |
AZT102 - IP Discovery
It is possible to view the IP address of a resource by viewing its Virtual Network Interface.
The tag is: misp-galaxy:atrm="AZT102 - IP Discovery"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT102/AZT102 |
AZT103 - Public Accessible Resource
A resource within Azure is accessible from the public internet.
The tag is: misp-galaxy:atrm="AZT103 - Public Accessible Resource"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT103/AZT103 |
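AZT101 and AZT103 come down to reading the Network Security Group attached to a NIC and recognising that it exposes a resource to the Internet. The NSG data plane evaluates inbound rules in ascending priority order and the first matching rule wins, so "is port X reachable from the Internet?" is answered by walking the rules in that order against an arbitrary external address. The Python below is an added example, not code from ATRM or from MISP, that does exactly that for a constructed rule set. The rule dictionaries mirror a subset of the securityRule properties the Azure API returns, the three default inbound rules Azure adds to every NSG are included by name, and the handling of the Internet, VirtualNetwork and AzureLoadBalancer service tags is a stated approximation.

```python
import ipaddress

# Constructed NSG rule set (hypothetical names and prefixes, not from any real
# tenant). Each entry keeps only the securityRule properties the check needs;
# the three default inbound rules Azure adds to every NSG are listed last.
SAMPLE_RULES = [
    {"name": "AllowSSHFromOffice", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "AllowHTTPS", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "DenySMB", "priority": 150, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "445"},
    {"name": "AllowRDPAny", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# An arbitrary non-private address standing in for "some host on the Internet".
PROBE_IP = "198.51.100.7"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _source_matches(prefix, src_ip):
    """Does this rule's source cover src_ip? Service tags are approximated (assumption):
    'Internet' is treated as everything outside RFC 1918 space, and the VNet and
    load balancer tags never cover an external address."""
    if prefix == "*":
        return True
    if prefix == "Internet":
        return not any(src_ip in net for net in RFC1918)
    if prefix in ("VirtualNetwork", "AzureLoadBalancer"):
        return False
    try:
        return src_ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # any other service tag: not an Internet source


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return int(port_range) == port


def decide_inbound(rules, src_ip, port, protocol="Tcp"):
    """First-match evaluation in ascending priority order, as the NSG data plane does.
    Returns (access, rule_name); with no matching rule the result is an implicit deny."""
    if isinstance(src_ip, str):
        src_ip = ipaddress.ip_address(src_ip)
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"), key=lambda r: r["priority"])
    for rule in inbound:
        if rule["protocol"] not in ("*", protocol):
            continue
        if not _source_matches(rule["sourceAddressPrefix"], src_ip):
            continue
        if not _port_matches(rule["destinationPortRange"], port):
            continue
        return rule["access"], rule["name"]
    return "Deny", "<implicit>"


def internet_exposed_ports(rules, ports, protocol="Tcp"):
    """Map each port reachable from PROBE_IP to the rule that allows it."""
    exposed = {}
    for port in ports:
        access, name = decide_inbound(rules, PROBE_IP, port, protocol)
        if access == "Allow":
            exposed[port] = name
    return exposed


if __name__ == "__main__":
    for port, rule in internet_exposed_ports(SAMPLE_RULES, [22, 443, 445, 3389, 8080]).items():
        print(f"tcp/{port} open to the Internet via rule {rule}")
```

On the constructed set the checker reports 443 (intended) and 3389 (the finding): the RDP rule uses source `*`, so the explicit deny for SMB at priority 150 does nothing for it, and nothing before priority 65500 blocks it. A real NSG also carries `destinationPortRanges` and `sourceAddressPrefixes` list forms and application security groups, which this example does not model.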
AZT104 - Gather User Information
An adversary may obtain information about a user within Azure Active Directory. Details may include email addresses, first/last names, job information, addresses, and assigned roles. By default, all users are able to read other users' roles and group memberships within AAD.
The tag is: misp-galaxy:atrm="AZT104 - Gather User Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT104/AZT104 |
AZT105 - Gather Application Information
An adversary may obtain information about an application within Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT105 - Gather Application Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT105/AZT105 |
AZT106 - Gather Role Information
An adversary may obtain information about a role within Azure Active Directory or within Azure Resource Manager.
The tag is: misp-galaxy:atrm="AZT106 - Gather Role Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106 |
AZT106.1 - Gather AAD Role Information
An adversary may gather role assignments within Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT106.1 - Gather AAD Role Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-1 |
AZT106.2 - Gather Application Role Information
An adversary may gather information about an application role and its member assignments within Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT106.2 - Gather Application Role Information"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-2 |
AZT106.3 - Gather Azure Resources Role Assignments
An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.
The tag is: misp-galaxy:atrm="AZT106.3 - Gather Azure Resources Role Assignments"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-3 |
AZT107 - Gather Resource Data
An adversary may obtain information and data within a resource.
The tag is: misp-galaxy:atrm="AZT107 - Gather Resource Data"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT107/AZT107 |
AZT108 - Gather Victim Data
An adversary may access a user’s personal data if their account is compromised. This includes data such as email, OneDrive, Teams, etc.
The tag is: misp-galaxy:atrm="AZT108 - Gather Victim Data"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT108/AZT108 |
AZT201 - Valid Credentials
Adversaries may log in to AzureAD using valid credentials. By logging in with valid credentials to an account or service principal, the adversary assumes all privileges of that account or service principal. If the account is privileged, this may lead to other tactics, such as persistence or privilege escalation.
The tag is: misp-galaxy:atrm="AZT201 - Valid Credentials"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201 |
AZT201.1 - User Account
By obtaining valid user credentials, an adversary may log in to AzureAD via the command line or through the Azure Portal.
The tag is: misp-galaxy:atrm="AZT201.1 - User Account"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-1 |
AZT201.2 - Service Principal
By obtaining a valid secret or certificate, an adversary may log in to AzureAD as the service principal via the command line.
The tag is: misp-galaxy:atrm="AZT201.2 - Service Principal"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-2 |
AZT202 - Password Spraying
An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.
The tag is: misp-galaxy:atrm="AZT202 - Password Spraying"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT202/AZT202 |
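Spraying has a distinctive shape in the sign-in log: one source address, many distinct accounts, one or two failures per account, then possibly a single success. The Python below is an added example, not part of the galaxy or of ATRM, that turns that shape into a detector over constructed sign-in records trimmed to the fields of an Azure AD sign-in event (userPrincipalName, ipAddress, createdDateTime, errorCode). The use of error code 50126 for a wrong password and the thresholds are assumptions to tune against your own tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# AADSTS50126 is the sign-in error Azure AD returns for an invalid username or
# password; the mapping is assumed here, so check it against your tenant's logs.
INVALID_PASSWORD = 50126


def _rec(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip, "errorCode": code}


# Constructed sign-in records (hypothetical users and addresses, not real telemetry).
# One source tries six accounts once each and gets one hit; a legitimate user then
# mistypes her own password three times from a different address.
SAMPLE_SIGNINS = [
    _rec("2023-05-01T08:00:05Z", "alice@contoso.example", "198.51.100.7", INVALID_PASSWORD),
    _rec("2023-05-01T08:00:31Z", "bob@contoso.example", "198.51.100.7", INVALID_PASSWORD),
    _rec("2023-05-01T08:01:02Z", "carol@contoso.example", "198.51.100.7", INVALID_PASSWORD),
    _rec("2023-05-01T08:01:33Z", "dave@contoso.example", "198.51.100.7", INVALID_PASSWORD),
    _rec("2023-05-01T08:02:04Z", "erin@contoso.example", "198.51.100.7", INVALID_PASSWORD),
    _rec("2023-05-01T08:02:40Z", "frank@contoso.example", "198.51.100.7", INVALID_PASSWORD),
    _rec("2023-05-01T08:03:10Z", "frank@contoso.example", "198.51.100.7", 0),  # the guess that worked
    _rec("2023-05-01T08:10:00Z", "alice@contoso.example", "203.0.113.20", INVALID_PASSWORD),
    _rec("2023-05-01T08:10:15Z", "alice@contoso.example", "203.0.113.20", INVALID_PASSWORD),
    _rec("2023-05-01T08:10:30Z", "alice@contoso.example", "203.0.113.20", INVALID_PASSWORD),
    _rec("2023-05-01T08:10:45Z", "alice@contoso.example", "203.0.113.20", 0),
]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(records, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Flag source addresses whose password failures inside one window touch at least
    min_users distinct accounts with no more than max_per_user tries each: the
    'one password, many users' shape that separates spraying from brute force."""
    failures = defaultdict(list)
    for r in records:
        if r["errorCode"] == INVALID_PASSWORD:
            failures[r["ipAddress"]].append((_ts(r), r["userPrincipalName"]))

    alerts = []
    for ip, events in failures.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):  # sliding window over this source's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, upn in events[start:end + 1]:
                per_user[upn] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best["users"]):
                    best = {"ip": ip, "users": sorted(per_user),
                            "first": events[start][0], "last": events[end][0]}
        if best:
            alerts.append(best)
    return alerts


def successes_after_spray(records, alerts):
    """Accounts that authenticated successfully from a spraying source once the spray
    had begun: the hits that need a password reset and session revocation first."""
    spray_start = {a["ip"]: a["first"] for a in alerts}
    return [r["userPrincipalName"] for r in records
            if r["errorCode"] == 0 and r["ipAddress"] in spray_start
            and _ts(r) >= spray_start[r["ipAddress"]]]


if __name__ == "__main__":
    found = detect_spray(SAMPLE_SIGNINS)
    for a in found:
        print(f"spray from {a['ip']}: {len(a['users'])} accounts between {a['first']} and {a['last']}")
    print("compromised:", successes_after_spray(SAMPLE_SIGNINS, found))
```

The per-user cap is what keeps alice's three typos from firing: brute force concentrates failures on one account, spraying spreads them thin. Real campaigns rotate source addresses, so in production the grouping key is usually a wider prefix or an ASN rather than a single IP.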
AZT203 - Malicious Application Consent
An adversary may lure a victim into granting a malicious application registered in AzureAD consent to access their account and data.
The tag is: misp-galaxy:atrm="AZT203 - Malicious Application Consent"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT203/AZT203 |
AZT301 - Virtual Machine Scripting
Adversaries with management-plane access to a virtual machine may execute scripts on it through various Azure features in order to gain access to the guest operating system.
The tag is: misp-galaxy:atrm="AZT301 - Virtual Machine Scripting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301 |
AZT301.1 - RunCommand
By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:
- Windows: PowerShell commands to the VM as SYSTEM.
- Linux: Shell commands to the VM as root.
The tag is: misp-galaxy:atrm="AZT301.1 - RunCommand"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-1 |
AZT301.2 - CustomScriptExtension
By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
The tag is: misp-galaxy:atrm="AZT301.2 - CustomScriptExtension"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-2 |
AZT301.3 - Desired State Configuration
By utilizing the 'Desired State Configuration' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.
The tag is: misp-galaxy:atrm="AZT301.3 - Desired State Configuration"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-3 |
AZT301.4 - Compute Gallery Application
By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.
The tag is: misp-galaxy:atrm="AZT301.4 - Compute Gallery Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-4 |
AZT301.5 - AKS Command Invoke
By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster's VM as SYSTEM.
The tag is: misp-galaxy:atrm="AZT301.5 - AKS Command Invoke"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-5 |
AZT301.6 - Vmss Run Command
By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on one or more VM instances as:
- Windows: PowerShell commands to the VM as SYSTEM.
- Linux: Shell commands to the VM as root.
The tag is: misp-galaxy:atrm="AZT301.6 - Vmss Run Command"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-6 |
AZT301.7 - Serial Console
By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.
The tag is: misp-galaxy:atrm="AZT301.7 - Serial Console"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-7 |
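All seven AZT301 sub-techniques are management-plane operations, so each leaves an Azure Activity Log record naming the caller, the operation and the target resource, which is where detection belongs rather than inside the guest. The Python below is an added example (not ATRM or MISP code) that maps constructed Activity Log records to the sub-techniques above and counts how many distinct machines each principal ran code on. The operation names are the ones the author believes Azure emits for these actions and are stated as assumptions; extension installs share one generic write operation, so the example falls back to a heuristic on the extension resource name and says so.

```python
import re

# Azure Activity Log operation names mapped to the AZT301 sub-techniques. These
# are the operation strings Azure emits for these actions to the best of the
# author's knowledge; treat them as assumptions and verify against your own logs.
OPERATION_TO_TECHNIQUE = {
    "Microsoft.Compute/virtualMachines/runCommand/action": "AZT301.1 - RunCommand",
    "Microsoft.ContainerService/managedClusters/runCommand/action": "AZT301.5 - AKS Command Invoke",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action": "AZT301.6 - Vmss Run Command",
    "Microsoft.SerialConsole/serialPorts/connect/action": "AZT301.7 - Serial Console",
}

# Extension installs all log as the same write; the extension resource name at the
# end of resourceId is what tells a script extension from, say, a monitoring agent.
# That name is chosen by whoever deploys it, so the authoritative field is the
# extension type in the request body; name matching is a first-pass heuristic only.
EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
EXTENSION_NAME_TO_TECHNIQUE = {
    "customscript": "AZT301.2 - CustomScriptExtension",
    "dsc": "AZT301.3 - Desired State Configuration",
}

TARGET_RE = re.compile(r"/(?:virtualMachines|virtualMachineScaleSets|managedClusters)/([^/]+)")


def _rec(ts, caller, op, resource_id):
    return {"eventTimestamp": ts, "caller": caller, "operationName": op,
            "resourceId": resource_id, "status": "Succeeded"}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers"

# Constructed Activity Log records (hypothetical callers and resources, not real telemetry).
SAMPLE_ACTIVITY = [
    _rec("2023-05-01T09:12:00Z", "svc-deploy@contoso.example",
         "Microsoft.Compute/virtualMachines/runCommand/action",
         f"{SUB}/Microsoft.Compute/virtualMachines/web01"),
    _rec("2023-05-01T09:15:00Z", "mallory@contoso.example", EXTENSION_WRITE,
         f"{SUB}/Microsoft.Compute/virtualMachines/web01/extensions/CustomScriptExtension"),
    _rec("2023-05-01T09:16:00Z", "svc-deploy@contoso.example", EXTENSION_WRITE,
         f"{SUB}/Microsoft.Compute/virtualMachines/web01/extensions/AzureMonitorWindowsAgent"),
    _rec("2023-05-01T09:20:00Z", "mallory@contoso.example",
         "Microsoft.ContainerService/managedClusters/runCommand/action",
         f"{SUB}/Microsoft.ContainerService/managedClusters/aks-prod"),
    _rec("2023-05-01T09:25:00Z", "mallory@contoso.example",
         "Microsoft.SerialConsole/serialPorts/connect/action",
         f"{SUB}/Microsoft.Compute/virtualMachines/db01/providers/Microsoft.SerialConsole/serialPorts/0"),
    _rec("2023-05-01T09:30:00Z", "svc-deploy@contoso.example",
         "Microsoft.Compute/virtualMachines/write",
         f"{SUB}/Microsoft.Compute/virtualMachines/web01"),
]


def classify(record):
    """Return the AZT301 sub-technique a record corresponds to, or None."""
    op = record["operationName"]
    if op in OPERATION_TO_TECHNIQUE:
        return OPERATION_TO_TECHNIQUE[op]
    if op == EXTENSION_WRITE:
        ext_name = record["resourceId"].rsplit("/", 1)[-1].lower()
        for needle, technique in EXTENSION_NAME_TO_TECHNIQUE.items():
            if needle in ext_name:
                return technique
    return None


def find_vm_scripting(records):
    """Records that ran code on a machine, each tagged with technique and target name."""
    hits = []
    for r in records:
        technique = classify(r)
        if technique is None:
            continue
        m = TARGET_RE.search(r["resourceId"])
        hits.append({"time": r["eventTimestamp"], "caller": r["caller"],
                     "technique": technique, "target": m.group(1) if m else r["resourceId"]})
    return hits


def targets_per_caller(hits):
    """Distinct machines each principal ran code on; one identity fanning out across
    many VMs in a short span is the pattern worth paging on."""
    seen = {}
    for h in hits:
        seen.setdefault(h["caller"], set()).add(h["target"])
    return {caller: len(targets) for caller, targets in seen.items()}


if __name__ == "__main__":
    found = find_vm_scripting(SAMPLE_ACTIVITY)
    for h in found:
        print(f"{h['time']} {h['caller']} {h['technique']} -> {h['target']}")
    print(targets_per_caller(found))
```

The generic `virtualMachines/write` and the monitoring-agent extension are ignored, so a deployment pipeline's routine writes do not drown the alert; the account that touched three different machines through three different execution paths in a quarter of an hour is the one to look at.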
AZT302 - Serverless Scripting
Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.
The tag is: misp-galaxy:atrm="AZT302 - Serverless Scripting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302 |
AZT302.1 - Automation Account Runbook Hybrid Worker Group
By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.
The tag is: misp-galaxy:atrm="AZT302.1 - Automation Account Runbook Hybrid Worker Group"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-1 |
AZT302.2 - Automation Account Runbook RunAs Account
By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that service principal has the correct role and privileges.
The tag is: misp-galaxy:atrm="AZT302.2 - Automation Account Runbook RunAs Account"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-2 |
AZT302.3 - Automation Account Runbook Managed Identity
By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand (AZT301.1) if that identity has the correct role and privileges.
The tag is: misp-galaxy:atrm="AZT302.3 - Automation Account Runbook Managed Identity"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-3 |
AZT302.4 - Function Application
By utilizing a Function Application, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT302.4 - Function Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-4 |
AZT303 - Managed Device Scripting
Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.
The tag is: misp-galaxy:atrm="AZT303 - Managed Device Scripting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT303/AZT303 |
AZT401 - Privileged Identity Management Role
An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).
The tag is: misp-galaxy:atrm="AZT401 - Privileged Identity Management Role"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401 |
AZT402 - Elevated Access Toggle
An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a Global Administrator, by toggling elevated access.
The tag is: misp-galaxy:atrm="AZT402 - Elevated Access Toggle"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT402/AZT402 |
AZT403 - Local Resource Hijack
By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges by injecting commands that will add an arbitrary user account to a desired role and scope.
The tag is: misp-galaxy:atrm="AZT403 - Local Resource Hijack"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT403/AZT403-1 |
AZT404 - Principal Impersonation
Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.
The tag is: misp-galaxy:atrm="AZT404 - Principal Impersonation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404 |
AZT404.1 - Function Application
By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.1 - Function Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-1 |
AZT404.2 - Logic Application
By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.2 - Logic Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-2 |
AZT404.3 - Automation Account
By utilizing an Automation Account configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.3 - Automation Account"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-3 |
AZT404.4 - App Service
By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.
The tag is: misp-galaxy:atrm="AZT404.4 - App Service"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-4 |
AZT405 - Azure AD Application
Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.
The tag is: misp-galaxy:atrm="AZT405 - Azure AD Application"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405 |
AZT405.1 - Application API Permissions
By compromising a user, a user in a group, or a service principal that holds an application role over an application, an attacker may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged application role assigned to it.
The tag is: misp-galaxy:atrm="AZT405.1 - Application API Permissions"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-1 |
AZT405.2 - Application Role
By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.
The tag is: misp-galaxy:atrm="AZT405.2 - Application Role"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-2 |
AZT405.3 - Application Registration Owner
By compromising an account that is an 'Owner' of an application configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials and logging in as the service principal.
The tag is: misp-galaxy:atrm="AZT405.3 - Application Registration Owner"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3 |
AZT501 - Account Manipulation
An adversary may manipulate an account to maintain access in an Azure tenant.
The tag is: misp-galaxy:atrm="AZT501 - Account Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501 |
AZT501.1 - User Account Manipulation
An adversary may manipulate a user account to maintain access in an Azure tenant.
The tag is: misp-galaxy:atrm="AZT501.1 - User Account Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-1 |
AZT501.2 - Service Principal Manipulation
An adversary may manipulate a service principal to maintain access in an Azure tenant.
The tag is: misp-galaxy:atrm="AZT501.2 - Service Principal Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2 |
AZT501.3 - Azure VM Local Administrator Manipulation
An adversary may manipulate the local admin account on an Azure VM.
The tag is: misp-galaxy:atrm="AZT501.3 - Azure VM Local Administrator Manipulation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-3 |
AZT502 - Account Creation
An adversary may create an account in Azure Active Directory.
The tag is: misp-galaxy:atrm="AZT502 - Account Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502 |
AZT502.1 - User Account Creation
An adversary may create an application & service principal in Azure Active Directory
The tag is: misp-galaxy:atrm="AZT502.1 - User Account Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-1 |
AZT502.2 - Service Principal Creation
An adversary may create an application & service principal in Azure Active Directory
The tag is: misp-galaxy:atrm="AZT502.2 - Service Principal Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-2 |
AZT502.3 - Guest Account Creation
An adversary may create a guest account in Azure Active Directory
The tag is: misp-galaxy:atrm="AZT502.3 - Guest Account Creation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-3 |
AZT503 - HTTP Trigger
Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.
The tag is: misp-galaxy:atrm="AZT503 - HTTP Trigger"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503 |
AZT503.1 - Logic Application HTTP Trigger
Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
The tag is: misp-galaxy:atrm="AZT503.1 - Logic Application HTTP Trigger"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-1 |
AZT503.2 - Function App HTTP Trigger
Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.
The tag is: misp-galaxy:atrm="AZT503.2 - Function App HTTP Trigger"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-2 |
AZT503.3 - Runbook Webhook
Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.
The tag is: misp-galaxy:atrm="AZT503.3 - Runbook Webhook"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3 |
AZT503.4 - WebJob
Adversaries may create a WebJob on an App Service, which allows arbitrary background tasks to be run on a set schedule.
The tag is: misp-galaxy:atrm="AZT503.4 - WebJob"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-4 |
AZT504 - Watcher Tasks
By configuring a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.
The tag is: misp-galaxy:atrm="AZT504 - Watcher Tasks"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT504/AZT504 |
AZT505 - Scheduled Jobs
Adversaries may create a schedule for a Runbook to run at a defined interval.
The tag is: misp-galaxy:atrm="AZT505 - Scheduled Jobs"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT505/AZT505-1 |
AZT506 - Network Security Group Modification
Adversaries can modify the rules in a Network Security Group to establish access over additional ports.
The tag is: misp-galaxy:atrm="AZT506 - Network Security Group Modification"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT506/AZT506 |
AZT507 - External Entity Access
Adversaries may configure the target Azure tenant to be managed by another, external tenant, or its users.
The tag is: misp-galaxy:atrm="AZT507 - External Entity Access"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507 |
AZT507.1 - Azure Lighthouse
Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant
The tag is: misp-galaxy:atrm="AZT507.1 - Azure Lighthouse"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-1 |
AZT507.2 - Microsoft Partners
Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.
The tag is: misp-galaxy:atrm="AZT507.2 - Microsoft Partners"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-2 |
AZT507.3 - Subscription Hijack
An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account setup by the target and the target tenant administrators will no longer have control over the subscription.
The tag is: misp-galaxy:atrm="AZT507.3 - Subscription Hijack"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-3 |
AZT507.4 - Domain Trust Modification
An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.
The tag is: misp-galaxy:atrm="AZT507.4 - Domain Trust Modification"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-4 |
AZT508 - Azure Policy
By configuring a policy with the 'DeployIfNotExists' definition, an adversary may establish persistence by creating a backdoor when the policy is triggered.
The tag is: misp-galaxy:atrm="AZT508 - Azure Policy"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT508/AZT508 |
AZT601 - Steal Managed Identity JsonWebToken
An adversary may utilize the resource’s functionality to obtain a JWT for the applied Managed Identity Service Principal account.
The tag is: misp-galaxy:atrm="AZT601 - Steal Managed Identity JsonWebToken"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601 |
AZT601.1 - Virtual Machine IMDS Request
By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.
The tag is: misp-galaxy:atrm="AZT601.1 - Virtual Machine IMDS Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-1 |
AZT601.2 - Azure Kubernetes Service IMDS Request
By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.
The tag is: misp-galaxy:atrm="AZT601.2 - Azure Kubernetes Service IMDS Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-2 |
AZT601.3 - Logic Application JWT PUT Request
If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity’s JWT.
The tag is: misp-galaxy:atrm="AZT601.3 - Logic Application JWT PUT Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-3 |
AZT601.4 - Function Application JWT GET Request
If a Function App is using a Managed Identity, an adversary can modify the logic to respond to an HTTP GET request by revealing the Managed Identity’s JWT.
The tag is: misp-galaxy:atrm="AZT601.4 - Function Application JWT GET Request"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-4 |
AZT601.5 - Automation Account Runbook
If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity’s JWT.
The tag is: misp-galaxy:atrm="AZT601.5 - Automation Account Runbook"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-5 |
AZT602 - Steal Service Principal Certificate
If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.
The tag is: misp-galaxy:atrm="AZT602 - Steal Service Principal Certificate"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT602/AZT602-1 |
AZT603 - Service Principal Secret Reveal
If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal’s secret in plain text.
The tag is: misp-galaxy:atrm="AZT603 - Service Principal Secret Reveal"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT603/AZT603-1 |
AZT604 - Azure KeyVault Dumping
An adversary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.
The tag is: misp-galaxy:atrm="AZT604 - Azure KeyVault Dumping"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604 |
AZT604.1 - Azure KeyVault Secret Dump
By accessing an Azure Key Vault, an adversary may dump any or all secrets.
The tag is: misp-galaxy:atrm="AZT604.1 - Azure KeyVault Secret Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-1 |
AZT604.2 - Azure KeyVault Certificate Dump
By accessing an Azure Key Vault, an adversary may dump any or all certificates.
The tag is: misp-galaxy:atrm="AZT604.2 - Azure KeyVault Certificate Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-2 |
AZT604.3 - Azure KeyVault Key Dump
By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that Private keys cannot be retrieved.
The tag is: misp-galaxy:atrm="AZT604.3 - Azure KeyVault Key Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-3 |
AZT605 - Resource Secret Reveal
An adversary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.
The tag is: misp-galaxy:atrm="AZT605 - Resource Secret Reveal"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605 |
AZT605.1 - Storage Account Access Key Dumping
By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.
The tag is: misp-galaxy:atrm="AZT605.1 - Storage Account Access Key Dumping"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-1 |
AZT605.2 - Automation Account Credential Secret Dump
By editing a Runbook, a credential configured in an Automation Account may be revealed.
The tag is: misp-galaxy:atrm="AZT605.2 - Automation Account Credential Secret Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-2 |
AZT605.3 - Resource Group Deployment History Secret Dump
By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.
The tag is: misp-galaxy:atrm="AZT605.3 - Resource Group Deployment History Secret Dump"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-3 |
AZT701 - SAS URI Generation
By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.
The tag is: misp-galaxy:atrm="AZT701 - SAS URI Generation"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701 |
AZT701.1 - VM Disk SAS URI
An adversary may create an SAS URI to download the disk attached to a virtual machine.
The tag is: misp-galaxy:atrm="AZT701.1 - VM Disk SAS URI"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-1 |
AZT701.2 - Storage Account File Share SAS
By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.
The tag is: misp-galaxy:atrm="AZT701.2 - Storage Account File Share SAS"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT701/AZT701-2 |
AZT702 - File Share Mounting
An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.
The tag is: misp-galaxy:atrm="AZT702 - File Share Mounting"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT702/AZT702-1 |
AZT703 - Replication
The tag is: misp-galaxy:atrm="AZT703 - Replication"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT703/AZT703-1 |
AZT704 - Soft-Delete Recovery
An adversary may leverage resources found in a 'soft deletion' state, restore them and advance their attack by retrieving contents that were meant to be deleted.
The tag is: misp-galaxy:atrm="AZT704 - Soft-Delete Recovery"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704 |
AZT704.1 - Key Vault
An adversary may recover a key vault object found in a 'soft deletion' state.
The tag is: misp-galaxy:atrm="AZT704.1 - Key Vault"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-1 |
AZT704.2 - Storage Account Object
An adversary may recover a storage account object found in a 'soft deletion' state.
The tag is: misp-galaxy:atrm="AZT704.2 - Storage Account Object"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-2 |
AZT704.3 - Recovery Services Vault
An adversary may recover a virtual machine object found in a 'soft deletion' state.
The tag is: misp-galaxy:atrm="AZT704.3 - Recovery Services Vault"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3 |
AZT705 - Azure Backup Delete
An adversary may recover a virtual machine object found in a 'soft deletion' state.
The tag is: misp-galaxy:atrm="AZT705 - Azure Backup Delete"
Links |
https://microsoft.github.io/Azure-Threat-Research-Matrix/Impact/AZT704/AZT704-3 |
attck4fraud
attck4fraud - Principles of MITRE ATT&CK in the fraud domain.
attck4fraud is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Francesco Bigarella - Christophe Vandeplas
Phishing
In the context of ATT&CK for Fraud, phishing is described as the sending of fraudulent emails to a large audience in order to obtain sensitive information (PII, credentials, payment information). Phishing is never targeted to a specific individual or organisation. Phishing tries to create a sense of urgency or curiosity in order to capture the victim.
The tag is: misp-galaxy:financial-fraud="Phishing"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Spear phishing
Spear phishing is the use of targeted emails to gain the trust of the target with the goal of committing fraud. Spear phishing messages are generally specific to the target and show an understanding of the target’s organisation structure, supply chain or business.
The tag is: misp-galaxy:financial-fraud="Spear phishing"
Spear phishing is also known as:
-
Spear-phishing
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
ATM skimming
ATM Skimming refers to the act of capturing the data stored on a bank card (tracks) and the Personal Identification Number (PIN) associated with that card. Upon obtaining the data, the criminal proceeds to encode the same information onto a new card and uses it in combination with the PIN to perform illicit cash withdrawals. ATM Skimming is often achieved with a combination of a skimmer device for the card and a camera to capture the PIN.
The tag is: misp-galaxy:financial-fraud="ATM skimming"
ATM skimming is also known as:
-
Skimming - CPP ATM
ATM cash trapping
Trapping the cash dispenser with a physical component. Type 1 traps are visible to the user, while type 2 traps are hidden inside the cash dispenser.
The tag is: misp-galaxy:financial-fraud="ATM cash trapping"
ATM cash trapping is also known as:
-
Cash Trapping
Links |
https://medium.com/@netsentries/beware-of-atm-cash-trapping-9421e498dfcf |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
ATM Shimming
ATM Shimming refers to the act of capturing bank card data by accessing the EMV chip on the card while the card is presented to an ATM. Due to their low profile, shimmers can be fitted inside ATM card readers and are therefore more difficult to detect.
The tag is: misp-galaxy:financial-fraud="ATM Shimming"
Vishing
Vishing, also known as voice phishing, is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward. It is also employed by attackers for reconnaissance purposes to gather more detailed intelligence on a target organisation.
The tag is: misp-galaxy:financial-fraud="Vishing"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
POS Skimming
CPP analysis identifies the likely merchant, POS or ATM location from where card numbers were stolen so that banks can mitigate fraud on other compromised cards.
The tag is: misp-galaxy:financial-fraud="POS Skimming"
POS Skimming is also known as:
-
Skimming - CPP POS
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Malware
Software which is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.
The tag is: misp-galaxy:financial-fraud="Malware"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Account-Checking Services
Account-Checking Services
The tag is: misp-galaxy:financial-fraud="Account-Checking Services"
ATM Black Box Attack
Type of Jackpotting attack. Connection of an unauthorized device which sends dispense commands directly to the ATM cash dispenser in order to “cash out” the ATM.
The tag is: misp-galaxy:financial-fraud="ATM Black Box Attack"
ATM Black Box Attack is also known as:
-
Black Box Attack
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Investment Fraud
A deceptive practice in the stock or commodities markets that induces investors to make purchase or sale decisions on the basis of false information, frequently resulting in losses, in violation of securities laws.
The tag is: misp-galaxy:financial-fraud="Investment Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Romance Scam
Romance scam is a confidence trick involving feigning romantic intentions towards a victim, gaining their affection, and then using that goodwill to commit fraud. Fraudulent acts may involve access to the victim’s money, bank accounts, credit cards, passports, e-mail accounts, or national identification numbers; or forcing the victims to commit financial fraud on their behalf.
The tag is: misp-galaxy:financial-fraud="Romance Scam"
Romance Scam is also known as:
-
Romance Fraud
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Buying/Renting Fraud
Buying/Renting Fraud
The tag is: misp-galaxy:financial-fraud="Buying/Renting Fraud"
Fake Invoice Fraud
Invoice fraud happens when a company or organisation is tricked into changing bank account payee details for a payment. Criminals pose as regular suppliers to the company or organisation and will make a formal request for bank account details to be changed or emit false invoices.
The tag is: misp-galaxy:financial-fraud="Fake Invoice Fraud"
Fake Invoice Fraud is also known as:
-
Invoice Fraud
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Business Email Compromise
Business Email Compromise
The tag is: misp-galaxy:financial-fraud="Business Email Compromise"
Compromised Payment Cards
The loss of or theft of a card, which is subsequently used for illegal purposes until blocked by the card issuer.
The tag is: misp-galaxy:financial-fraud="Compromised Payment Cards"
Compromised Payment Cards is also known as:
-
Lost/Stolen Card
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Compromised Account Credentials
Account takeover fraud is a form of identity theft in which the fraudster gets access to a victim’s bank or credit card accounts — through a data breach, malware or phishing — and uses them to make unauthorised transactions.
The tag is: misp-galaxy:financial-fraud="Compromised Account Credentials"
Compromised Account Credentials is also known as:
-
Account Takeover Fraud
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Compromised Personally Identifiable Information (PII)
Compromised Personally Identifiable Information (PII)
The tag is: misp-galaxy:financial-fraud="Compromised Personally Identifiable Information (PII)"
Compromised Intellectual Property (IP)
Compromised Intellectual Property (IP)
The tag is: misp-galaxy:financial-fraud="Compromised Intellectual Property (IP)"
Cryptocurrency Exchange
Cryptocurrency Exchange
The tag is: misp-galaxy:financial-fraud="Cryptocurrency Exchange"
ATM Explosive Attack
ATM Explosive Attack
The tag is: misp-galaxy:financial-fraud="ATM Explosive Attack"
CNP – Card Not Present
A card not present transaction (CNP, MO/TO, Mail Order / Telephone Order, MOTOEC) is a payment card transaction made where the cardholder does not or cannot physically present the card for a merchant’s visual examination at the time that an order is given and payment effected.
The tag is: misp-galaxy:financial-fraud="CNP – Card Not Present"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
CP – Card Present
A card present transaction occurs when a cardholder physically presents a card to request and authorise a financial transaction.
The tag is: misp-galaxy:financial-fraud="CP – Card Present"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Merchant Fraud
Fraud that occurs when a merchant account is used without the intention of operating a legitimate business transaction.
The tag is: misp-galaxy:financial-fraud="Merchant Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Virtual Currency Fraud
Fraud that involves virtual currency, or virtual money, which is a type of unregulated, digital money, issued and usually controlled by its developers and used and accepted among the members of a specific virtual community.
The tag is: misp-galaxy:financial-fraud="Virtual Currency Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Cheque Fraud
A category of criminal acts that involve the unlawful use of cheques in order to illegally acquire or borrow funds that do not exist within the account balance or the account-holder’s legal ownership. Most methods involve taking advantage of the time between the negotiation of the cheque and its clearance at the cheque writer’s financial institution to draw out these funds.
The tag is: misp-galaxy:financial-fraud="Cheque Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Digital Fraud
Fraud perpetrated via omni-channel means against digital banking or payment channels such as home banking or other electronic services.
The tag is: misp-galaxy:financial-fraud="Digital Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Mobile Fraud
Fraud perpetrated via mobile devices against digital banking or payment channels such as home banking or other electronic services, or against online merchants.
The tag is: misp-galaxy:financial-fraud="Mobile Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Telephone Fraud
Fraud perpetrated via landline telephone against banking or payment channels such as home banking or other electronic services, or against merchants.
The tag is: misp-galaxy:financial-fraud="Telephone Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Standing Order Fraud
A standing order is an automated method of making payments, where a person or business instructs their bank to pay another person or business a fixed amount of money at regular intervals. Fraud occurs when a standing order is falsely created or adulterated.
The tag is: misp-galaxy:financial-fraud="Standing Order Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
CEO/BEC Fraud
A scam in which cybercriminals spoof company email accounts and impersonate executives to try to fool an employee in accounting or HR into executing unauthorised wire transfers or sending out confidential information.
The tag is: misp-galaxy:financial-fraud="CEO/BEC Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Money laundering
An illegal process of concealing the origins of money obtained illegally by passing it through a complex sequence of banking transfers or commercial transactions. The overall scheme of this process returns the money to the launderer in an obscure and indirect way.
The tag is: misp-galaxy:financial-fraud="Money laundering"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
BIN Attack
Credit cards are produced in BIN ranges. Where an issuer does not use random generation of the card number, it is possible for an attacker to obtain one good card number and generate further valid card numbers.
The tag is: misp-galaxy:financial-fraud="BIN Attack"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
DoS - Denial of Service Attack
In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet.
The tag is: misp-galaxy:financial-fraud="DoS - Denial of Service Attack"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
MITM - Man-in-the-Middle Attack
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
The tag is: misp-galaxy:financial-fraud="MITM - Man-in-the-Middle Attack"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Transaction Reversal Fraud
Unauthorised physical manipulation of an ATM cash withdrawal so that it appears that cash has not been dispensed, causing a reversal message to be generated. See the full terminal fraud definition.
The tag is: misp-galaxy:financial-fraud="Transaction Reversal Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Transaction Message Adulteration
The data contained in an authorisation message is manipulated to try to fool the payment processor.
The tag is: misp-galaxy:financial-fraud="Transaction Message Adulteration"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
First Party (Friendly) Fraud
Fraud committed against a financial institution by one of its own customers.
The tag is: misp-galaxy:financial-fraud="First Party (Friendly) Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Identity Spoofing (or entity hacking)
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal, or use stolen or spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages: any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity.
The tag is: misp-galaxy:financial-fraud="Identity Spoofing (or entity hacking)"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Authorised Push Payment Fraud
A form of fraud in which victims are manipulated into making real-time payments to fraudsters, typically by social engineering attacks involving impersonation.
The tag is: misp-galaxy:financial-fraud="Authorised Push Payment Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Direct Debit Fraud
Direct debit fraud can take place in several ways. It is often associated with identity theft, where the scammer gains access to the bank account information by posing as the victim. They can pay for services and products via a direct debit option and use this account until its owner notices.
The tag is: misp-galaxy:financial-fraud="Direct Debit Fraud"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Extortion
Obtaining a benefit through coercion.
The tag is: misp-galaxy:financial-fraud="Extortion"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Smishing
Smishing, also known as "SMS Phishing", is a form of criminal activity using social engineering techniques. SMS phishing uses cell phone text messages to deliver information and/or requests to induce people to divulge personal or confidential information, or to take action that will compromise it.
The tag is: misp-galaxy:financial-fraud="Smishing"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Shoulder Surfing
Technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim’s shoulder.
The tag is: misp-galaxy:financial-fraud="Shoulder Surfing"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Distraction
The process of diverting the attention of an individual or group from a desired area of focus and thereby blocking or diminishing the reception of desired information.
The tag is: misp-galaxy:financial-fraud="Distraction"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Push Payments
Authorised push payment fraud happens when fraudsters deceive consumers or individuals at a business to send them a payment under false pretences to a bank account controlled by the fraudster. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realise they have been conned.
The tag is: misp-galaxy:financial-fraud="Push Payments"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
ATM Malware
Unauthorised software, or authorised software run in an unauthorised manner, on an ATM PC - SEE FULL TERMINAL FRAUD DEFINITION
The tag is: misp-galaxy:financial-fraud="ATM Malware"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Data Breach
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used from a PC or Computer Network by an entity unauthorised to do so.
The tag is: misp-galaxy:financial-fraud="Data Breach"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Ransomware
A type of malicious software designed to block access to a computer system until a sum of money is paid.
The tag is: misp-galaxy:financial-fraud="Ransomware"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Fake Website
A website that is not a legitimate venue. The site is designed to entice the visitor into revealing sensitive information, to download some form of malware, or to purchase products that never arrive.
The tag is: misp-galaxy:financial-fraud="Fake Website"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Fake App
Apps in mobile devices that trick users into downloading them. They may also pose as quirky and attractive apps, providing interesting services. Once installed on a mobile device, fake apps can perform a variety of malicious routines.
The tag is: misp-galaxy:financial-fraud="Fake App"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
e-Skimming
Cyber criminals introduce skimming code on e-commerce payment card processing web pages to capture credit card and personally identifiable information and send the stolen data to a domain under their control.
The tag is: misp-galaxy:financial-fraud="e-Skimming"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Skimming - CPP UPT
CPP analysis identifies the payment terminal locations (parking, transport, fuel, etc.) from which card numbers were stolen, so that banks can mitigate fraud on other compromised cards.
The tag is: misp-galaxy:financial-fraud="Skimming - CPP UPT"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Skimming - CPP Virtual Terminal
Same as e-Skimming
The tag is: misp-galaxy:financial-fraud="Skimming - CPP Virtual Terminal"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Card Trapping
Unauthorised physical ATM manipulation, preventing the card from being returned to the customer - SEE FULL TERMINAL FRAUD DEFINITION
The tag is: misp-galaxy:financial-fraud="Card Trapping"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Lack of Patching / Security
Patch management is the best practice of upgrading existing software applications to remove security weaknesses that could be exploited by attackers. Lack of proper patching allows cyber criminals to exploit systems and networks.
The tag is: misp-galaxy:financial-fraud="Lack of Patching / Security"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Bad implementation
Process where an information system is deployed into a production environment with faults, errors or vulnerabilities.
The tag is: misp-galaxy:financial-fraud="Bad implementation"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Deployment Error
Implementation of a system, solution or service not according to defined and tested best practices.
The tag is: misp-galaxy:financial-fraud="Deployment Error"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Merchant Negligence
Merchants not following best practice procedures to avoid criminal or fraudulent activity.
The tag is: misp-galaxy:financial-fraud="Merchant Negligence"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Implementation not according to Standards
Implementation of a system, solution or service not according to defined and tested standards.
The tag is: misp-galaxy:financial-fraud="Implementation not according to Standards"
Links |
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/ |
Backdoor
A list of backdoor malware.
Backdoor is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
raw-data
WellMess
Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent RSA-encrypted in the body of HTTP POST requests. Main functionalities are: (1) execute arbitrary shell commands, (2) upload/download files. The PE variant, in addition, executes PowerShell scripts. A .NET version was also observed in the wild.
The tag is: misp-galaxy:backdoor="WellMess"
WellMess has relationships with:
-
similar: misp-galaxy:malpedia="WellMess" with estimative-language:likelihood-probability="likely"
Links |
Rosenbridge
The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.
While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.
The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU’s memory, but its register file and execution pipeline as well.
The tag is: misp-galaxy:backdoor="Rosenbridge"
Links |
ServHelper
The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.
"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit," researchers from Proofpoint explain in an analysis released today.
The other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.
The tag is: misp-galaxy:backdoor="ServHelper"
Links |
Rising Sun
The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.
The tag is: misp-galaxy:backdoor="Rising Sun"
Links |
https://www.bluvector.io/threat-report-rising-sun-operation-sharpshooter/ |
SLUB
A new backdoor was observed using the GitHub Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack. The backdoor, dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild, is part of a multi-stage infection process designed by capable threat actors who programmed it in C++. SLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP requests, "extracting commands from gist snippets," and "parsing Slack channel communication." The campaign recently observed by the Trend Micro security researchers abusing GitHub and Slack uses a multi-stage infection process.
The tag is: misp-galaxy:backdoor="SLUB"
SLUB has relationships with:
-
similar: misp-galaxy:tool="SLUB Backdoor" with estimative-language:likelihood-probability="likely"
Links |
Asruex
Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.
The tag is: misp-galaxy:backdoor="Asruex"
Links |
Speculoos
FreeBSD-based payload, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679 which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.
The tag is: misp-galaxy:backdoor="Speculoos"
Speculoos has relationships with:
-
used-by: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="very-likely"
Links |
Mori Backdoor
Mori Backdoor has been used by Seedworm.
The tag is: misp-galaxy:backdoor="Mori Backdoor"
Links |
BazarBackdoor
Something that made the brute-force attacks on RDP connections easier was a new module of the notorious Trojan, TrickBot. It now seems that the TrickBot developers have a new tactic. Cybersecurity researchers have discovered a new phishing campaign that delivers a stealthy backdoor called BazarBackdoor, which can be used to compromise and gain full access to corporate networks. As is the case with 91% of cyberattacks, this one starts with a phishing email. A range of subjects are used to personalize the emails: customer complaints, coronavirus-themed payroll reports, or employee termination lists. All these emails contain links to documents hosted on Google Docs. To send the malicious emails, the cybercriminals use the marketing platform Sendgrid. This campaign uses spear phishing, which means that the perpetrators have made an effort to ensure that the websites linked in the emails seem legitimate and correspond to the emails' subjects.
The tag is: misp-galaxy:backdoor="BazarBackdoor"
BazarBackdoor is also known as:
-
BEERBOT
-
KEGTAP
-
Team9Backdoor
-
bazaloader
-
bazarloader
-
bazaarloader
Links |
https://www.pandasecurity.com/en/mediacenter/business/bazarbackdoor-trickbot-backdoor/ |
SUNBURST
Backdoor.Sunburst is Malwarebytes’ detection name for a trojanized update to SolarWinds’ Orion IT monitoring and management software.
The tag is: misp-galaxy:backdoor="SUNBURST"
SUNBURST is also known as:
-
Solarigate
SUNBURST has relationships with:
-
dropped-by: misp-galaxy:tool="SUNSPOT" with estimative-language:likelihood-probability="likely"
-
used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"
Links |
https://www.varonis.com/blog/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/ |
BPFDoor
BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2, including TCP, UDP, and ICMP, allowing the threat actor a variety of mechanisms to interact with the implant.
The tag is: misp-galaxy:backdoor="BPFDoor"
Links |
https://twitter.com/CraigHRowland/status/1523266585133457408 |
BOLDMOVE
According to Mandiant, this malware family is attributed to a potential Chinese background, and its Linux variant is related to exploitation of Fortinet’s SSL-VPN (CVE-2022-42475).
The tag is: misp-galaxy:backdoor="BOLDMOVE"
VEILEDSIGNAL
VEILEDSIGNAL is a backdoor written in C that is able to execute shellcode and terminate itself. Additionally, VEILEDSIGNAL relies on additional modules that connect via Windows named pipes to interact with the Command and Control (C2) infrastructure.
The tag is: misp-galaxy:backdoor="VEILEDSIGNAL"
Links |
https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise |
POOLRAT
POOLRAT is a C/C++ macOS backdoor capable of collecting basic system information and executing commands. The commands performed include running arbitrary commands, securely deleting files, reading and writing files, and updating the configuration.
The tag is: misp-galaxy:backdoor="POOLRAT"
Links |
https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise |
BIGRAISIN
BIGRAISIN is a C/C++ Windows-based backdoor. It is capable of executing downloaded commands, executing downloaded files, and deleting files. Availability: Non-public
The tag is: misp-galaxy:backdoor="BIGRAISIN"
BIGRAISIN has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
FASTFIRE
FASTFIRE is a malicious APK that connects to a server and sends details of the compromised device back to command and control (C2). Availability: Non-public
The tag is: misp-galaxy:backdoor="FASTFIRE"
FASTFIRE has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
GRAYZONE
GRAYZONE is a C/C++ Windows backdoor capable of collecting system information, logging keystrokes, and downloading additional stages from the C2 server. Availability: Non-public
The tag is: misp-galaxy:backdoor="GRAYZONE"
GRAYZONE has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
HANGMAN.V2
HANGMAN.V2 is a variant of the backdoor HANGMAN. HANGMAN.V2 is very similar to HANGMAN, but uses HTTP for the network communications and formats data passed to the C2 server differently. Availability: Non-public
The tag is: misp-galaxy:backdoor="HANGMAN.V2"
HANGMAN.V2 has relationships with:
-
variant-of: misp-galaxy:malpedia="HOPLIGHT" with estimative-language:likelihood-probability="likely"
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
LOGCABIN
LOGCABIN is a file-less and modular backdoor with multiple stages. The stages consist of several VisualBasic and PowerShell scripts that are downloaded and executed. LOGCABIN collects detailed system information and sends it to the C2 before performing additional commands. Availability: Non-public
The tag is: misp-galaxy:backdoor="LOGCABIN"
LOGCABIN has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
SOURDOUGH
SOURDOUGH is a backdoor written in C that communicates via HTTP. Its capabilities include keylogging, screenshot capture, file transfer, file execution, and directory enumeration. Availability: Non-public
The tag is: misp-galaxy:backdoor="SOURDOUGH"
SOURDOUGH has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
TROIBOMB
TROIBOMB is a C/C++ Windows backdoor that is capable of collecting system information and performing commands from the C2 server. Availability: Non-public
The tag is: misp-galaxy:backdoor="TROIBOMB"
TROIBOMB has relationships with:
-
used-by: misp-galaxy:threat-actor="APT43" with estimative-language:likelihood-probability="likely"
Links |
ZIPLINE
ZIPLINE makes use of extensive functionality to ensure the authentication of its custom protocol used to establish command and control (C2).
The tag is: misp-galaxy:backdoor="ZIPLINE"
Links |
https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation |
SPAWNSNAIL
SPAWNSNAIL is a backdoor that listens on localhost. It is designed to run by injecting into the dsmdm process (process responsible for supporting mobile device management features). It creates a backdoor by exposing a limited SSH server on localhost port 8300. We assess that the attacker uses the SPAWNMOLE tunneler to interact with SPAWNSNAIL.
SPAWNSNAIL’s second purpose is to inject SPAWNSLOTH into dslogserver, a process supporting event logging on Connect Secure.
The tag is: misp-galaxy:backdoor="SPAWNSNAIL"
SPAWNSNAIL has relationships with:
-
used-by: misp-galaxy:threat-actor="UNC5337" with estimative-language:likelihood-probability="likely"
-
preceded-by: misp-galaxy:tool="SPAWNANT" with estimative-language:likelihood-probability="likely"
-
interacts-with: misp-galaxy:tool="SPAWNMOLE" with estimative-language:likelihood-probability="likely"
-
injects: misp-galaxy:tool="SPAWNSLOTH" with estimative-language:likelihood-probability="likely"
Links |
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement |
BRICKSTORM
BRICKSTORM is a Go backdoor targeting VMware vCenter servers. It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying. BRICKSTORM communicates over WebSockets to a hard-coded C2.
The tag is: misp-galaxy:backdoor="BRICKSTORM"
BRICKSTORM has relationships with:
-
used-by: misp-galaxy:threat-actor="UTA0178" with estimative-language:likelihood-probability="likely"
Links |
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement |
PHANTOMNET
PHANTOMNET is a modular backdoor that communicates using a custom communication protocol over TCP. PHANTOMNET’s core functionality involves expanding its capabilities through a plugin management system. The downloaded plugins are mapped directly into memory and executed.
The tag is: misp-galaxy:backdoor="PHANTOMNET"
PHANTOMNET has relationships with:
-
is-deployed-by: misp-galaxy:threat-actor="UNC5330" with estimative-language:likelihood-probability="likely"
-
executed-by: misp-galaxy:tool="TONERJAM" with estimative-language:likelihood-probability="likely"
Links |
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement |
TERRIBLETEA
TERRIBLETEA is a Go backdoor that communicates over HTTP using XXTEA for encrypted communications. It is built using multiple open-source Go modules and has a multitude of capabilities, including command execution, keystroke logging, SOCKS5 proxy, port scanning, file system interaction, SQL query execution, screen captures, and the ability to open a new SSH session, execute commands, and upload files to a remote server.
The tag is: misp-galaxy:backdoor="TERRIBLETEA"
TERRIBLETEA has relationships with:
-
is-deployed-by: misp-galaxy:threat-actor="UNC5266" with estimative-language:likelihood-probability="likely"
Links |
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement |
Merdoor
Merdoor is a fully-featured backdoor that appears to have been in existence since 2018. The backdoor contains the following functionality: installing itself as a service; keylogging; a variety of methods to communicate with its command-and-control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP); and the ability to listen on a local port for commands. Instances of the Merdoor backdoor are usually identical, with the exception of the embedded and encrypted configuration, which determines the C&C communication method, service details and installation directory. Typically, the backdoor is injected into the legitimate processes perfhost.exe or svchost.exe.
The tag is: misp-galaxy:backdoor="Merdoor"
Links |
Banker
A list of banker malware.
Banker is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Unknown - raw-data
Zeus
Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.
The tag is: misp-galaxy:banker="Zeus"
Zeus is also known as:
-
Zbot
Zeus has relationships with:
-
similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"
Links |
https://usa.kaspersky.com/resource-center/threats/zeus-virus |
Vawtrak
Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.
The tag is: misp-galaxy:banker="Vawtrak"
Vawtrak is also known as:
-
Neverquest
Vawtrak has relationships with:
-
similar: misp-galaxy:tool="Vawtrak" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Vawtrak" with estimative-language:likelihood-probability="likely"
Dridex
Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.
The tag is: misp-galaxy:banker="Dridex"
Dridex is also known as:
-
Feodo Version D
-
Cridex
Dridex has relationships with:
-
similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dridex" with estimative-language:likelihood-probability="likely"
Links |
Gozi
Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010.
The tag is: misp-galaxy:banker="Gozi"
Gozi is also known as:
-
Ursnif
-
CRM
-
Snifula
-
Papras
Gozi has relationships with:
-
similar: misp-galaxy:tool="Snifula" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Gozi" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Snifula" with estimative-language:likelihood-probability="likely"
Links |
https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 |
Goziv2
Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.
The tag is: misp-galaxy:banker="Goziv2"
Goziv2 is also known as:
-
Prinimalka
Links |
Gozi ISFB
Banking trojan based on Gozi source. Features include web injects for the victims’ browsers, screenshotting, video recording, transparent redirections, etc. Source leaked around the end of 2015.
The tag is: misp-galaxy:banker="Gozi ISFB"
Gozi ISFB has relationships with:
-
similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"
Links |
https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature |
https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak |
Dreambot
Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.
The tag is: misp-galaxy:banker="Dreambot"
Links |
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality |
IAP
Gozi ISFB variant.
The tag is: misp-galaxy:banker="IAP"
IAP has relationships with:
-
similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"
Links |
GozNym
The GozNym hybrid combines parts of both Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers.
The tag is: misp-galaxy:banker="GozNym"
Links |
https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/ |
Zloader Zeus
Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="Zloader Zeus"
Zloader Zeus is also known as:
-
Zeus Terdot
Zloader Zeus has relationships with:
-
similar: misp-galaxy:malpedia="Zloader" with estimative-language:likelihood-probability="likely"
Links |
https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle |
Zeus VM
Zeus variant that utilizes steganography in image files to retrieve configuration file.
The tag is: misp-galaxy:banker="Zeus VM"
Zeus VM is also known as:
-
VM Zeus
Zeus VM has relationships with:
-
similar: misp-galaxy:malpedia="VM Zeus" with estimative-language:likelihood-probability="likely"
Links |
https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/ |
Zeus Sphinx
Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.
The tag is: misp-galaxy:banker="Zeus Sphinx"
Zeus Sphinx has relationships with:
-
similar: misp-galaxy:malpedia="Zeus Sphinx" with estimative-language:likelihood-probability="likely"
Links |
https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/ |
Panda Banker
Zeus-like banking trojan that is delivered primarily through malspam emails and exploit kits.
The tag is: misp-galaxy:banker="Panda Banker"
Panda Banker is also known as:
-
Zeus Panda
Links |
https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market |
https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf |
Zeus KINS
Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of its config in the registry.
The tag is: misp-galaxy:banker="Zeus KINS"
Zeus KINS is also known as:
-
Kasper Internet Non-Security
-
Maple
Zeus KINS has relationships with:
-
similar: misp-galaxy:malpedia="KINS" with estimative-language:likelihood-probability="likely"
Links |
https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/ |
Chthonic
Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.
The tag is: misp-galaxy:banker="Chthonic"
Chthonic is also known as:
-
Chtonic
Chthonic has relationships with:
-
similar: misp-galaxy:malpedia="Chthonic" with estimative-language:likelihood-probability="likely"
Links |
https://securelist.com/chthonic-a-new-modification-of-zeus/68176/ |
Trickbot
Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan.
The tag is: misp-galaxy:banker="Trickbot"
Trickbot is also known as:
-
Trickster
-
Trickloader
Trickbot has relationships with:
-
similar: misp-galaxy:tool="Trick Bot" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="TrickBot" with estimative-language:likelihood-probability="likely"
Dyre
Dyre is a banking trojan distributed primarily via exploit kits and malspam emails. It has a modular architecture and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim’s computer.
The tag is: misp-galaxy:banker="Dyre"
Dyre is also known as:
-
Dyreza
Dyre has relationships with:
-
similar: misp-galaxy:mitre-malware="Dyre - S0024" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dyre" with estimative-language:likelihood-probability="likely"
Links |
https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/ |
Tinba
Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.
The tag is: misp-galaxy:banker="Tinba"
Tinba is also known as:
-
Zusy
-
TinyBanker
-
illi
Tinba has relationships with:
-
similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Tinba" with estimative-language:likelihood-probability="likely"
Geodo
Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.
The tag is: misp-galaxy:banker="Geodo"
Geodo is also known as:
-
Feodo Version C
-
Emotet
Geodo has relationships with:
-
similar: misp-galaxy:tool="Emotet" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Emotet" with estimative-language:likelihood-probability="likely"
Links |
https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/ |
https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet |
Feodo
Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. Version A = Port 8080, Version B = Port 80. It is delivered primarily via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="Feodo"
Feodo is also known as:
-
Bugat
-
Cridex
Feodo has relationships with:
-
similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Feodo" with estimative-language:likelihood-probability="likely"
Links |
http://stopmalvertising.com/rootkits/analysis-of-cridex.html |
Ramnit
Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of performing Man-in-the-Browser attacks. Distributed primarily via exploit kits.
The tag is: misp-galaxy:banker="Ramnit"
Ramnit is also known as:
-
Nimnul
Ramnit has relationships with:
-
similar: misp-galaxy:botnet="Ramnit" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"
Links |
https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/ |
Qakbot
Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.
The tag is: misp-galaxy:banker="Qakbot"
Qakbot is also known as:
-
Qbot
-
Pinkslipbot
-
Akbot
Qakbot has relationships with:
-
similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="likely"
Corebot
Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.
The tag is: misp-galaxy:banker="Corebot"
Corebot has relationships with:
-
similar: misp-galaxy:malpedia="Corebot" with estimative-language:likelihood-probability="likely"
Links |
https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/ |
TinyNuke
TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and a reverse SOCKS 4 server. Its main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.
The tag is: misp-galaxy:banker="TinyNuke"
TinyNuke is also known as:
-
NukeBot
-
Nuclear Bot
-
MicroBankingTrojan
-
Xbot
TinyNuke has relationships with:
-
similar: misp-galaxy:mitre-tool="Xbot - S0298" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Xbot" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="TinyNuke" with estimative-language:likelihood-probability="likely"
-
used-by: misp-galaxy:threat-actor="Kimsuky" with estimative-language:likelihood-probability="likely"
Retefe
Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation-based targeting. It also installs a fake root certificate and changes the DNS server used for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails.
The tag is: misp-galaxy:banker="Retefe"
Retefe is also known as:
-
Tsukuba
-
Werdlod
Retefe has relationships with:
-
similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"
ReactorBot
ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full-fledged modular bot that includes a banking module with roots in the Carberp banking trojan. Distributed primarily via malspam emails.
The tag is: misp-galaxy:banker="ReactorBot"
ReactorBot has relationships with:
-
similar: misp-galaxy:malpedia="ReactorBot" with estimative-language:likelihood-probability="likely"
Matrix Banker
Matrix Banker is named for the Matrix reference in its C2 panel. Distributed primarily via malspam emails.
The tag is: misp-galaxy:banker="Matrix Banker"
Matrix Banker has relationships with:
-
similar: misp-galaxy:malpedia="Matrix Banker" with estimative-language:likelihood-probability="likely"
Links |
https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/ |
Zeus Gameover
Zeus Gameover captures banking credentials from infected computers, then uses those credentials to initiate or redirect wire transfers to overseas accounts controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.
The tag is: misp-galaxy:banker="Zeus Gameover"
SpyEye
SpyEye is a banking trojan similar to Zeus. It utilizes a web control panel for C2 and can perform form grabbing, and includes credit card autofill, FTP grabber, POP3 grabber and HTTP basic access authorization grabber modules. It also contained a "Kill Zeus" feature which would remove any Zeus infection present on a system SpyEye was running on. Distributed primarily via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="SpyEye"
Links |
https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf |
https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot |
Citadel
Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.
The tag is: misp-galaxy:banker="Citadel"
Citadel has relationships with:
-
similar: misp-galaxy:malpedia="Citadel" with estimative-language:likelihood-probability="likely"
Links |
https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/ |
Atmos
Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.
The tag is: misp-galaxy:banker="Atmos"
Links |
https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/ |
Ice IX
Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.
The tag is: misp-galaxy:banker="Ice IX"
Ice IX has relationships with:
-
similar: misp-galaxy:malpedia="Ice IX" with estimative-language:likelihood-probability="likely"
Links |
https://securelist.com/ice-ix-not-cool-at-all/29111/ |
Zitmo
Zeus in the mobile: a banking trojan developed for mobile devices such as Windows Mobile, BlackBerry and Android.
The tag is: misp-galaxy:banker="Zitmo"
Links |
https://securelist.com/zeus-in-the-mobile-for-android-10/29258/ |
Licat
Banking trojan based on Zeus V2. Murofet is a newer version of Licat found around the end of 2011.
The tag is: misp-galaxy:banker="Licat"
Licat is also known as:
-
Murofet
Licat has relationships with:
-
similar: misp-galaxy:malpedia="Murofet" with estimative-language:likelihood-probability="likely"
Links |
https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/ |
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A |
Skynet
Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and banking capabilities. Spread via USENET according to Rapid7.
The tag is: misp-galaxy:banker="Skynet"
Links |
https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/ |
IcedID
According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.
The tag is: misp-galaxy:banker="IcedID"
IcedID is also known as:
-
BokBot
IcedID has relationships with:
-
similar: misp-galaxy:malpedia="IcedID" with estimative-language:likelihood-probability="likely"
GratefulPOS
GratefulPOS has the following functions:
1. Access arbitrary processes on the target POS system.
2. Scrape track 1 and 2 payment card data from the process(es).
3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomali in analysis of a precursor to this sample.
The tag is: misp-galaxy:banker="GratefulPOS"
GratefulPOS has relationships with:
-
similar: misp-galaxy:tool="GratefulPOS" with estimative-language:likelihood-probability="likely"
Dok
A macOS banking trojan that redirects an infected user’s web traffic in order to extract banking credentials.
The tag is: misp-galaxy:banker="Dok"
Dok has relationships with:
-
similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"
-
similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"
downAndExec
Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage, as this gives users greater speed when viewing content: the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, CDNs are starting to become a new way of spreading malware. The attack chain is very extensive and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.
The tag is: misp-galaxy:banker="downAndExec"
Links |
https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/ |
Smominru
Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware. The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.
The tag is: misp-galaxy:banker="Smominru"
Smominru is also known as:
-
Ismo
-
lsmo
Smominru has relationships with:
-
similar: misp-galaxy:malpedia="Smominru" with estimative-language:likelihood-probability="likely"
DanaBot
DanaBot is a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (e.g. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll).
The tag is: misp-galaxy:banker="DanaBot"
DanaBot has relationships with:
-
similar: misp-galaxy:malpedia="DanaBot" with estimative-language:likelihood-probability="likely"
Links |
https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0 |
Backswap
The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect the values of window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload.
The tag is: misp-galaxy:banker="Backswap"
Links |
https://www.cert.pl/news/single/analiza-zlosliwego-oprogramowania-backswap/ |
https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/ |
Bebloh
The tag is: misp-galaxy:banker="Bebloh"
Bebloh is also known as:
-
URLZone
-
Shiotob
Bebloh has relationships with:
-
similar: misp-galaxy:malpedia="UrlZone" with estimative-language:likelihood-probability="likely"
Links |
https://www.symantec.com/security-center/writeup/2011-041411-0912-99 |
Banjori
The tag is: misp-galaxy:banker="Banjori"
Banjori is also known as:
-
MultiBanker 2
-
BankPatch
-
BackPatcher
Banjori has relationships with:
-
similar: misp-galaxy:malpedia="Banjori" with estimative-language:likelihood-probability="likely"
Qadars
The tag is: misp-galaxy:banker="Qadars"
Qadars has relationships with:
-
similar: misp-galaxy:malpedia="Qadars" with estimative-language:likelihood-probability="likely"
Links |
https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/ |
Ranbyus
The tag is: misp-galaxy:banker="Ranbyus"
Ranbyus has relationships with:
-
similar: misp-galaxy:malpedia="Ranbyus" with estimative-language:likelihood-probability="likely"
Fobber
The tag is: misp-galaxy:banker="Fobber"
Fobber has relationships with:
-
similar: misp-galaxy:malpedia="Fobber" with estimative-language:likelihood-probability="likely"
Karius
Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a rather traditional fashion compared to other banking malware and consists of three components (injector32\64.exe, proxy32\64.dll and mod32\64.dll); these components work together to deploy webinjects in several browsers.
The tag is: misp-galaxy:banker="Karius"
Karius has relationships with:
-
similar: misp-galaxy:malpedia="Karius" with estimative-language:likelihood-probability="likely"
Links |
https://research.checkpoint.com/banking-trojans-development/ |
Kronos
Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renewed version was reconnecting with infected bots and sending them a brand new configuration file targeting U.K. banks and one bank in India. Similar to Zeus, it was focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018; the main difference is that the 2018 edition uses Tor-hosted C&C control panels.
The tag is: misp-galaxy:banker="Kronos"
Kronos has relationships with:
-
similar: misp-galaxy:malpedia="Kronos" with estimative-language:likelihood-probability="likely"
Links |
https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/ |
CamuBot
A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components. CamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.
The tag is: misp-galaxy:banker="CamuBot"
CamuBot has relationships with:
-
similar: misp-galaxy:malpedia="CamuBot" with estimative-language:likelihood-probability="likely"
Dark Tequila
Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.
The tag is: misp-galaxy:banker="Dark Tequila"
Links |
https://thehackernews.com/2018/08/mexico-banking-malware.html |
Malteiro
Distributed by Malteiro
The tag is: misp-galaxy:banker="Malteiro"
Malteiro is also known as:
-
URSA
Malteiro has relationships with:
-
delivered-by: misp-galaxy:threat-actor="Malteiro" with estimative-language:likelihood-probability="likely"
Bhadra Framework
Bhadra Threat Modeling Framework.
Bhadra Framework is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Siddharth Prakash Rao - Silke Holtmanns - Tuomas Aura
Attacks from UE
"Attacks from UE" refers to any technique that involves the attacks launched by the software or hardware components of the user equipment to send malicious traffic into the mobile network.
The tag is: misp-galaxy:bhadra-framework="Attacks from UE"
SIM-based attacks
The "SIM-based attacks" are the techniques that involve any physical smart cards, namely SIM from 2G, USIM from 3G, and UICC from 4G networks.
The tag is: misp-galaxy:bhadra-framework="SIM-based attacks"
Attacks from radio access network
The "attacks from radio access network" are the techniques where an adversary with radio capabilities impersonates the mobile network to the UE (or vice versa) and becomes a man-in-the-middle.
The tag is: misp-galaxy:bhadra-framework="Attacks from radio access network"
Attacks from other mobile network
The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies performing lawful interception, and human insiders with access to network nodes.
The tag is: misp-galaxy:bhadra-framework="Attacks from other mobile network"
Attacks with access to transport network
The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies performing lawful interception, and human insiders with access to network nodes.
The tag is: misp-galaxy:bhadra-framework="Attacks with access to transport network"
Attacks from IP-based network
The "attacks from IP-based network" techniques are mostly launched from the service and application network, which allows non-operator entities to infuse malicious traffic into an operator’s network.
The tag is: misp-galaxy:bhadra-framework="Attacks from IP-based network"
Insider attacks and human errors
The "insider attacks and human errors" techniques involve intentional attacks and unintentional mistakes by human insiders with access to any component of the mobile communication ecosystem.
The tag is: misp-galaxy:bhadra-framework="Insider attacks and human errors"
Infecting UE hardware or software
Retaining the foothold gained on the target system through the initial access by infecting UE hardware or software.
The tag is: misp-galaxy:bhadra-framework="Infecting UE hardware or software"
Infecting SIM cards
Retaining the foothold gained on the target system through the initial access by infecting SIM cards.
The tag is: misp-galaxy:bhadra-framework="Infecting SIM cards"
Spoofed radio network
Retaining the foothold gained on the target system through the initial access by radio network spoofing.
The tag is: misp-galaxy:bhadra-framework="Spoofed radio network"
Infecting network nodes
Retaining the foothold gained on the target system through the initial access by infecting network nodes.
The tag is: misp-galaxy:bhadra-framework="Infecting network nodes"
Covert channels
Retaining the foothold gained on the target system through the initial access via covert channels.
The tag is: misp-galaxy:bhadra-framework="Covert channels"
Port scanning or sweeping
"Port scanning or sweeping" techniques probe servers or hosts for open ports.
The tag is: misp-galaxy:bhadra-framework="Port scanning or sweeping"
Perimeter mapping
"Perimeter mapping" techniques use command-line utilities (e.g., nmap and whois), web-based lookup tools and official APIs provided by the Internet registrars that assign the ASNs, drawing on a wide range of publicly available sources.
The tag is: misp-galaxy:bhadra-framework="Perimeter mapping"
Threat intelligence gathering
"Threat intelligence gathering" uses dedicated search engines (such as Censys and Shodan) to gather information about vulnerable devices or networks, or the advanced search options of traditional search engines.
The tag is: misp-galaxy:bhadra-framework="Threat intelligence gathering"
CN-specific scanning
"CN-specific scanning" is used to scan nodes that are interconnected with protocols specific to the mobile communication domain (GTP, SCTP).
The tag is: misp-galaxy:bhadra-framework="CN-specific scanning"
Internal resource search
"Internal resource search" refers to an insider with access to provider internal databases abusing the information as a discovery tactic.
The tag is: misp-galaxy:bhadra-framework="Internal resource search"
UE knocking
"UE knocking" refers to the technique that scans User Equipment, similarly to how IP endpoints and core network nodes are scanned or mapped.
The tag is: misp-galaxy:bhadra-framework="UE knocking"
Exploit roaming agreements
"Exploit roaming agreements" is a technique used by evil mobile operators. Although communication between operators depends on a roaming agreement being in place, an attacker that has gained a foothold with one operator can abuse that operator's existing roaming agreements for lateral movement to all adjacent operators with agreements in place.
The tag is: misp-galaxy:bhadra-framework="Exploit roaming agreements"
Abusing interworking functionalities
"Abusing interworking functionalities" is a technique for adversaries to move laterally between networks of different generations.
The tag is: misp-galaxy:bhadra-framework="Abusing interworking functionalities"
Exploit platform & service-specific vulnerabilities
Once an attacker has gained a foothold in an operator, it can conduct privilege escalation and process injection to gain administrative rights, crack passwords of valid user accounts on the nodes, exploit vulnerabilities in databases and file systems, and take advantage of improper configurations of routers and switches.
The tag is: misp-galaxy:bhadra-framework="Exploit platform & service-specific vulnerabilities"
SS7-based-attacks
Attacks abusing the SS7 protocol.
The tag is: misp-galaxy:bhadra-framework="SS7-based-attacks"
Diameter-based attacks
Attacks abusing the Diameter protocol.
The tag is: misp-galaxy:bhadra-framework="Diameter-based attacks"
GTP-based attacks
Attacks abusing the GTP protocol.
The tag is: misp-galaxy:bhadra-framework="GTP-based attacks"
Pre-AKA attacks
Attack techniques that take place during the unencrypted communication that occurs prior to the AKA protocol.
The tag is: misp-galaxy:bhadra-framework="Pre-AKA attacks"
Security audit camouflage
The operating systems, software, and services used on the network nodes are prone to security vulnerabilities and installation of unwanted malware. Although operators conduct routine security audits to track and patch the vulnerabilities or remove the malware from the infected nodes, their effectiveness is not known to the public. Any means by which an adversary can remain undetected from such audits are referred to as the security audit camouflage technique.
The tag is: misp-galaxy:bhadra-framework="Security audit camouflage"
Blacklist evasion
Mobile operators employ several defenses to secure their network traffic. For instance, operators maintain a whitelist of IPs and GTs of nodes from their own infrastructure and their partner operators (as agreed in IR 21), and only traffic from these nodes is processed. Similarly, a blacklist is also maintained to control spam due to configuration errors and malicious traffic. Anything from the blacklist is banned from entering the operator’s network. Such defense mechanisms may defend against unsolicited traffic from external networks (e.g., from the public Internet and SAN), but they barely serve their purpose in the case of attacks from inter-operator communications. Since most of the communication protocols are unauthenticated in nature, an attacker with knowledge of the identifiers of the allowed nodes (i.e. gained during the discovery phase) can impersonate their identity. We call this the blacklist evasion technique.
The tag is: misp-galaxy:bhadra-framework="Blacklist evasion"
Middlebox misconfiguration exploits
NAT middleboxes are used to separate the private networks of mobile operators from the public Internet and work as a second line of defense. However, studies have shown that the middleboxes deployed by operators are prone to misconfigurations that allow adversaries to infiltrate malicious traffic into mobile networks, e.g., by spoofing the IP headers. Some of the other NAT vulnerabilities lie in the IPv4-to-IPv6 address mapping logic, which can be exploited by adversaries to exhaust resources, wipe out the mapping, or assist with blacklist evasion. Adversaries use such middlebox misconfiguration exploit techniques to launch denial-of-service or over-billing attacks.
The tag is: misp-galaxy:bhadra-framework="Middlebox misconfiguration exploits"
Bypass Firewall
Adversaries (e.g., evil operators) can, for example, exploit the implicit trust between roaming partners as a bypass firewall technique.
The tag is: misp-galaxy:bhadra-framework="Bypass Firewall"
Bypass homerouting
SMS home routing is a defense mechanism, where an additional SMS router intervenes in external location queries for SMS deliveries, and the roaming network takes the responsibility of delivering the SMS without providing location information to the external entity. Although many operators have implemented SMS home routing solutions, there are no silver bullets. If the SMS routers are incorrectly configured, adversaries can hide SMS delivery location queries within other messages so that the SMS home router fails to process them. We refer to it as the bypass home routing technique.
The tag is: misp-galaxy:bhadra-framework="Bypass homerouting"
Downgrading
Attacks on the radio access networks are well-studied, and newer generations are designed to address the weaknesses of previous generations. Usage of weak cryptographic primitives, lack of integrity protection of the radio channels, and one-sided authentication (only from the network) remain problems mostly of GSM-only radio communication. So, radio link attackers use downgrading as an attack technique to block service over newer generations and accept to serve only in the GSM radio network. The downgrading technique works similarly in the core network, where the adversary accepts to serve only in SS7-based signaling instead of Diameter-based signaling. Using interworking functions for inter-generation communication translation could make downgrading attacks much easier.
The tag is: misp-galaxy:bhadra-framework="Downgrading"
Redirection
The redirection technique is a variant of the downgrading technique, where an adversary forcefully routes the traffic through networks or components that are under its control. By redirecting traffic to an unsafe network, the adversary can intercept mobile communication (e.g., calls and SMS) on the RAN part. Redirection attacks on the core network result not only in communication interception but also in billing discrepancies, as an adversary can route the calls of a mobile user from its home network through a foreign network with a higher call rate.
The tag is: misp-galaxy:bhadra-framework="Redirection"
UE Protection evasion
Protection on the UE is mainly available in the form of antivirus apps as a defense against viruses and malware that steal sensitive information (e.g., banking credentials and user passwords) or track user activities. Simple visual cues on the UE (such as notifications) could also be a protection mechanism by themselves. Unfortunately, mobile network-based attacks cannot be detected or defended against effectively from the UE’s side by traditional antivirus apps, and such attacks do not trigger any visual signs. Although there are attempts at defending against radio link attacks, including citywide studies to detect IMSI catchers, their effectiveness is still under debate. Similarly, there are recent attempts to detect signaling attacks using a distance bounding protocol run from a UE. However, such solutions are still in the research phase, and their effectiveness on a large scale is still untested. To this end, the absence of robust detection and defense mechanisms on the UE is, in fact, an evasion mechanism for an adversary. We refer to these as UE protection evasion techniques.
The tag is: misp-galaxy:bhadra-framework="UE Protection evasion"
Admin credentials
Stealing legitimate admin credentials for critical nodes is beneficial for the adversary, as it increases its chances of persisting on the target or masquerading its activities.
The tag is: misp-galaxy:bhadra-framework="Admin credentials"
User-specific identifiers
User-specific identifiers such as IMSI and IMEI are an indicator of who owns a UE with a specific subscription and where a UE is located physically. Since mobile users always keep their mobile phones physically near them, an adversary with knowledge of these permanent identifiers will be able to determine whether or not a user is in a specific location. On the other hand, temporary identifiers (e.g., TMSI and GUTI) are used to reduce the usage of permanent identifiers like IMSI over radio channels. Although the temporary identifiers are supposed to change frequently and are expected to live for a short period, research has shown that this is not the case.
The tag is: misp-galaxy:bhadra-framework="User-specific identifiers"
User-specific data
Adversaries can collect several types of user-specific data, such as the content of SMS and calls, location dumps from base stations, call and billing records, and browsing-related data (such as DNS queries and unencrypted browsing sessions).
The tag is: misp-galaxy:bhadra-framework="User-specific data"
Network-specific identifiers
Adversaries aim to collect network-specific identifiers such as GTs and IPs of critical nodes and Tunnel Endpoint Identifiers (TEIDs) of GTP tunnels from operators’ networks.
The tag is: misp-galaxy:bhadra-framework="Network-specific identifiers"
Network-specific data
Adversaries may also be interested in network-specific data that is obtained mainly during the execution of discovery tactics. Such data includes, e.g., the network topology, the trust relationships between different nodes, routing metadata, and sensitive documents.
The tag is: misp-galaxy:bhadra-framework="Network-specific data"
Location tracking
The attacker is able to track the location of the target end-user.
The tag is: misp-galaxy:bhadra-framework="Location tracking"
Calls eavesdropping
The attacker is able to eavesdrop on calls.
The tag is: misp-galaxy:bhadra-framework="Calls eavesdropping"
SMS interception
The attacker is able to intercept SMS messages.
The tag is: misp-galaxy:bhadra-framework="SMS interception"
Data interception
The attacker is able to intercept or modify Internet traffic.
The tag is: misp-galaxy:bhadra-framework="Data interception"
Billing frauds
Billing frauds refer to various types of attacks where an adversary causes financial discrepancies for operators.
The tag is: misp-galaxy:bhadra-framework="Billing frauds"
DoS - network
The attacker can create signaling havoc in specific nodes of operators by repeatedly triggering resource allocation or revocation requests.
The tag is: misp-galaxy:bhadra-framework="DoS - network"
DoS - user
The attacker can cause denial of service to mobile users.
The tag is: misp-galaxy:bhadra-framework="DoS - user"
Identity-related attacks
Identity-based attacks involve attack techniques using user- and network-specific identifiers. Identity-based attacks cause harm to the privacy of mobile users and produce fraudulent traffic that incurs a financial loss to operators. In most cases, identity-based attacks are used in impersonation, where an adversary impersonates a legitimate mobile user to the core network without possessing the appropriate credentials, for example, to obtain free mobile services. Most of the signaling attacks that use SS7 also fall into this category. In other cases, identity-based attacks involve identity mapping, where the adversaries map temporary identifiers (e.g., TMSI and GUTI) to permanent identifiers (e.g., IMSI or MSISDN). In rare cases, the IMSI can further be mapped to social media identities.
The tag is: misp-galaxy:bhadra-framework="Identity-related attacks"
Botnet
Botnet galaxy.
Botnet is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
- authors
-
Various
ADB.miner
A new botnet appeared over the weekend, and it’s targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.
The botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system’s native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system’s most sensitive features.
Only devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV set-top boxes, according to security researchers from Qihoo 360’s Network Security Research Lab [Netlab] division, who discovered the botnet and named it ADB.miner.
The tag is: misp-galaxy:botnet="ADB.miner"
Links |
https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/ |
Bagle
Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.
The tag is: misp-galaxy:botnet="Bagle"
Bagle is also known as:
- Beagle
- Mitglieder
- Lodeight
Bagle has relationships with:
- similar: misp-galaxy:malpedia="Bagle" with estimative-language:likelihood-probability="likely"
Links:
Marina Botnet
Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.
The tag is: misp-galaxy:botnet="Marina Botnet"
Marina Botnet is also known as:
- Damon Briant
- BOB.dc
- Cotmonger
- Hacktool.Spammer
- Kraken
Marina Botnet has relationships with:
- similar: misp-galaxy:botnet="Kraken" with estimative-language:likelihood-probability="likely"
Links:
Torpig
Torpig, also known as Anserin or Sinowal, is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.
The tag is: misp-galaxy:botnet="Torpig"
Torpig is also known as:
- Sinowal
- Anserin
Torpig has relationships with:
- similar: misp-galaxy:malpedia="Sinowal" with estimative-language:likelihood-probability="likely"
Links:
Storm
The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of "zombie" computers (or "botnet") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.
The tag is: misp-galaxy:botnet="Storm"
Storm is also known as:
- Nuwar
- Peacomm
- Zhelatin
- Dorf
- Ecard
Links:
Rustock
The tag is: misp-galaxy:botnet="Rustock"
Rustock is also known as:
- RKRustok
- Costrat
Rustock has relationships with:
- similar: misp-galaxy:malpedia="Rustock" with estimative-language:likelihood-probability="likely"
Links:
Donbot
The tag is: misp-galaxy:botnet="Donbot"
Donbot is also known as:
- Buzus
- Bachsoy
Donbot has relationships with:
- similar: misp-galaxy:malpedia="Buzus" with estimative-language:likelihood-probability="likely"
Links:
Cutwail
The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows. Related to: Wigon, Pushdo.
The tag is: misp-galaxy:botnet="Cutwail"
Cutwail is also known as:
- Pandex
- Mutant
Cutwail has relationships with:
- similar: misp-galaxy:malpedia="Cutwail" with estimative-language:likelihood-probability="likely"
Links:
Akbot
Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.
The tag is: misp-galaxy:botnet="Akbot"
Akbot has relationships with:
- similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"
Links:
Srizbi
Srizbi BotNet is considered one of the world’s largest botnets, responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnet consists of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.
The tag is: misp-galaxy:botnet="Srizbi"
Srizbi is also known as:
- Cbeplay
- Exchanger
Links:
Lethic
The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.
The tag is: misp-galaxy:botnet="Lethic"
Lethic has relationships with:
- similar: misp-galaxy:malpedia="Lethic" with estimative-language:likelihood-probability="likely"
Links:
Xarvester
The tag is: misp-galaxy:botnet="Xarvester"
Xarvester is also known as:
- Rlsloup
- Pixoliz
Links:
Sality
Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.
The tag is: misp-galaxy:botnet="Sality"
Sality is also known as:
- Sector
- Kuku
- Sality
- SalLoad
- Kookoo
- SaliCode
- Kukacka
Sality has relationships with:
- similar: misp-galaxy:malpedia="Sality" with estimative-language:likelihood-probability="likely"
Links:
Mariposa
The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly (mariposa in Spanish) Bot", making it one of the largest known botnets.
The tag is: misp-galaxy:botnet="Mariposa"
Links:
Conficker
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.
The tag is: misp-galaxy:botnet="Conficker"
Conficker is also known as:
- DownUp
- DownAndUp
- DownAdUp
- Kido
Conficker has relationships with:
- similar: misp-galaxy:malpedia="Conficker" with estimative-language:likelihood-probability="likely"
Links:
Waledac
Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.
The tag is: misp-galaxy:botnet="Waledac"
Waledac is also known as:
- Waled
- Waledpak
Links:
Maazben
A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.
The tag is: misp-galaxy:botnet="Maazben"
Links:
https://www.symantec.com/connect/blogs/evaluating-botnet-capacity
Gheg
Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. This is possible thanks to the modular design of this malware – it consists of the main binary (the one the user downloads and gets infected with), which later downloads several additional modules from the C2 server – they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).
The tag is: misp-galaxy:botnet="Gheg"
Gheg is also known as:
- Tofsee
- Mondera
Gheg has relationships with:
- similar: misp-galaxy:malpedia="Tofsee" with estimative-language:likelihood-probability="likely"
Links:
Nucrypt
The tag is: misp-galaxy:botnet="Nucrypt"
Links:
https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en
Asprox
The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.
The tag is: misp-galaxy:botnet="Asprox"
Asprox is also known as:
- Badsrc
- Aseljo
- Danmec
- Hydraflux
Asprox has relationships with:
- similar: misp-galaxy:malpedia="Asprox" with estimative-language:likelihood-probability="likely"
Links:
Spamthru
Spam Thru represented an exponential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000-strong peer-to-peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it could get unlimited access to the machine’s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.
The tag is: misp-galaxy:botnet="Spamthru"
Spamthru is also known as:
- Spam-DComServ
- Covesmer
- Xmiler
Links:
http://www.root777.com/security/analysis-of-spam-thru-botnet/
Gumblar
Gumblar is a malicious JavaScript trojan horse file that redirects a user’s Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.
The tag is: misp-galaxy:botnet="Gumblar"
Links:
BredoLab
The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.
The tag is: misp-galaxy:botnet="BredoLab"
BredoLab is also known as:
- Oficla
BredoLab has relationships with:
- similar: misp-galaxy:tool="Oficla" with estimative-language:likelihood-probability="likely"
Links:
Grum
The Grum botnet, also known by its aliases Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world’s largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world’s 3rd largest botnet, responsible for 18% of worldwide spam traffic.
The tag is: misp-galaxy:botnet="Grum"
Grum is also known as:
- Tedroo
- Reddyb
Links:
Mega-D
Mega-D, also known by its alias Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.
The tag is: misp-galaxy:botnet="Mega-D"
Mega-D is also known as:
- Ozdok
Links:
Kraken
The Kraken botnet was the world’s largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.
The tag is: misp-galaxy:botnet="Kraken"
Kraken is also known as:
- Kracken
Kraken has relationships with:
- similar: misp-galaxy:botnet="Marina Botnet" with estimative-language:likelihood-probability="likely"
Links:
Festi
The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.
The tag is: misp-galaxy:botnet="Festi"
Festi is also known as:
- Spamnost
Links:
Vulcanbot
Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.
The tag is: misp-galaxy:botnet="Vulcanbot"
Links:
LowSec
The tag is: misp-galaxy:botnet="LowSec"
LowSec is also known as:
- LowSecurity
- FreeMoney
- Ring0.Tools
TDL4
Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system’s network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).
The tag is: misp-galaxy:botnet="TDL4"
TDL4 is also known as:
- TDSS
- Alureon
TDL4 has relationships with:
- similar: misp-galaxy:malpedia="Alureon" with estimative-language:likelihood-probability="likely"
Links:
Zeus
Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.
The tag is: misp-galaxy:botnet="Zeus"
Zeus is also known as:
- Zbot
- ZeuS
- PRG
- Wsnpoem
- Gorhax
- Kneber
Zeus has relationships with:
- similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:banker="Zeus" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"
Links:
Kelihos
The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.
The tag is: misp-galaxy:botnet="Kelihos"
Kelihos is also known as:
- Hlux
Kelihos has relationships with:
- similar: misp-galaxy:malpedia="Kelihos" with estimative-language:likelihood-probability="likely"
Links:
Ramnit
Ramnit is a computer worm affecting Windows users. It was estimated that it infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec in 2015. In 2015, this infection was estimated at 3 200 000 PCs.
The tag is: misp-galaxy:botnet="Ramnit"
Ramnit has relationships with:
- similar: misp-galaxy:banker="Ramnit" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"
Links:
Zer0n3t
The tag is: misp-galaxy:botnet="Zer0n3t"
Zer0n3t is also known as:
- Fib3rl0g1c
- Zer0n3t
- Zer0Log1x
Chameleon
The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).
The tag is: misp-galaxy:botnet="Chameleon"
Links:
Mirai
Mirai (Japanese for "the future", 未来) is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.
The tag is: misp-galaxy:botnet="Mirai"
Mirai has relationships with:
- similar: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Mirai (ELF)" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"
Links:
XorDDoS
XOR DDoS is a Linux trojan used to perform large-scale DDoS attacks.
The tag is: misp-galaxy:botnet="XorDDoS"
Links:
Satori
According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants. Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot. The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869. Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.
The tag is: misp-galaxy:botnet="Satori"
Satori is also known as:
- Okiru
Satori has relationships with:
- similar: misp-galaxy:tool="Satori" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Satori" with estimative-language:likelihood-probability="likely"
Links:
https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant
BetaBot
The tag is: misp-galaxy:botnet="BetaBot"
BetaBot has relationships with:
- similar: misp-galaxy:malpedia="BetaBot" with estimative-language:likelihood-probability="likely"
Hajime
Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown. It is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existence was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).
The tag is: misp-galaxy:botnet="Hajime"
Hajime has relationships with:
- similar: misp-galaxy:malpedia="Hajime" with estimative-language:likelihood-probability="likely"
Links:
https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/
Muhstik
The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS. At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware. Crooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online. The Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.
The tag is: misp-galaxy:botnet="Muhstik"
Links:
Hide and Seek
Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device. The reset operation flushed the device’s flash memory, where the device would keep all its working data, including IoT malware strains. But today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices. By placing itself in this directory, the malware ensures that the device’s OS will automatically start its process after the next reboot.
The tag is: misp-galaxy:botnet="Hide and Seek"
Hide and Seek is also known as:
- HNS
- Hide 'N Seek
Hide and Seek has relationships with:
- similar: misp-galaxy:malpedia="Hide and Seek" with estimative-language:likelihood-probability="likely"
Links:
https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/
Mettle
The command-and-control panel and the scanner of this botnet are hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.
The tag is: misp-galaxy:botnet="Mettle"
Links:
https://thehackernews.com/2018/05/botnet-malware-hacking.html
Owari
IoT botnet, a Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot (another Mirai variant) or Omni bot. The author is called WICKED.
The tag is: misp-galaxy:botnet="Owari"
Owari has relationships with:
- similar: misp-galaxy:malpedia="Owari" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"
Links:
https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html
Brain Food
Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.
The tag is: misp-galaxy:botnet="Brain Food"
Links:
Pontoeb
The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run commands such as: download a file, update itself, visit a website and perform HTTP, SYN, UDP flooding.
The tag is: misp-galaxy:botnet="Pontoeb"
Pontoeb is also known as:
- N0ise
Links:
http://dataprotectioncenter.com/general/are-you-beta-testing-malware/
Trik Spam Botnet
The tag is: misp-galaxy:botnet="Trik Spam Botnet"
Trik Spam Botnet is also known as:
- Trik Trojan
Links:
https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/
Madmax
The tag is: misp-galaxy:botnet="Madmax"
Madmax is also known as:
- Mad Max
Madmax has relationships with:
- similar: misp-galaxy:tool="Mad Max" with estimative-language:likelihood-probability="likely"
Links:
Pushdo
The tag is: misp-galaxy:botnet="Pushdo"
Pushdo has relationships with:
- similar: misp-galaxy:malpedia="Pushdo" with estimative-language:likelihood-probability="likely"
Links:
https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/
Simda
The tag is: misp-galaxy:botnet="Simda"
Simda has relationships with:
- similar: misp-galaxy:malpedia="Simda" with estimative-language:likelihood-probability="likely"
Links:
Virut
The tag is: misp-galaxy:botnet="Virut"
Virut has relationships with:
- similar: misp-galaxy:malpedia="Virut" with estimative-language:likelihood-probability="likely"
Links:
Bamital
The tag is: misp-galaxy:botnet="Bamital"
Bamital is also known as:
- Mdrop-CSK
- Agent-OCF
Gafgyt
Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).
The tag is: misp-galaxy:botnet="Gafgyt"
Gafgyt is also known as:
- Bashlite
Gafgyt has relationships with:
- similar: misp-galaxy:tool="Gafgyt" with estimative-language:likelihood-probability="likely"
- similar: misp-galaxy:malpedia="Bashlite" with estimative-language:likelihood-probability="likely"
Links:
https://www.symantec.com/security-center/writeup/2014-100222-5658-99
Sora
Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year. Initial versions were nothing out of the ordinary, and Sora’s original author soon moved on to developing the Mirai Owari version, shortly after Sora’s creation.
The tag is: misp-galaxy:botnet="Sora"
Sora is also known as:
- Mirai Sora
Sora has relationships with:
- variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
- variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"
Links:
Torii
We have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.
The tag is: misp-galaxy:botnet="Torii"
Torii has relationships with:
- similar: misp-galaxy:malpedia="Torii" with estimative-language:likelihood-probability="likely"
Links:
Persirai
A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.
The tag is: misp-galaxy:botnet="Persirai"
Persirai has relationships with:
- similar: misp-galaxy:malpedia="Persirai" with estimative-language:likelihood-probability="likely"
Links:
Chalubo
Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.
The tag is: misp-galaxy:botnet="Chalubo"
Links:
AESDDoS
Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.
The tag is: misp-galaxy:botnet="AESDDoS"
Links:
Arceus
A set of DDoS botnets.
The tag is: misp-galaxy:botnet="Arceus"
Arceus is also known as:
- Katura
- MyraV
- myra
Mozi
Mozi infects new devices through weak telnet passwords and exploitation.
The tag is: misp-galaxy:botnet="Mozi"
Links:
https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/
https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/
UPAS-Kit
UPAS-Kit was advertised by auroras a/k/a vinny in mid-June 2012 via exploit.in. Upas is the predecessor of Kronos. Marcus Hutchins helped create and, in partnership with another, sell malicious computer code, a/k/a malware, known as UPAS-Kit.
The tag is: misp-galaxy:botnet="UPAS-Kit"
UPAS-Kit is also known as:
- Rombrast
Phorpiex
Proofpoint describes Phorpiex/Trik as an SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.
The tag is: misp-galaxy:botnet="Phorpiex"
Phorpiex is also known as:
- Trik
Links:
https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex
DDG
First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).
The tag is: misp-galaxy:botnet="DDG"
DDG has relationships with:
- similar: misp-galaxy:malpedia="DDG" with estimative-language:likelihood-probability="likely"
Glupteba
A multi-component botnet targeting Windows computers. Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, and deploy and operate proxy components targeting Windows systems and IoT devices. The botnet has been observed targeting victims worldwide, including the US, India, Brazil and Southeast Asia. The Glupteba malware family is primarily distributed through pay-per-install (PPI) networks and via traffic purchased from traffic distribution systems (TDS).
The tag is: misp-galaxy:botnet="Glupteba"
Links:
https://blog.google/threat-analysis-group/disrupting-glupteba-operation/
Elknot
DDoS botnet.
The tag is: misp-galaxy:botnet="Elknot"
Elknot is also known as:
- Linux/BillGates
- BillGates
Links:
https://www.virusbulletin.com/conference/vb2016/abstracts/elknot-ddos-botnets-we-watched
Cyclops Blink
Advanced modular botnet that is reportedly linked to the Sandworm or Voodoo Bear advanced persistent threat (APT) group.
The tag is: misp-galaxy:botnet="Cyclops Blink"
Links:
https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
EnemyBot
In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.
This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.
Enemybot has been seen targeting routers from Seowon Intech and D-Link, and it exploits a recently reported iRZ router vulnerability to infect more devices.
The tag is: misp-galaxy:botnet="EnemyBot"
EnemyBot has relationships with:
-
similar: misp-galaxy:malpedia="EnemyBot" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Gafgyt" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"
-
variant-of: misp-galaxy:botnet="Qbot" with estimative-language:likelihood-probability="likely"
Qbot
Discovered in 2008 and under constant development, with gaps in operational use in the wild; the operators are occasionally tracked as GOLD LAGOON. A banking trojan that steals financial data, browser information (via hooks), keystrokes and credentials; described by Check Point as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts to evade detection by injecting into legitimate processes. Known to serve as a dropper for ProLock ransomware. Infection vectors are the common ones, with malspam the most frequent. Active in 2020 with two big campaigns: one from March to June, and a second starting in July and ongoing as part of the latest Emotet campaign. A newer version appeared in August 2020.
The tag is: misp-galaxy:botnet="Qbot"
Qbot is also known as:
-
QakBot
-
Pinkslipbot
Qbot has relationships with:
-
dropped: misp-galaxy:ransomware="ProLock" with estimative-language:likelihood-probability="likely"
-
used-by: misp-galaxy:ransomware="BlackBasta" with estimative-language:likelihood-probability="likely"
Dark.IoT
This malware is characterized by alternative DNS connections: it resolves several *.lib domains through its own custom DNS servers instead of the host's configured resolver.
The tag is: misp-galaxy:botnet="Dark.IoT"
Dark.IoT has relationships with:
-
variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
Links |
https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/ |
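The custom-resolver and *.lib behaviour described above is easy to pick out of DNS telemetry, because neither a lookup sent to an unapproved resolver nor a name under an alternative-root TLD should appear in normal traffic (.lib, .bazar, .coin and .emc are served by the Emercoin blockchain root and .bit by Namecoin, none of them by the ICANN root; that is general knowledge, not something the galaxy entry states). The script below is an added example, not code from the MISP galaxy or from the Lacework write-up: the CSV log lines are constructed, the internal resolver addresses are an assumption, and the hostnames under .lib and .bit are made up for illustration.

```python
"""Flag DNS traffic of the Dark.IoT kind: lookups sent to resolvers other than
the organisation's own, and names under alternative-root TLDs.

Added example, not from the MISP galaxy or the Lacework write-up.
Log lines are constructed; the resolver allowlist is an assumption."""
import csv
import io

# Assumed: the organisation's two internal recursive resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# TLDs that do not exist in the ICANN root (Emercoin, Namecoin, Tor).
ALT_ROOT_TLDS = {"lib", "bazar", "coin", "emc", "bit", "onion"}

# Constructed sample in a flat CSV shape; 198.51.100.53 plays the rogue resolver
# and the names under .lib/.bit are invented for illustration.
SAMPLE_DNS_LOG = """\
ts,src,dst,qname,qtype
2024-05-02T10:00:01,10.0.5.12,10.0.0.53,www.example.com,A
2024-05-02T10:00:03,10.0.5.12,10.0.0.53,login.microsoftonline.com,A
2024-05-02T10:00:09,10.0.7.40,198.51.100.53,update.z3x.lib,A
2024-05-02T10:00:10,10.0.7.40,198.51.100.53,cdn.z3x.lib,A
2024-05-02T10:00:14,10.0.7.40,198.51.100.53,api.ipify.org,A
2024-05-02T10:00:20,10.0.5.12,10.0.1.53,mail.example.com,MX
2024-05-02T10:00:31,10.0.9.3,10.0.0.53,sync.mesh.bit,A
"""


def tld(qname):
    """Rightmost label of a (possibly fully qualified) name, lower-cased."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def classify(log_text, approved=APPROVED_RESOLVERS, alt_tlds=ALT_ROOT_TLDS):
    """Return one finding per log row that trips at least one of the two rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["dst"] not in approved:
            reasons.append("unapproved-resolver")
        if tld(row["qname"]) in alt_tlds:
            reasons.append("alt-root-tld")
        if reasons:
            findings.append({"ts": row["ts"], "src": row["src"], "dst": row["dst"],
                             "qname": row["qname"], "reasons": reasons})
    return findings


def hosts_by_severity(findings):
    """Group findings per source host, most reasons first.

    A rogue resolver alone can be a misconfiguration and an alternative-root
    name alone can be a curious user; a host showing both matches the pattern."""
    summary = {}
    for f in findings:
        summary.setdefault(f["src"], set()).update(f["reasons"])
    return sorted(summary.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    for host, reasons in hosts_by_severity(classify(SAMPLE_DNS_LOG)):
        print(host, sorted(reasons))
```

Run against real telemetry, the same two rules map directly onto Zeek `dns.log` (`id.resp_h` as the resolver, `query` as the name) or a resolver's query log; the allowlist should be the resolvers your DHCP hands out, and hosts that talk DNS to anything else deserve a look regardless of what they asked for.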
KmsdBot
Akamai Security Research has observed a new Go-based malware which they named KmsdBot. The malware scans for open SSH ports and performs a simple dictionary attack against them. The researchers from Akamai observed only DDoS activity, but also discovered functionality to launch cryptomining. The malware has varied targets, including the gaming industry, the technology industry, and luxury car manufacturers.
The tag is: misp-galaxy:botnet="KmsdBot"
Links |
https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware |
HinataBot
Akamai researchers on the Security Intelligence Response Team (SIRT) have discovered a new Go-based, DDoS-focused botnet. The malware appears to have been named “Hinata” by the malware author after a character from the popular anime series, Naruto. We are calling it “HinataBot.” Looks like an attempt to rewrite Mirai in Go. The threat actors behind HinataBot originally distributed Mirai binaries.
The tag is: misp-galaxy:botnet="HinataBot"
HinataBot has relationships with:
-
similar: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
Links |
https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet |
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot |
3ve
3ve, pronounced as “Eve”, was a botnet that was halted in late 2018. 3ve utilized the malware packages Boaxxe and Kovter to infect a network of PCs. They were spread through emails and fake downloads, and once infected, the bots would generate fake clicks on online advertisements. The clicks would be used on fake websites, which hosted ads and then absorbed the ad revenue from the false impressions. Bots were able to mimic desktop and mobile traffic in order to evade detection, and went through several evolutions of tactics to grow over time. At its peak, the botnet controlled more than one million residential and corporate IP-addresses, largely within Europe and North America.
The tag is: misp-galaxy:botnet="3ve"
Links |
7777-Botnet
7777-Botnet has been observed brute forcing Microsoft Azure instances through Microsoft Azure PowerShell logins. The botnet has a unique pattern of opening port 7777 on infected devices, which returns an “xlogin:” message. The botnet has been used for low-volume attacks against targets of all industry sectors at a global scale, almost exclusively targeting C-level employee logins. Due to the very low volume of around 2–3 login requests per week, the botnet is able to evade most security solutions.
The tag is: misp-galaxy:botnet="7777-Botnet"
Links |
https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd |
Amadey
Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called tasks) for all or specifically targeted computers compromised by the malware.
The tag is: misp-galaxy:botnet="Amadey"
Links |
AndroidBauts
AndroidBauts botnet is a network of infected Android devices that are used for promoting advertisements to users online. At one point, the number of infected devices was more than 550,000. The creators of the AndroidBauts botnet are able to gather data regarding the compromised devices - both software and hardware.
The tag is: misp-galaxy:botnet="AndroidBauts"
Links |
Andromeda
The Andromeda botnet, also known as Gamarue or Wauchos, was first publicly reported in 2011. During its lifetime it was used to distribute large quantities of malware. According to Microsoft the Andromeda botnet was used to spread more than 80 malware families including ransomware, worms, and more. Andromeda is modular malware, meaning additional components can be purchased to provide extra functionality.
The tag is: misp-galaxy:botnet="Andromeda"
Andromeda is also known as:
-
Gamarue
-
Wauchos
Links |
https://blogs.blackberry.com/en/2020/05/threat-spotlight-andromeda |
ArrkiiSDK
ArrkiiSDK is a potentially unwanted application (PUA) for Android devices. Its functions include unauthorised user tracking, ad fraud and the silent installation of additional applications without the user’s permission. ArrkiiSDK relies on the user actively installing an infected application, which is normally hidden within another software package that appears completely harmless.
The tag is: misp-galaxy:botnet="ArrkiiSDK"
Links |
Avalanche
Avalanche refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers. In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise. Avalanche used fast-flux DNS, a technique to hide the criminal servers behind a constantly changing network of compromised systems acting as proxies.
The tag is: misp-galaxy:botnet="Avalanche"
Links |
https://www.cisa.gov/news-events/alerts/2016/12/01/avalanche-crimeware-service-infrastructure |
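Fast-flux DNS, which Avalanche used to hide its servers, leaves a measurable signature: one name answering with short TTLs and a large, rotating set of A records spread across unrelated networks. The detector below is an added example, not part of the MISP galaxy or of any Avalanche takedown tooling; the lookup results are constructed from documentation address ranges, and the thresholds and the use of a /16 prefix as a stand-in for ASN membership are assumptions. The CDN entry is there on purpose: a short TTL alone is not evidence, since content delivery networks use short TTLs too, so the rule also demands many distinct addresses across several networks.

```python
"""Heuristic fast-flux detector over constructed DNS answer sets.

Added example, not part of the MISP galaxy or any Avalanche analysis.
The sample records are constructed; thresholds and the /16 heuristic are assumptions."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed observations: (fqdn, ttl_seconds, [A records]) from successive
# lookups of the same name. The first name rotates through nine addresses in
# three unrelated /16s with a 300 s TTL; the CDN name has a short TTL but
# stays inside one /16; the static name never changes.
OBSERVATIONS = [
    ("update.example-bank.test", 300, ["203.0.113.10", "198.51.100.22", "192.0.2.77"]),
    ("update.example-bank.test", 300, ["203.0.113.45", "198.51.100.9", "192.0.2.140"]),
    ("update.example-bank.test", 300, ["203.0.113.200", "198.51.100.77", "192.0.2.12"]),
    ("www.static-site.test", 86400, ["203.0.113.5"]),
    ("www.static-site.test", 86400, ["203.0.113.5"]),
    ("cdn.legit.test", 60, ["198.51.100.1", "198.51.100.2"]),
    ("cdn.legit.test", 60, ["198.51.100.3", "198.51.100.4"]),
]


def prefix16(ip):
    """/16 prefix as a crude stand-in for 'different network'; real ASN data
    (assumed unavailable offline here) would be the better key."""
    octets = ip_address(ip).packed
    return f"{octets[0]}.{octets[1]}"


def flux_score(observations, ttl_max=600, min_ips=8, min_prefixes=3):
    """Per name: distinct A records, distinct /16s, lowest TTL, and a verdict.

    fast_flux is True only when all three hold: TTL at or below ttl_max,
    at least min_ips distinct addresses, and those spread over at least
    min_prefixes networks."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for fqdn, ttl, answers in observations:
        ips[fqdn].update(answers)
        ttls[fqdn].append(ttl)
    result = {}
    for fqdn, distinct in ips.items():
        prefixes = {prefix16(ip) for ip in distinct}
        min_ttl = min(ttls[fqdn])
        result[fqdn] = {
            "distinct_ips": len(distinct),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min_ttl,
            "fast_flux": (min_ttl <= ttl_max
                          and len(distinct) >= min_ips
                          and len(prefixes) >= min_prefixes),
        }
    return result


if __name__ == "__main__":
    for name, verdict in flux_score(OBSERVATIONS).items():
        print(name, verdict)
```

In practice the observations come from passive DNS or from repeated resolver queries over hours; the thresholds need tuning per environment, and double-flux (the NS records rotating as well as the A records) is caught by applying the same scoring to the NS answer set.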
Bayrob
Bayrob evolved from a backdoor trojan used for fraud into a cryptocurrency miner. Symantec discovered multiple versions of the Bayrob malware and witnessed Bayrob as it morphed from online fraud into a 300,000+ node botnet for cryptocurrency mining.
The tag is: misp-galaxy:botnet="Bayrob"
Links |
Bedep
Bedep has been mostly observed in ad-fraud campaigns, although it can also generally load modules for different tasks. It was dropped by the Angler Exploit Kit.
The tag is: misp-galaxy:botnet="Bedep"
Links |
Bolek
Bolek is malware from the Kbot/Carberp family. It is subject to frequent updates and has malicious capabilities which include self-spreading through USB and network shares, Tor network access, screen captures and web injects; it uses asymmetric cryptography to secure its network communications.
The tag is: misp-galaxy:botnet="Bolek"
Bolek has relationships with:
-
similar: misp-galaxy:botnet="KBOT" with estimative-language:likelihood-probability="likely"
Links |
https://www.bitsight.com/blog/bolek-an-evolving-botnet-targets-poland-and-ukraine |
Carna
The Carna botnet was a botnet of 420,000 devices created by an anonymous hacker to measure the extent of the Internet. The data was collected by infiltrating Internet devices, especially routers, that used a default password or no password at all.
The tag is: misp-galaxy:botnet="Carna"
Links |
Code Shikara
Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering and is capable of spying on users' browsing activities while stealing their personal online/offline information and/or credentials.
The tag is: misp-galaxy:botnet="Code Shikara"
Links |
Condi
A DDoS-as-a-service botnet calling itself Condi. This malware employs several techniques to keep itself running on an infected system. At the same time, it also prevents infections from other botnets by attempting to terminate their processes. As is typical of Mirai-based botnets, this malware cannot survive a system reboot.
The tag is: misp-galaxy:botnet="Condi"
Links |
https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389 |
Cooee
Cooee is a trojan pre-installed on some Philips smartphones that displays annoying advertisements and downloads and installs other software without the user’s knowledge.
The tag is: misp-galaxy:botnet="Cooee"
Links |
Coreflood
Coreflood is a trojan horse and botnet created by a group of Russian hackers and released in 2010. The FBI included on its list of infected systems approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospital or health care companies; and hundreds of businesses. It is present on more than 2.3 million computers worldwide and as of May 2011 remains a threat.
The tag is: misp-galaxy:botnet="Coreflood"
Links |
Crackonosh
In 2021 Crackonosh was found on 222,000 compromised computers that had been used to download illegal, torrented versions of popular video games. Crackonosh operated successfully for years because it had built-in mechanisms to disable security software and updates, which made it difficult for users to detect and remove the program. The malware is thought to have originated in the Czech Republic, but it had a global reach.
The tag is: misp-galaxy:botnet="Crackonosh"
Links |
https://finance.yahoo.com/news/monero-mining-malware-crackonosh-infected-192448133.html |
FluBot
FluBot is a remote control and info stealer malware. It has the ability to read and send SMS messages, delete apps, and execute arbitrary commands. It is often distributed through SMS messages. PRODAFT describes FluBot as banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for its C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite the arrests of multiple people suspected of involvement with this malware in March 2021, the campaign has only intensified since.
The tag is: misp-galaxy:botnet="FluBot"
FluBot is also known as:
-
Cabassous
-
FakeChat
Links |
FritzFrog
FritzFrog is a decentralized botnet that uses P2P protocols to distribute control over all of its nodes, thereby avoiding having one controller or single point of failure.
The tag is: misp-galaxy:botnet="FritzFrog"
Links |
Gootkit
Gootkit is a trojan that steals confidential information and allows criminals to take control of infected systems remotely. Gootkit can also be used to install additional malware, such as Emotet. This botnet is a type of malware bot that may perform many malicious tasks, such as downloading and executing additional malware, receiving commands from a control server and relaying specific information and telemetry back to the control server, updating or deleting itself, stealing login and password information, logging keystrokes, participating in a distributed denial of service (DDoS) attack, or locking and encrypting the contents of the victim’s computer and demanding payment for their safe return.
The tag is: misp-galaxy:botnet="Gootkit"
Links |
Great Cannon
The Great Cannon of China is an Internet attack tool that is used by the Chinese government to launch distributed denial-of-service attacks on websites by performing a man-in-the-middle attack on large amounts of web traffic and injecting code which causes the end users’ web browsers to flood traffic to targeted websites. According to the researchers at the Citizen Lab, the International Computer Science Institute, and Princeton University’s Center for Information Technology Policy, who coined the term, the Great Cannon hijacks foreign web traffic intended for Chinese websites and re-purposes it to flood targeted web servers with enormous amounts of traffic in an attempt to disrupt their operations.
The tag is: misp-galaxy:botnet="Great Cannon"
Links |
Hail Mary Cloud
The Hail Mary Cloud was, or is, a password guessing botnet which used a statistical equivalent of brute force password guessing. The botnet ran from possibly as early as 2005, and certainly from 2007 until 2012 and possibly later. The botnet was named and documented by Peter N. M. Hansteen. The principle is that a botnet can try several thousand of the more likely passwords against thousands of hosts, rather than millions of passwords against one host. Since the attacks were widely distributed, the frequency on a given server was low and was unlikely to trigger alarms. Moreover, the attempts come from different members of the botnet, which decreases the effectiveness of both IP-based detection and blocking.
The tag is: misp-galaxy:botnet="Hail Mary Cloud"
Links |
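Both the 7777-Botnet (two or three Azure login attempts a week, aimed at C-level accounts) and the Hail Mary Cloud (a few guesses per host from thousands of bots) defeat the usual per-source, per-hour threshold. The detector below is an added example, not code from the MISP galaxy or from Hansteen's analysis: it runs a fail2ban-style per-source rule and a per-target-account rule over the same week of constructed sshd log lines and shows that only the second rule catches the distributed guessing. The log lines, the host name, the source addresses (documentation ranges) and the thresholds are all assumptions.

```python
"""Distributed low-rate password guessing: per-source rule vs. per-target rule.

Added example, not from the MISP galaxy or from Hansteen's Hail Mary Cloud
write-ups. Log lines are constructed in syslog/sshd style; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed week of failures: ten distinct sources each guess 'root' once
# (the Hail Mary pattern), while 192.0.2.99 hammers 'admin' six times in two
# minutes (the classic single-source burst).
SAMPLE_LOG = """\
2024-03-01T02:11:05 bastion sshd[1201]: Failed password for root from 203.0.113.11 port 50122 ssh2
2024-03-01T19:40:52 bastion sshd[1340]: Failed password for root from 198.51.100.8 port 40211 ssh2
2024-03-02T04:02:17 bastion sshd[1502]: Failed password for root from 192.0.2.45 port 33871 ssh2
2024-03-02T23:15:09 bastion sshd[1611]: Failed password for root from 203.0.113.77 port 51900 ssh2
2024-03-03T11:58:41 bastion sshd[1733]: Failed password for root from 198.51.100.150 port 44010 ssh2
2024-03-04T06:27:30 bastion sshd[1820]: Failed password for root from 192.0.2.201 port 38222 ssh2
2024-03-04T13:00:02 bastion sshd[1901]: Failed password for admin from 192.0.2.99 port 42001 ssh2
2024-03-04T13:00:19 bastion sshd[1902]: Failed password for admin from 192.0.2.99 port 42002 ssh2
2024-03-04T13:00:37 bastion sshd[1903]: Failed password for admin from 192.0.2.99 port 42003 ssh2
2024-03-04T13:00:55 bastion sshd[1904]: Failed password for admin from 192.0.2.99 port 42004 ssh2
2024-03-04T13:01:14 bastion sshd[1905]: Failed password for admin from 192.0.2.99 port 42005 ssh2
2024-03-04T13:01:33 bastion sshd[1906]: Failed password for admin from 192.0.2.99 port 42006 ssh2
2024-03-05T08:44:12 bastion sshd[2010]: Failed password for root from 203.0.113.130 port 47761 ssh2
2024-03-05T21:09:58 bastion sshd[2144]: Failed password for root from 198.51.100.23 port 39880 ssh2
2024-03-06T15:36:04 bastion sshd[2260]: Failed password for root from 192.0.2.18 port 52314 ssh2
2024-03-07T01:50:47 bastion sshd[2377]: Failed password for root from 203.0.113.250 port 41005 ssh2
2024-03-07T10:22:39 bastion sshd[2450]: Failed password for invalid user oracle from 198.51.100.8 port 36690 ssh2
"""


def parse(log_text):
    """(timestamp, target user, source ip) for every failed-password line, time-ordered."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return sorted(events)


def per_source_bursts(events, threshold=5, window=timedelta(hours=1)):
    """fail2ban-style rule: one source with >= threshold failures inside `window`."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_campaigns(events, window=timedelta(days=7), min_sources=8, max_per_source=2):
    """Per-target rule: many distinct sources within `window`, each contributing
    at most max_per_source failures. Reports the widest such window per account."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    campaigns = {}
    for user, evs in by_user.items():
        start = 0
        counts = defaultdict(int)
        best = None
        for end, (ts, ip) in enumerate(evs):
            counts[ip] += 1
            while ts - evs[start][0] > window:          # slide the window forward
                old_ip = evs[start][1]
                counts[old_ip] -= 1
                if counts[old_ip] == 0:
                    del counts[old_ip]
                start += 1
            if len(counts) >= min_sources and max(counts.values()) <= max_per_source:
                if best is None or len(counts) > best["sources"]:
                    best = {"sources": len(counts), "attempts": end - start + 1,
                            "first": evs[start][0], "last": ts}
        if best:
            campaigns[user] = best
    return campaigns


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-source bursts:", per_source_bursts(evs))
    print("distributed campaigns:", distributed_campaigns(evs))
```

The per-source rule sees only 192.0.2.99; the ten sources guessing `root` never exceed one failure each, so nothing per-IP will ever fire on them. Keyed by target account over a long window, the same log shows ten sources in six days, which is the shape both botnets produce. For the 7777 case the same logic applies to Azure sign-in logs with the user principal as the key and a window of weeks rather than days, since the rate there is lower still.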
Joker
Joker is a trojan that has been bundled into several seemingly innocuous apps offered via the Google Play Store, among other channels. The malware silently interacts with ad networks to perform clicks on ad banners and to subscribe the victim to paid premium services. To do this, Joker is able to read SMS messages, contact lists and device information from the victim system. It collects data from infected systems, intercepts sensitive communications and transmits the information to a remote attacker.
The tag is: misp-galaxy:botnet="Joker"
Links |
KBOT
KBOT penetrates users’ computers via the Internet or a local network, or from infected external media. After the infected file is launched, the malware gains a foothold in the system, writing itself to Startup and the Task Scheduler, and then deploys web injects to try to steal the victim’s bank and personal data. For the same purpose, KBOT can download additional stealer modules that harvest and send to the C&C server almost full information about the user: passwords/logins, cryptowallet data, lists of files and installed applications, and so on.
The tag is: misp-galaxy:botnet="KBOT"
Links |
https://cofense.com/blog/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-campaigns/ |
Linux.Darlloz
Linux.Darlloz is a worm which infects Linux embedded systems. Linux.Darlloz was first discovered by Symantec in 2013. Linux.Darlloz targets the Internet of Things and infects routers, security cameras and set-top boxes by exploiting a PHP vulnerability. The worm was based on proof-of-concept code that was released in October 2013. Linux.Darlloz exploits CVE-2012-1823 in order to compromise systems. In March 2014 Linux.Darlloz was found to have started mining cryptocurrencies such as Mincoin and Dogecoin. Linux.Darlloz also attempts to usurp Linux.Aidra, a competing malware family; like some of the variants of Darlloz, Linux.Aidra targets smaller devices, specifically cable and DSL modems. The worm adds them to a botnet, which can be utilized by the attackers to perform DDoS attacks.
The tag is: misp-galaxy:botnet="Linux.Darlloz"
Links |
https://www.wired.com/2014/01/spime-watch-linux-darlloz-internet-things-worm/ |
Marcher
Marcher is a banking trojan for Android devices. Researchers at Dutch security firm Securify have conducted a detailed analysis of the Android banking Trojan known as Marcher and discovered that a single botnet has managed to steal a significant number of payment cards. Securify has identified nine Marcher botnets over the last 6 months, and each of them has been provided with new modules and targeted web injects by the Trojan’s creators.
The tag is: misp-galaxy:botnet="Marcher"
Links |
https://www.securityweek.com/thousands-android-devices-infected-marcher-trojan/ |
Matsnu
Matsnu is a malware downloader. The malware downloaded may include the banking trojans Citadel and URLZone/Bebloh. Matsnu can also be expanded with additional functions using plug-ins. One of these plug-ins is designed to capture access data for e-mail accounts and FTP programs and pass this information to the operator of the malware.
The tag is: misp-galaxy:botnet="Matsnu"
Links |
https://threatpost.com/matsnu-botnet-dga-discovers-power-of-words/109426/ |
Methbot
Methbot was an advertising fraud scheme. Methbot was first tracked in 2015 by cybersecurity firm White Ops, and the botnet saw rapidly increased activity in 2016. The botnet originated in Russia (though it was not state sponsored), and utilized foreign computers and networks in Europe and North America. The infrastructure consisted of 571,904 dedicated IPs, 6,000 domains, and 250,267 distinct URLs, each of which could only house a video ad, and used variants of the names of famous publishers to fool those looking into the domains. This let the operators game the system, leading ad selection algorithms to select these fake web pages over larger corporate pages from legitimate companies, and charge advertisers at a premium. About 570,000 bots were used to execute clicks on those websites, “watching” up to 300 million video ads a day while mimicking normal computer user behavior. Estimated clicks generally reached between 200 and 300 million per day. The botnet ran on dedicated data-center servers rather than on the infected PCs and mobile devices that more traditional botnets rely on.
The tag is: misp-galaxy:botnet="Methbot"
Links |
Metulji
The Metulji botnet, discovered in June 2011, is a botnet mainly involved in cyberscamming and denial of service attacks. Before the botnet itself was dismantled, it consisted of over 12 million individual zombie computers infected with the Butterfly Bot, making it, as of June 2011, the largest known botnet. It is not known what type of computers are vulnerable, or how to tell if a computer is a part of this botnet.
The tag is: misp-galaxy:botnet="Metulji"
Links |
Mevade
The Mevade botnet, also known as Sefnit or SBC, is a massive botnet. Its operators are unknown and its motives seem to be multi-purpose. In late 2013 the Tor anonymity network saw a very sudden and significant increase in users, from 800,000 daily to more than 5,000,000. A botnet was suspected and fingers pointed at Mevade. Trend Micro reported that its Smart Protection Network saw a Tor module being distributed to Mevade trojans.
The tag is: misp-galaxy:botnet="Mevade"
Mevade is also known as:
-
Sefnit
-
SBC
Links |
MobiDash
MobiDash is a piece of adware for Android devices. The user is shown advertisements without their consent. Mobidash can also make calls in the background.
The tag is: misp-galaxy:botnet="MobiDash"
Links |
Mutabaha
Mutabaha is a trojan for Windows devices. It downloads and installs Outfire, a Chromium-based browser which poses as a version of the Google Chrome browser. Mutabaha is able to exfiltrate data and manipulate advertisements. Mutabaha is itself downloaded and installed by another piece of malware; as a rule, this dropper is removed after the malware has been installed, making it almost impossible to trace the infection.
The tag is: misp-galaxy:botnet="Mutabaha"
Links |
MyDoom
MyDoom is a malicious program that opens a backdoor to the infected device. Through this backdoor the attacker can gain access to the system and carry out further actions. The attack possibilities are diverse and range from information theft to the reloading of additional malware. MyDoom adds infected computers to a botnet and then carries out distributed denial of service (DDoS) attacks. When the worm takes control over the victim’s OS, it then opens various ports and provides a backdoor to invite even more malware in.
The tag is: misp-galaxy:botnet="MyDoom"
Links |
Necurs
The Necurs botnet is a distributor of many pieces of malware, most notably Locky. Around June 1, 2016, the botnet went offline, perhaps due to a glitch in the command and control server running Necurs. However, three weeks later, Jon French from AppRiver discovered a spike in spam emails, signifying either a temporary spike in the botnet’s activity or return to its normal pre-June 1 state. In a 2020 report, it was noted to have particularly targeted India, Southeast Asia, Turkey and Mexico.
The tag is: misp-galaxy:botnet="Necurs"
Links |
Nitol
The Nitol botnet is mostly involved in spreading malware and distributed denial-of-service attacks. The Nitol botnet was first discovered around December 2012, with analysis indicating that the botnet is mostly prevalent in China, where an estimated 85% of the infections are detected. In China the botnet was found to be present on systems that came brand-new from the factory, indicating the trojan was installed somewhere during the assembly and manufacturing process. According to Microsoft the systems at risk also contained a counterfeit installation of Microsoft Windows. On 10 September 2012 Microsoft took action against the Nitol botnet by obtaining a court order and subsequently sinkholing the 3322.org domain. 3322.org is a dynamic DNS provider which was used by the botnet creators as command and control infrastructure for controlling their botnet. Microsoft later settled with the 3322.org operator Pen Yong, which allowed the latter to continue operating the domain on the condition that any subdomains linked to malware remain sinkholed.
The tag is: misp-galaxy:botnet="Nitol"
Links |
Nymaim
Nymaim was discovered in 2013. At that time it was only a dropper used to distribute TorrentLocker. In February 2016 it became popular again after incorporating leaked ISFB code; the combination was dubbed GozNym. Once the dropper obtains the C&C address, it starts the real communication and downloads, among other things, two important binaries: the payload, a banker module responsible for web injects (a passive member of the botnet), and an optional bot module that tries to open ports on the router in order to become an active part of the botnet (when it fails to do so, it removes itself from the system).
The tag is: misp-galaxy:botnet="Nymaim"
Links |
PBot
PBot is a P2P botnet derived from the Mirai source code. PBot performs MITB (man-in-the-browser) attacks and injects various scripts into legitimate websites. Its capabilities may go beyond simple injections of ads, depending on the intentions of its distributors.
The tag is: misp-galaxy:botnet="PBot"
PBot is also known as:
-
PythonBot
Links |
https://www.malwarebytes.com/blog/news/2018/04/pbot-python-based-adware |
Pirrit
Pirrit is a potentially unwanted application (PUA) for Windows and macOS devices. It displays additional pop-ups and advertisements when the device is used. Pirrit downloads other malicious programs from a server and runs them; it can also manipulate system files.
The tag is: misp-galaxy:botnet="Pirrit"
Links |
Pitou
Pitou is a trojan for Windows devices. Its functions are to steal passwords and collect various pieces of information about the mobile phone, such as its location and contacts.
The tag is: misp-galaxy:botnet="Pitou"
Links |
Prometei
Prometei is a cryptocurrency-mining botnet. Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary’s part. Prometei is just one of these types of networks that focuses on Monero mining.
The tag is: misp-galaxy:botnet="Prometei"
Links |
https://blog.talosintelligence.com/prometei-botnet-and-its-quest-for-monero/ |
PrizeRAT
PrizeRAT is a trojan for Android devices. Its functions include unauthorised user tracking, stealing passwords and the silent installation of additional applications without the user’s permission. As the malware is part of the firmware of the device, it is not generally recognised by anti-virus solutions for Android. The risk affects a limited group of mobile end devices made by Chinese manufacturers for the low-price segment.
The tag is: misp-galaxy:botnet="PrizeRAT"
Links |
Pushlran
Pushlran is a potentially unwanted application (PUA) for Android devices. It displays additional pop-ups and advertisements when the device is used. The app collects data from infected systems, intercepts sensitive communication and passes this information to a remote attacker.
The tag is: misp-galaxy:botnet="Pushlran"
Links |
Pykspa
Pykspa is a piece of malware that can be used to remotely control infected systems. It also enables attackers to download other malware or extract personal data. There are a number of versions of this malware and it has been developed over a long period of time. Some of the most recent versions of Pykspa are able to deactivate security systems such as anti-virus programs.
The tag is: misp-galaxy:botnet="Pykspa"
Links |
Qsnatch
Qsnatch is a trojan for Linux devices that primarily attacks network-attached storage (NAS) devices manufactured by QNAP. Its functions include stealing access data and opening backdoors on infected devices. Through this backdoor, the attacker can gain access to the system and perform other actions. The malware is capable of a wide range of attack types, from information theft to downloading other malware.
The tag is: misp-galaxy:botnet="Qsnatch"
Links |
Remaiten
Remaiten is malware which infects Linux on embedded systems by brute forcing frequently used default username and password combinations from a list. Remaiten combines the features of the Tsunami and LizardStresser (aka Torlus) malware families. Command and control for Remaiten is handled over IRC, and through an actual IRC channel rather than only the IRC protocol; this is an improvement over bots such as Tsunami and Torlus and makes Remaiten a greater threat than both combined. To avoid detection, Remaiten tries to determine the platform of a device in order to download the architecture-appropriate component from the command and control server. Once Remaiten infects a device it is able to perform actions such as launching distributed denial of service attacks or downloading more malware onto the device. Remaiten is also able to scan for and remove competing bots on a system it has compromised.
The tag is: misp-galaxy:botnet="Remaiten"
Links |