Malware

ARS

References:

RAT Gone Rogue: Meet ARS VBS Loader - 2018-04-16 - Flashpoint - Paul Burbage - Mike Mimoso ARS

ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545) - 2018-10-05 - Blueliv - Blueliv Labs team - Jose Miguel Esparza ARS OnlinerBot

Read More ›

AZORult

References:

New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign - 2018-07-30 - Proofpoint - Proofpoint Staff AZORult

Read More ›

AdvisorsBot

References:

New modular downloaders fingerprint systems - Part 2: AdvisorsBot - 2018-08-23 - Proofpoint - Proofpoint Staff AdvisorsBot PoshAdvisor Marap TA555

Read More ›

TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States - 2019-07-02 - Proofpoint - Matthew Mesa - Dennis Schwarz - Proofpoint Staff AndroMut FlawedAmmyy TA505

Read More ›

BackSwap

References:

BackSwap malware finds innovative ways to empty bank accounts - 2018-05-25 - Eset - Michal Poslušný BackSwap

Backswap malware analysis - 2018-06-19 - CertPL - Hubert Barc BackSwap

The Evolution of BackSwap - 2018-11-30 - Checkpoint - Itay Cohen BackSwap

Read More ›

Bateleur

Read More ›

BitPaymer

- FriedEx

References:

Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware - 2018-11-14 - CrowdStrike - Sergei Frankoff - Bex Hartley INDRIK SPIDER BitPaymer Dridex

Head Fake: Tackling Disruptive Ransomware Attacks - 2019-10-01 - FireEye - Bryce Abdo - Brandan Schondorfer - Kareem Hamdan - Kimberly Goody - Noah Klapprodt - Matt Bromiley BitPaymer SocGholish Dridex Chthonic AZORult

Read More ›

Bolek

- KBOT

References:

Newest addition to a happy family: KBOT - 2016-05-17 - CertPL - Maciej Kotowicz Bolek

Read More ›

BrushaLoader

References:

Combing Through Brushaloader Amid Massive Detection Uptick - 2019-02-20 - Talos - Nick Biasini - Edmund Brumaghin - Edmund Brumaghin - Matthew Molyett BrushaLoader Danabot

BrushaLoader still sweeping up victims one year later - 2019-07-22 - Proofpoint - Kafeine - Proofpoint Staff BrushaLoader Danabot Gootkit TA544

Read More ›

Buer

References:

Buer, a new loader emerges in the underground marketplace - 2019-12-04 - Proofpoint - Kelsey Merriman - Dennis Schwarz - Kafeine - Axel F - Proofpoint Staff Buer Ostap Trickbot Fallout

Read More ›

Buhtrap

- Ratopak

References:

Operation Buhtrap, the trap for Russian accountants - 2015-04-09 - Eset - Jean-Ian Boutin Buhtrap CVE-2012-0158

Read More ›

Buran

- Ghost

Read More ›

Cerber

References:

Cerber ransomware: new, but mature - 2016-03-11 - Malwarebytes - hasherezade Cerber

Read More ›

Chthonic

- Andromedins - AndroKINS

References:

Chthonic: a new modification of ZeuS - 2014-12-18 - Securelist - Yury Namestnikov - Vladimir Kuskov - Oleg Kupreev Chthonic

Read More ›

Clop

References:

Clop Ransomware - 2019-09-01 - McAfee - Alexandre Mundo - Marc Rivero Lopez Clop

PDF: ASEC REPORT vol.96 Q3 2019 - 2019-10-11 - Ahnlab - ASEC Researchers Clop SDBbot FlawedAmmyy TA505

Read More ›

Cobalt Strike

- Beacon

Read More ›

CryptXXX

References:

CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler - 2016-04-18 - Proofpoint - Kafeine CryptXXX Angler Dridex

Read More ›

Danabot

References:

DanaBot - A new banking Trojan surfaces Down Under - 2018-05-31 - Proofpoint - Proofpoint Staff Danabot TA547 CryptXXX

DanaBot control panel revealed - 2019-03-13 - Proofpoint - Dennis Schwarz - Proofpoint Staff Danabot

DanaBot Demands a Ransom Payment - 2019-06-20 - Checkpoint - Yaroslav Harakhavik - Aliaksandr Chailytko Danabot NonRansomware

Read More ›

DoppelPaymer

References:

BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0 - 2019-07-12 - CrowdStrike - Brett Stone-Gross - Sergei Frankoff - Bex Hartley DoppelPaymer BitPaymer Dridex INDRIK SPIDER

Read More ›

Dridex

References:

Talking to Dridex (part 0) – inside the dropper - 2015-11-10 - CertPL - Maciej Kotowicz Dridex

Dridex: A History of Evolution - 2017-05-25 - Securelist - Nikita Slepogin Dridex Shifu

Russian National Charged with Decade-Long Series of Hacking and Bank Fraud Offenses Resulting in Tens of Millions in Losses and Second Russian National Charged with Involvement in Deployment of “Bugat” Malware - 2019-12-05 - Department of Justice - DoJ Dridex

Read More ›

Emotet

- Heodo

References:

Emutet - 2019-10-21 - d00rt - d00rt Emotet Trickbot

Read More ›

FlawedAmmyy

References:

Leaked Ammyy Admin Source Code Turned into Malware - 2018-03-07 - Proofpoint - Proofpoint Staff FlawedAmmyy TA505 Quant

An in-depth malware analysis of QuantLoader - 2018-03-28 - Malwarebytes - Vishal Thakur Quant TA505 FlawedAmmyy

Read More ›

FlawedGrace

References:

ServHelper and FlawedGrace - New malware introduced by TA505 - 2019-01-09 - Proofpoint - Dennis Schwarz - Proofpoint Staff ServHelper FlawedGrace TA505

Read More ›

Fleercivet

References:

EITest Nabbing Chrome Users with a “Chrome Font” Social Engineering Scheme - 2017-01-17 - Proofpoint - Kafeine EITest Fleercivet

Read More ›

FrameworkPoS

- Grateful POS

Read More ›

GandCrab

References:

Sodinokibi ransomware exploits WebLogic Server vulnerability - 2019-04-30 - Talos - Pierre Cadieux - Colin Grady - Jaeson Schultz - Matt Valites Sodinokibi GandCrab

Good riddance, GandCrab! We’re still fixing the mess you left behind. - 2019-06-17 - Bitdefender - Bogdan Botezatu GandCrab

Read More ›

Get2

References:

TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader - 2019-10-16 - Proofpoint - Dennis Schwarz - Kafeine - Matthew Mesa - Axel F - Proofpoint Staff Get2 TA505 SDBbot FlawedGrace FlawedAmmyy Snatch ServHelper

Read More ›

Gootkit

Read More ›

Gozi ISFB

References:

ISFB - Still live and Kicking - 2016-12-01 - Lokalhost - Maciej Kotowicz Gozi ISFB

Read More ›

Gozi v2

References:

Analyzing ISFB – The Second Loader - 2019-05-25 - 0ffset - 0verfl0w Gozi v2 TA551

Read More ›

Gozi v3

Read More ›

Hancitor

- Chanitor

Read More ›

Hawkeye

References:

Hawkeye Keylogger – Reborn v8: An in-depth campaign analysis - 2018-07-11 - Microsoft - Office 365 Threat Research Hawkeye

Read More ›

Hermes

References:

Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware - 2019-01-10 - CrowdStrike - Alexander Hanel Ryuk Hermes GRIM SPIDER Trickbot WIZARD SPIDER

Read More ›

Hidden Mellifera

- 隱蜂 - Hidden Bee

References:

New Underminer Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware with Encrypted TCP Tunnel - 2018-07-26 - Trend Micro - Jaromir Horejsi - Joseph C. Chen Underminer Hidden Mellifera

The Hidden Bee infection chain, part 1: the stegano pack - 2019-08-15 - Malwarebytes - hasherezade Hidden Mellifera Underminer

Read More ›

IcedID

- BokBot

References:

Bokbot: The (re)birth of a banker - 2018-09-09 - Fox-IT - Alfred Klason IcedID Vawtrak TinyLoader Hancitor

Read More ›

KPOT

References:

New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials - 2019-05-09 - Proofpoint - Dennis Schwarz - Proofpoint Staff KPOT Fallout RIG

Read More ›

Kelihos

References:

Inside the Takedown of ZOMBIE SPIDER and the Kelihos Botnet - 2017-04-13 - CrowdStrike - Falcon Intelligence Team Kelihos Severa

Farewell to Kelihos and ZOMBIE SPIDER - 2018-12-05 - CrowdStrike - Brett Stone-Gross - Tillman Werner - Bex Hartley Severa Kelihos

Read More ›

Koler

Read More ›

Kovter

References:

Ransomware - Kovter : looking at your browsing history for more credibility - 2013-03-29 - MDNC - Kafeine Kovter

Kovter 2016 – Anti Analysis tricks - 2017-05-11 - Riscy Business - RISCyBusiness Kovter

Threat Actor Profile: KovCoreG, The Kovter Saga - 2017-11-01 - Proofpoint - Kafeine Kovter KovCoreG Angler Sweet Orange Nuclear Sakura BlackHole Neutrino Fiesta Styx EITest

Kovter Uncovered - 2018-08-03 - Github - eWhite Hats Kovter

Read More ›

LockerGoga

Read More ›

Locky

References:

Dridex Actors Get In the Ransomware Game With "Locky" - 2016-02-16 - Proofpoint - Proofpoint Staff Locky Neutrino TA505

Read More ›

Lurk

References:

Lurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - Alexey Shulmin - Mikhail Prokhorenko Lurk Angler

Read More ›

Madness

References:

Meet Madness Pro or Few days rise of a Ddos Botnet - 2013-10-14 - MDNC - Kafeine Madness Cool

Read More ›

Marap

References:

New modular downloaders fingerprint systems, prepare for more - Part 1: Marap - 2018-08-16 - Proofpoint - Proofpoint Staff Marap TA555

Read More ›

Maze

Read More ›

Mole

Read More ›

More_Eggs

- Terra Loader

Read More ›

Necurs

- Crap2p

References:

Necurs – hybrid spam botnet - 2016-09-02 - CertPL - Adam Krasuski Necurs

Read More ›

Netwire

References:

New Release: Decrypting NetWire C2 Traffic - 2014-08-04 - PaloAlto - Phil Da Silva - Rob Downs - Ryan Olson Netwire

Read More ›

Ngioweb

- grobios

References:

Ramnit’s Network of Proxy Servers - 2018-08-05 - Checkpoint Ramnit Ngioweb

An Analysis of Linux.Ngioweb Botnet - 2019-06-21 - Netlab - Alex Turing - Yegenshen Ngioweb

Read More ›

Nodster

References:

New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign - 2019-10-01 - Trend Micro - Jaromir Horejsi - Joseph C. Chen Novter Nodster KovCoreG Kovter

Read More ›

NonRansomware

- Blitzkrieg

Read More ›

Novter

- Divergent - Nodersok

References:

Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware - 2019-09-26 - Microsoft - Microsoft Defender ATP Research Team Novter KovCoreG

Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host - 2019-09-26 - Talos - Edmund Brumaghin - Edmund Brumaghin Novter KovCoreG

New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign - 2019-10-01 - Trend Micro - Jaromir Horejsi - Joseph C. Chen Novter Nodster KovCoreG Kovter

Read More ›

Nymaim

References:

Nymaim – obfuscation chronicles - 2013-08-26 - Eset - Jean-Ian Boutin Nymaim

Meet GozNym: The Banking Malware Offspring of Gozi ISFB and Nymaim - 2016-04-14 - IBM Security - Limor Kessem - Lior Keshet Nymaim Gozi ISFB

Nymaim - The untold story - 2016-10-06 - Lokalhost - Jarosław Jedynak - Maciej Kotowicz Nymaim

Nymaim config decoded - 2019-03-12 - Proofpoint - Georgi Mladenov Nymaim

GozNym Cyber-Criminal Network Operating out of Europe Targeting American Entities Dismantled in International Operation - 2019-05-16 - Department of Justice - DoJ Nymaim

Read More ›

OnlinerBot

- OnlinerSpambot

References:

A journey inside Gozi campaign - 2017-01-20 - BenkowLab - benkow_ OnlinerBot Gozi ISFB

ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545) - 2018-10-05 - Blueliv - Blueliv Labs team - Jose Miguel Esparza ARS OnlinerBot

Read More ›

Osiris

References:

Kronos Reborn - 2018-07-24 - Proofpoint - Proofpoint Staff Osiris RIG

Osiris: An Enhanced Banking Trojan - 2018-07-31 - Checkoint - Yaroslav Harakhavik - Nikita Fokin Osiris

Read More ›

Ostap

References:

Ostap Bender: 400 Ways to Make the Population Part With Their Money - 2016-12-08 - Proofpoint - Proofpoint Staff Ostap Dridex Gozi ISFB TinyLoader

Ostap malware analysis (Backswap dropper) - 2018-06-01 - CertPL - Paweł Srokosz Ostap Nymaim

Read More ›

Otlard

- Jahoo

References:

Inside Jahoo (Otlard.A ?) - A spam Botnet - 2015-11-28 - MDNC - Kafeine Otlard VirtualDonna Angler Nuclear ProxyBack Ramnit

Read More ›

Parasite HTTP

References:

Parasite HTTP RAT cooks up a stew of stealthy tricks - - Proofpoint - Proofpoint Staff Parasite HTTP

Read More ›

Pitou

References:

The DGA of Pitou - Analyzing a Virtualized Algorithm - 2019-07-08 - Johannesbader - Johannes Bader Pitou

Read More ›

PoshAdvisor

References:

New modular downloaders fingerprint systems - Part 2: AdvisorsBot - 2018-08-23 - Proofpoint - Proofpoint Staff AdvisorsBot PoshAdvisor Marap TA555

Read More ›

PowerBrace

Read More ›

PowerEnum

Read More ›

Predator The Thief

References:

A predatory tale: Who’s afraid of the thief? - 201-03-11 - SecureList - GReAT Predator The Thief

Predator The Thief: In-depth analysis (v2.3.5) - 2018-10-15 - Fumik0 - Fumik0_ Predator The Thief

Read More ›

Princess

Read More ›

Princess Evolution

References:

Ransomware as a Service Princess Evolution Looking for Affiliates - 2018-09-09 - Trend Micro - Joseph C. Chen Princess Evolution RIG

Read More ›

ProxyBack

- Hbot

References:

ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - PaloAlto - Jeff White ProxyBack

Read More ›

PsiXBot

References:

It's called PsiX. It's a modular bot. - 2018-08-30 - Twitter - Matthew Mesa PsiXBot

PsiXBot: The Evolution Of A Modular .NET Bot - 2019-03-27 - Fox-IT - Stefano Antenucci - Antonio Parata PsiXBot Spelevo

Read More ›

Quant

- QuantLoader

References:

Locky distributor uses newly released quant loader sold on Russian underground - 2016-09-14 - Forcepoint - Nicholas Griffin Quant Locky TA505

An in-depth malware analysis of QuantLoader - 2018-03-28 - Malwarebytes - Vishal Thakur Quant TA505 FlawedAmmyy

Read More ›

Quasar

Read More ›

Raccoon

References:

Raccoon Stealer In development? - 2019-02-21 - Twitter - 0xffff0800 Raccoon

Read More ›

Ramnit

References:

Ramnit’s Network of Proxy Servers - 2018-08-05 - Checkpoint Ramnit Ngioweb

Read More ›

RecoLoad

- PUNCHBUGGY

References:

A fileless Ursnif doing some POS focused reco - 2015-07-05 - MDNC - Kafeine RecoLoad Angler

Angler Exploit Kit Used to Find and Infect PoS Systems - 2015-07-27 - Trendmicro - Anthony Joe Melgarejo RecoLoad Angler

Read More ›

Ryuk

References:

Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware - 2019-01-10 - CrowdStrike - Alexander Hanel Ryuk Hermes GRIM SPIDER Trickbot WIZARD SPIDER

A Nasty Trick: From Credential Theft Malware to Business Disruption - 2019-01-10 - FireEye - Kimberly Goody - Jeremy Kennelly - Jaideep Natu - Christopher Glyer Ryuk GRIM SPIDER Trickbot

Read More ›

SDBbot

References:

PDF: ASEC REPORT vol.96 Q3 2019 - 2019-10-11 - Ahnlab - ASEC Researchers Clop SDBbot FlawedAmmyy TA505

Read More ›

Sednit

Read More ›

Seon

Read More ›

ServHelper

References:

ServHelper and FlawedGrace - New malware introduced by TA505 - 2019-01-09 - Proofpoint - Dennis Schwarz - Proofpoint Staff ServHelper FlawedGrace TA505

Read More ›

Shifu

References:

Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - IBM Security - Limor Kessem - Ilya Kolmanovich - Denis Laskov Shifu

Shifu <3 Great Britain - 2015-09-24 - MDNC - Kafeine Shifu VirtualDonna Angler

Shifu Malware Analyzed: Behavior, Capabilities and Communications - 2015-10-29 - FireEye - Richard Hummel Shifu

2016 Updates to Shifu Banking Trojan - 2017-01-06 - PaloAlto - Dominik Reichel Shifu CVE-2016-0167

Read More ›

Silence

- TrueBot

References:

(PDF) Silence: Moving into the darkside - 2018-09 - Group-IB Silence

(PDF) Silence 2.0: Going Global - 2019-07-04 - Group-IB Silence FlawedAmmyy

Read More ›

Smokebot

- Dofoil - Smoke Loader

References:

Dissecting Smoke Loader - 2018-07-18 - CertPL - Michał Praszmo Smokebot

SmokeLoader ups its game in 2019 and emerges with a fresh new version. A blog post with all the recent updates is coming up shortly. Meanwhile, here are some IOCs - 2019-06-18 - Twitter - Check Point Research Smokebot bbsindex

The 2019 Resurgence of Smokeloader - 2019-07-09 - Checkpoint - Israel Gubi Smokebot bbsindex

Read More ›

Snatch

References:

SnatchLoader Reloaded - 2017-10-27 - Arbor - Dennis Schwarz Snatch Ramnit TA554

Read More ›

Sodinokibi

- REvil - Sodin

References:

Sodinokibi ransomware exploits WebLogic Server vulnerability - 2019-04-30 - Talos - Pierre Cadieux - Colin Grady - Jaeson Schultz - Matt Valites Sodinokibi GandCrab

Malware Tales: Sodinokibi - 2019-06-14 - Certego - Matteo Lodi Sodinokibi GandCrab

Sodin ransomware exploits Windows vulnerability and processor architecture - 2019-07-03 - Securelist - Orkhan Mamedov - Artur Pakulov - Fedor Sinitsyn Sodinokibi

Read More ›

Spora

References:

Spora Ransomware Works Offline, Has the Most Sophisticated Payment Site as of Yet - 2017-01-10 - BleepingComputer - Catalin Cimpanu Spora

Read More ›

StillerX

References:

CryptXXX Ransomware Learns the Samba, Other New Tricks With Version 3.100 - 2016-06-01 - Proofpoint - Proofpoint Staff StillerX CryptXXX

Read More ›

SystemBC

References:

SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits - 2019-08-01 - Proofpoint - Kade Karmon - Kafeine - Dennis Schwarz - Proofpoint Staff SystemBC Fallout RIG Danabot PowerEnum

Read More ›

TinyLoader

Read More ›

TinyNuke

- NuclearBot - NukeBot - Xbot

References:

Dismantling a Nuclear Bot - 2016-12-19 - Arbor - Dennis Schwarz TinyNuke

Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer - 2017-04-06 - Krebs On Security - Brian Krebs TinyNuke

Quick look at another Alina fork: XBOT-POS - 2017-08-16 - BenkowLab - benkow_ TinyNuke Alina

Read More ›

Tofsee

References:

A deeper look at Tofsee modules - 2017-10-19 - CertPL - Jarosław Jedynak Tofsee

Read More ›

Trickbot

Read More ›

URLZone

- Bebloh - Shiotob

References:

URLZone reloaded: new evolution - 2012-09-01 - VirusBulletin - Neo Tan URLZone

The DGA of Shiotob - 2015-01-12 - Johannesbader - Johannes Bader URLZone

Read More ›

Varenyky

References:

Loader / Spammer spread in France for a few weeks now ! Domains related (recommended to block) are here https://pastebin.com/fuAK9BHC - 2019-06-04 - Twitter - Hash Miser Varenyky TinyNuke

Varenyky: Spambot à la Française - 2019-08-08 - Eset - ESET Research Varenyky

Read More ›

Vawtrak

- Neverquest

Read More ›

Xagent

References:

A Look Into Fysbis: Sofacy' s Linux Backdoor - 2016-02-12 - PaloAlto - Bryan Lee - Rob Downs Xagent APT28

XAgentOSX: Sofacy's XAgent macOS Tool - 2017-02-14 - PaloAlto - Robert Falcone Xagent APT28

Read More ›

js-GhoLoader

References:

Fake Software Update Abuses NetSupport Remote Access Too - 2018-04-05 - FireEye - Sudhanshu Dubey js-GhoLoader SocGholish

Deep Analysis of Queryn Campaign - 2018-07-10 - Github - Koike js-GhoLoader SocGholish

Read More ›

sLoad

References:

Hello, internal name of this loader is sLoad. Appeared May 1st. Payload is the UK focused Ramnit ( fB1oN5frGqf ) - 2018-05-19 - Twitter - Kafeine sLoad Ramnit TA554

sLoad and Ramnit pairing in sustained campaigns against UK and Italy - 2018-10-23 - Proofpoint - Proofpoint Staff TA554 sLoad Ramnit PsiXBot Gootkit Snatch

Read More ›

