Introduction

The MISP threat sharing platform is free and open source software that supports the sharing of threat intelligence, including cyber security indicators, financial fraud and counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of the information shared.

MISP galaxy is a simple method to express a large object, called a cluster, that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-value pairs. Default vocabularies are available in MISP galaxy, but these can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. A MISP distribution level can be applied to each cluster to permit a limited or broader distribution scheme. The following document is generated from the machine-readable JSON describing the MISP galaxy.

Funding and Support

The MISP project is financially supported and resourced by CIRCL (Computer Incident Response Center Luxembourg).

CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31st August 2019 for "Improving MISP as building blocks for next-generation information sharing".

If you are interested in co-funding projects around MISP, feel free to get in touch with us.

MISP galaxy

Android

Android malware galaxy based on multiple open sources.

Android is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown

CopyCat

CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote – a daemon responsible for launching apps in the Android operating system – that allows the malware to control any activity on the device.

The tag is: misp-galaxy:android="CopyCat"

Table 1. Table References

Links

https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/

Andr/Dropr-FH

Andr/Dropr-FH can silently record audio and video, monitor texts and calls, modify files, and ultimately spawn ransomware.

The tag is: misp-galaxy:android="Andr/Dropr-FH"

Andr/Dropr-FH is also known as:

  • GhostCtrl

Andr/Dropr-FH has relationships with:

  • similar: misp-galaxy:malpedia="GhostCtrl" with estimative-language:likelihood-probability="likely"

Table 2. Table References

Links

https://nakedsecurity.sophos.com/2017/07/21/watch-out-for-the-android-malware-that-snoops-on-your-phone/

https://www.neowin.net/news/the-ghostctrl-android-malware-can-silently-record-your-audio-and-steal-sensitive-data

Judy

The malware, dubbed Judy, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.

The tag is: misp-galaxy:android="Judy"

Table 3. Table References

Links

http://fortune.com/2017/05/28/android-malware-judy/

https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/

RedAlert2

The trojan waits in hiding until the user opens a banking or social media app. When this happens, the trojan shows an HTML-based overlay on top of the original app, alerting the user of an error, and asking to reauthenticate. Red Alert then collects the user’s credentials and sends them to its C&C server.

The tag is: misp-galaxy:android="RedAlert2"

RedAlert2 has relationships with:

  • similar: misp-galaxy:malpedia="RedAlert2" with estimative-language:likelihood-probability="likely"

Table 4. Table References

Links

https://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/

https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html

Tizi

Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.

The tag is: misp-galaxy:android="Tizi"

Table 5. Table References

Links

https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html

DoubleLocker

DoubleLocker can change the device’s PIN, preventing victims from accessing their devices, and also encrypts the data and demands a ransom. After being installed by impersonating the Adobe Flash player, it misuses accessibility services, similar to BankBot.

The tag is: misp-galaxy:android="DoubleLocker"

DoubleLocker has relationships with:

  • similar: misp-galaxy:malpedia="DoubleLocker" with estimative-language:likelihood-probability="likely"

Table 6. Table References

Links

https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/

Svpeng

Svpeng is a banking trojan which acts as a keylogger. If the Android device is not Russian, Svpeng will ask for permission to use accessibility services. By abusing this service it gains administrator rights, allowing it to draw over other apps, send and receive SMS, and take screenshots when keys are pressed.

The tag is: misp-galaxy:android="Svpeng"

Svpeng is also known as:

  • Invisible Man

Svpeng has relationships with:

  • similar: misp-galaxy:tool="Svpeng" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Svpeng" with estimative-language:likelihood-probability="likely"

Table 7. Table References

Links

https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/

https://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/

LokiBot

LokiBot is a banking trojan for Android 4.0 and higher. It can steal information and send SMS messages. It has the ability to start web browsers and banking applications, along with showing notifications impersonating other apps. Upon an attempt to remove it, it encrypts the device's external storage and demands Bitcoins to decrypt the files.

The tag is: misp-galaxy:android="LokiBot"

LokiBot has relationships with:

  • similar: misp-galaxy:malpedia="Loki Password Stealer (PWS)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="LokiBot" with estimative-language:likelihood-probability="likely"

Table 8. Table References

Links

https://clientsidedetection.com/lokibot_the_first_hybrid_android_malware.html

BankBot

The main goal of this malware is to steal banking credentials from the victim’s device. It usually impersonates Flash Player updaters, Android system tools, or other legitimate applications.

The tag is: misp-galaxy:android="BankBot"

BankBot has relationships with:

  • similar: misp-galaxy:malpedia="BankBot" with estimative-language:likelihood-probability="likely"

Table 9. Table References

Links

https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot

https://forensics.spreitzenbarth.de/android-malware/

https://blog.avast.com/mobile-banking-trojan-sneaks-into-google-play-targeting-wells-fargo-chase-and-citibank-customers

Viking Horde

In rooted devices, Viking Horde installs software and executes code remotely to get access to the mobile data.

The tag is: misp-galaxy:android="Viking Horde"

Table 10. Table References

Links

http://www.alwayson-network.com/worst-types-android-malware-2016/

HummingBad

A Chinese advertising company has developed this malware. The malware has the power to take control of devices; it forces users to click advertisements and download apps. The malware uses a multistage attack chain.

The tag is: misp-galaxy:android="HummingBad"

HummingBad has relationships with:

  • similar: misp-galaxy:mitre-mobile-attack-malware="HummingBad - MOB-S0038" with estimative-language:likelihood-probability="likely"

Table 11. Table References

Links

http://www.alwayson-network.com/worst-types-android-malware-2016/

http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

Ackposts

Ackposts is a Trojan horse for Android devices that steals the contacts information from the compromised device and sends it to a predetermined location.

The tag is: misp-galaxy:android="Ackposts"

Table 12. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-072302-3943-99

Wirex

Wirex is a Trojan horse for Android devices that opens a backdoor on the compromised device which then joins a botnet for conducting click fraud.

The tag is: misp-galaxy:android="Wirex"

Table 13. Table References

Links

https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/

http://www.zdnet.com/article/wirex-ddos-malware-given-udp-flood-capabilities/

WannaLocker

WannaLocker is a strain of ransomware for Android devices that encrypts files on the device’s external storage and demands a payment to decrypt them.

The tag is: misp-galaxy:android="WannaLocker"

Table 14. Table References

Links

https://fossbytes.com/wannalocker-ransomware-wannacry-android/

Switcher

Switcher is a Trojan horse for Android devices that modifies Wi-Fi router DNS settings. Switcher attempts to infiltrate the admin interface of the router on the device's Wi-Fi network by using brute force techniques. If the attack succeeds, Switcher alters the DNS settings of the router, making it possible to reroute DNS queries to a network controlled by the malicious actors.

The tag is: misp-galaxy:android="Switcher"

Switcher has relationships with:

  • similar: misp-galaxy:malpedia="Switcher" with estimative-language:likelihood-probability="likely"

Table 15. Table References

Links

http://www.zdnet.com/article/this-android-infecting-trojan-malware-uses-your-phone-to-attack-your-router/

https://www.theregister.co.uk/2017/01/03/android_trojan_targets_routers/

https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99

Vibleaker

Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code that after specific orders from its maker would scan the user’s phone for the Viber app, and then steal photos and videos recorded or sent through the app.

The tag is: misp-galaxy:android="Vibleaker"

Table 16. Table References

Links

http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-videos-505758.shtml

ExpensiveWall

ExpensiveWall is Android malware that sends fraudulent premium SMS messages and charges users' accounts for fake services without their knowledge.

The tag is: misp-galaxy:android="ExpensiveWall"

Table 17. Table References

Links

https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

http://fortune.com/2017/09/14/google-play-android-malware/

Cepsohord

Cepsohord is a Trojan horse for Android devices that uses compromised devices to commit click fraud, modify DNS settings, randomly delete essential files, and download additional malware such as ransomware.

The tag is: misp-galaxy:android="Cepsohord"

Table 18. Table References

Links

https://www.cyber.nj.gov/threat-profiles/android-malware-variants/cepsohord

Fakem Rat

Fakem RAT makes its network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).

The tag is: misp-galaxy:android="Fakem Rat"

Table 19. Table References

Links

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf

https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99

GM Bot

GM Bot – also known as Acecard, SlemBunk, or Bankosy – scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps' log-in pages. Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.

The tag is: misp-galaxy:android="GM Bot"

GM Bot is also known as:

  • Acecard

  • SlemBunk

  • Bankosy

GM Bot has relationships with:

  • similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Bankosy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"

Table 20. Table References

Links

https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide

Moplus

The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the user’s device, and this connection is established in the background without the user’s knowledge.

The tag is: misp-galaxy:android="Moplus"

Table 21. Table References

Links

http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html

Adwind

Adwind is a backdoor written purely in Java that targets systems supporting the Java runtime environment. Its commands can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. According to the author, the backdoor component can run on Windows, Mac OS, Linux and Android platforms, providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.

The tag is: misp-galaxy:android="Adwind"

Adwind is also known as:

  • AlienSpy

  • Frutas

  • Unrecom

  • Sockrat

  • Jsocket

  • jRat

  • Backdoor:Java/Adwind

Adwind has relationships with:

  • similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Sockrat" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 22. Table References

Links

https://securelist.com/adwind-faq/73660/

AdSms

Adsms is a Trojan horse that may send SMS messages from Android devices.

The tag is: misp-galaxy:android="AdSms"

Table 23. Table References

Links

https://www.fortiguard.com/encyclopedia/virus/7389670

https://www.symantec.com/security_response/writeup.jsp?docid=2011-051313-4039-99

Airpush

Airpush is a very aggressive ad network.

The tag is: misp-galaxy:android="Airpush"

Airpush is also known as:

  • StopSMS

Table 24. Table References

Links

https://crypto.stanford.edu/cs155old/cs155-spring16/lectures/18-mobile-malware.pdf

BeanBot

BeanBot forwards the device’s data to a remote server and sends out premium-rate SMS messages from the infected device.

The tag is: misp-galaxy:android="BeanBot"

Table 25. Table References

Links

https://www.f-secure.com/v-descs/trojan_android_beanbot.shtml

Kemoge

Kemoge is adware that disguises itself as popular apps via repackaging, then allows for a complete takeover of the user's Android device.

The tag is: misp-galaxy:android="Kemoge"

Kemoge has relationships with:

  • similar: misp-galaxy:mitre-mobile-attack-malware="Shedun - MOB-S0010" with estimative-language:likelihood-probability="likely"

Table 26. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html

https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99

Ghost Push

Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed.

The tag is: misp-galaxy:android="Ghost Push"

Table 27. Table References

Links

https://en.wikipedia.org/wiki/Ghost_Push

https://blog.avast.com/how-to-protect-your-android-device-from-ghost-push

BeNews

The BeNews app is a backdoor app that uses the name of defunct news site BeNews to appear legitimate. After installation it bypasses restrictions and downloads additional threats to the compromised device.

The tag is: misp-galaxy:android="BeNews"

Table 28. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in-hacking-team-dump-designed-to-bypass-google-play/

Accstealer

Accstealer is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Accstealer"

Table 29. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-012711-1159-99

Acnetdoor

Acnetdoor is a detection for Trojan horses on the Android platform that open a back door on the compromised device.

The tag is: misp-galaxy:android="Acnetdoor"

Table 30. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99

Acnetsteal

Acnetsteal is a detection for Trojan horses on the Android platform that steal information from the compromised device.

The tag is: misp-galaxy:android="Acnetsteal"

Table 31. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051612-0505-99

Actech

Actech is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Actech"

Table 32. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080111-3948-99

AdChina

AdChina is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdChina"

Table 33. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-2947-99

Adfonic

Adfonic is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adfonic"

Table 34. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052615-0024-99

AdInfo

AdInfo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdInfo"

Table 35. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2433-99

Adknowledge

Adknowledge is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adknowledge"

Table 36. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-1033-99

AdMarvel

AdMarvel is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdMarvel"

Table 37. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-2450-99

AdMob

AdMob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdMob"

Table 38. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-3437-99

Adrd

Adrd is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Adrd"

Table 39. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-021514-4954-99

Aduru

Aduru is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Aduru"

Table 40. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-2419-99

Adwhirl

Adwhirl is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adwhirl"

Table 41. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1414-99

Adwlauncher

Adwlauncher is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Adwlauncher"

Table 42. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082308-1823-99

Adwo

Adwo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adwo"

Table 43. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-5806-99

Airad

Airad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Airad"

Table 44. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-1704-99

Alienspy

Alienspy is a Trojan horse for Android devices that steals information from the compromised device. It may also download potentially malicious files.

The tag is: misp-galaxy:android="Alienspy"

Table 45. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-042714-5942-99

AmazonAds

AmazonAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AmazonAds"

Table 46. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-5002-99

Answerbot

Answerbot is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Answerbot"

Table 47. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-100711-2129-99

Antammi

Antammi is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Antammi"

Table 48. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-032106-5211-99

Apkmore

Apkmore is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Apkmore"

Table 49. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-4813-99

Aplog

Aplog is a Trojan horse for Android devices that steals information from the device.

The tag is: misp-galaxy:android="Aplog"

Table 50. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-100911-1023-99

Appenda

Appenda is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Appenda"

Table 51. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062812-0516-99

Apperhand

Apperhand is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Apperhand"

Table 52. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5637-99

Appleservice

Appleservice is a Trojan horse for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Appleservice"

Table 53. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031011-4321-99

AppLovin

AppLovin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AppLovin"

Table 54. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-1739-99

Arspam

Arspam is a Trojan horse for Android devices that sends spam SMS messages to contacts on the compromised device.

The tag is: misp-galaxy:android="Arspam"

Table 55. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121915-3251-99

Aurecord

Aurecord is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Aurecord"

Table 56. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-2310-99

Backapp

Backapp is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Backapp"

Table 57. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-092708-5017-99

Backdexer

Backdexer is a Trojan horse for Android devices that may send premium-rate SMS messages from the compromised device.

The tag is: misp-galaxy:android="Backdexer"

Table 58. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121812-2502-99

Backflash

Backflash is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Backflash"

Table 59. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99

Backscript

Backscript is a Trojan horse for Android devices that downloads files onto the compromised device.

The tag is: misp-galaxy:android="Backscript"

Table 60. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090704-3639-99

Badaccents

Badaccents is a Trojan horse for Android devices that may download apps on the compromised device.

The tag is: misp-galaxy:android="Badaccents"

Table 61. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-123015-3618-99

Badpush

Badpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Badpush"

Table 62. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-4133-99

Ballonpop

Ballonpop is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Ballonpop"

Table 63. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-120911-1731-99

Bankosy

Bankosy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Bankosy"

Bankosy has relationships with:

  • similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="GM Bot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"

Table 64. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99

Bankun

Bankun is a Trojan horse for Android devices that replaces certain banking applications on the compromised device.

The tag is: misp-galaxy:android="Bankun"

Table 65. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072318-4143-99

Basebridge

Basebridge is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Basebridge"

Table 66. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060915-4938-99

Basedao

Basedao is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Basedao"

Table 67. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061715-3303-99

Batterydoctor

Batterydoctor is a Trojan that makes exaggerated claims about the device’s ability to recharge the battery, as well as stealing information.

The tag is: misp-galaxy:android="Batterydoctor"

Table 68. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-101916-0847-99

Beaglespy

Beaglespy is an Android mobile detection for the Beagle spyware program as well as its associated client application.

The tag is: misp-galaxy:android="Beaglespy"

Table 69. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091010-0627-99

Becuro

Becuro is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.

The tag is: misp-galaxy:android="Becuro"

Table 70. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-051410-3348-99

Beita

Beita is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Beita"

Table 71. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99

Bgserv

Bgserv is a Trojan that opens a back door and transmits information from the device to a remote location.

The tag is: misp-galaxy:android="Bgserv"

Table 72. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99

Biigespy

Biigespy is an Android mobile detection for the Biige spyware program as well as its associated client application.

The tag is: misp-galaxy:android="Biigespy"

Table 73. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091012-0526-99

Bmaster

Bmaster is a Trojan horse on the Android platform that opens a back door, downloads files and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Bmaster"

Table 74. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99

Bossefiv

Bossefiv is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Bossefiv"

Table 75. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-061520-4322-99

Boxpush

Boxpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Boxpush"

Table 76. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-4613-99

Burstly

Burstly is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Burstly"

Table 77. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1443-99

Buzzcity

Buzzcity is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Buzzcity"

Table 78. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1454-99

ByPush

ByPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ByPush"

Table 79. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4708-99

Cajino

Cajino is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Cajino"

Table 80. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-040210-3746-99

Casee

Casee is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Casee"

Table 81. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3501-99

Catchtoken

Catchtoken is a Trojan horse for Android devices that intercepts SMS messages and opens a back door on the compromised device.

The tag is: misp-galaxy:android="Catchtoken"

Table 82. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121619-0548-99

Cauly

Cauly is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Cauly"

Table 83. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3454-99

Cellshark

Cellshark is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.

The tag is: misp-galaxy:android="Cellshark"

Table 84. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111611-0914-99

Centero

Centero is a Trojan horse for Android devices that displays advertisements on the compromised device.

The tag is: misp-galaxy:android="Centero"

Table 85. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-053006-2502-99

Chuli

Chuli is a Trojan horse for Android devices that opens a back door and may steal information from the compromised device.

The tag is: misp-galaxy:android="Chuli"

Table 86. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-032617-1604-99

Citmo

Citmo is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Citmo"

Table 87. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-5012-99

Claco

Claco is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Claco"

Table 88. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-020415-5600-99

Clevernet

Clevernet is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Clevernet"

Table 89. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-5257-99

Cnappbox

Cnappbox is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Cnappbox"

Table 90. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-1141-99

Cobblerone

Cobblerone is a spyware application for Android devices that can track the phone’s location and remotely erase the device.

The tag is: misp-galaxy:android="Cobblerone"

Table 91. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111514-3846-99

Coolpaperleak

Coolpaperleak is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Coolpaperleak"

Table 92. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080211-5757-99

Coolreaper

Coolreaper is a Trojan horse for Android devices that opens a back door on the compromised device. It may also steal information and download potentially malicious files.

The tag is: misp-galaxy:android="Coolreaper"

Table 93. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-011220-3211-99

Cosha

Cosha is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Cosha"

Table 94. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081712-5231-99

Counterclank

Counterclank is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Counterclank"

Table 95. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99

Crazymedia

Crazymedia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Crazymedia"

Table 96. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-2547-99

Crisis

Crisis is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Crisis"

Crisis has relationships with:

  • similar: misp-galaxy:malpedia="Crisis (Windows)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="RCS" with estimative-language:likelihood-probability="likely"

Table 97. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99

Crusewind

Crusewind is a Trojan horse for Android devices that sends SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Crusewind"

Table 98. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99

Dandro

Dandro is a Trojan horse for Android devices that allows a remote attacker to gain control over the device and steal information from it.

The tag is: misp-galaxy:android="Dandro"

Table 99. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-012916-2128-99

Daoyoudao

Daoyoudao is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Daoyoudao"

Table 100. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040214-5018-99

Deathring

Deathring is a Trojan horse for Android devices that may perform malicious activities on the compromised device.

The tag is: misp-galaxy:android="Deathring"

Table 101. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121116-4547-99

Deeveemap

Deeveemap is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.

The tag is: misp-galaxy:android="Deeveemap"

Table 102. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-060907-5221-99

Dendoroid

Dendoroid is a Trojan horse for Android devices that opens a back door, steals information, and may perform other malicious activities on the compromised device.

The tag is: misp-galaxy:android="Dendoroid"

Table 103. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030418-2633-99

Dengaru

Dengaru is a Trojan horse for Android devices that performs click-fraud from the compromised device.

The tag is: misp-galaxy:android="Dengaru"

Table 104. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-051113-4819-99

Diandong

Diandong is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Diandong"

Table 105. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-2453-99

Dianjin

Dianjin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dianjin"

Table 106. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-0313-99

Dogowar

Dogowar is a Trojan horse on the Android platform that sends SMS texts to all contacts on the device. It is a repackaged version of a game application called Dog Wars, which can be downloaded from a third party market and must be manually installed.

The tag is: misp-galaxy:android="Dogowar"

Table 107. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-081510-4323-99

Domob

Domob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Domob"

Table 108. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-4235-99

Dougalek

Dougalek is a Trojan horse for Android devices that steals information from the compromised device. The threat is typically disguised to display a video.

The tag is: misp-galaxy:android="Dougalek"

Table 109. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041601-3400-99

Dowgin

Dowgin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dowgin"

Table 110. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-033108-4723-99

Droidsheep

Droidsheep is a hacktool for Android devices that hijacks social networking accounts on compromised devices.

The tag is: misp-galaxy:android="Droidsheep"

Table 111. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031014-3628-99

Dropdialer

Dropdialer is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Dropdialer"

Table 112. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99

Dupvert

Dupvert is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. It may also perform other malicious activities.

The tag is: misp-galaxy:android="Dupvert"

Table 113. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072313-1959-99

Dynamicit

Dynamicit is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dynamicit"

Table 114. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-1346-99

Ecardgrabber

Ecardgrabber is an application that attempts to read details from NFC-enabled credit cards that are in close proximity to the device.

The tag is: misp-galaxy:android="Ecardgrabber"

Table 115. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062215-0939-99

Ecobatry

Ecobatry is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Ecobatry"

Table 116. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080606-4102-99

Enesoluty

Enesoluty is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Enesoluty"

Table 117. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090607-0807-99

Everbadge

Everbadge is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Everbadge"

Table 118. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-3736-99

Ewalls

Ewalls is a Trojan horse for the Android operating system that steals information from the mobile device.

The tag is: misp-galaxy:android="Ewalls"

Table 119. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-073014-0854-99

Exprespam

Exprespam is a Trojan horse for Android devices that displays a fake message and steals personal information stored on the compromised device.

The tag is: misp-galaxy:android="Exprespam"

Table 120. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-010705-2324-99

Fakealbums

Fakealbums is a Trojan horse for Android devices that monitors and forwards received messages from the compromised device.

The tag is: misp-galaxy:android="Fakealbums"

Table 121. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071819-0636-99

Fakeangry

Fakeangry is a Trojan horse on the Android platform that opens a back door, downloads files, and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Fakeangry"

Table 122. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022823-4233-99

Fakeapp

Fakeapp is a Trojan horse for Android devices that downloads configuration files to display advertisements and collects information from the compromised device.

The tag is: misp-galaxy:android="Fakeapp"

Table 123. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99

Fakebanco

Fakebanco is a Trojan horse for Android devices that redirects users to a phishing page in order to steal their information.

The tag is: misp-galaxy:android="Fakebanco"

Table 124. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-112109-5329-99

Fakebank

Fakebank is a Trojan horse that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakebank"

Table 125. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071813-2448-99

Fakebank.B

Fakebank.B is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakebank.B"

Table 126. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-101114-5645-99

Fakebok

Fakebok is a Trojan horse for Android devices that sends SMS messages to premium phone numbers.

The tag is: misp-galaxy:android="Fakebok"

Table 127. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-021115-5153-99

Fakedaum

Fakedaum is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakedaum"

Table 128. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99

Fakedefender

Fakedefender is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakedefender"

Table 129. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060301-4418-99

Fakedefender.B

Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakedefender.B"

Table 130. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99

Fakedown

Fakedown is a Trojan horse for Android devices that downloads more malicious apps onto the compromised device.

The tag is: misp-galaxy:android="Fakedown"

Table 131. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-041803-5918-99

Fakeflash

Fakeflash is a Trojan horse for Android devices that installs a fake Flash application in order to direct users to a website.

The tag is: misp-galaxy:android="Fakeflash"

Table 132. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070318-2122-99

Fakegame

Fakegame is a Trojan horse for Android devices that displays advertisements and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakegame"

Table 133. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040808-2922-99

Fakeguard

Fakeguard is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakeguard"

Table 134. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-102908-3526-99

Fakejob

Fakejob is a Trojan horse for Android devices that redirects users to scam websites.

The tag is: misp-galaxy:android="Fakejob"

Table 135. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030721-3048-99

Fakekakao

Fakekakao is a Trojan horse for Android devices that sends SMS messages to contacts stored on the compromised device.

The tag is: misp-galaxy:android="Fakekakao"

Table 136. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071617-2031-99

Fakelemon

Fakelemon is a Trojan horse for Android devices that blocks certain SMS messages and may subscribe to services without the user’s consent.

The tag is: misp-galaxy:android="Fakelemon"

Table 137. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-120609-3608-99

Fakelicense

Fakelicense is a Trojan horse that displays advertisements on the compromised device.

The tag is: misp-galaxy:android="Fakelicense"

Table 138. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062709-1437-99

Fakelogin

Fakelogin is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakelogin"

Table 139. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-102108-5457-99

FakeLookout

FakeLookout is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.

The tag is: misp-galaxy:android="FakeLookout"

Table 140. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-101919-2128-99

FakeMart

FakeMart is a Trojan horse for Android devices that may send SMS messages to premium rate numbers. It may also block incoming messages and steal information from the compromised device.

The tag is: misp-galaxy:android="FakeMart"

Table 141. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99

Fakemini

Fakemini is a Trojan horse for Android devices that disguises itself as an installation for the Opera Mini browser and sends premium-rate SMS messages to a predetermined number.

The tag is: misp-galaxy:android="Fakemini"

Table 142. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-110410-5958-99

Fakemrat

Fakemrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakemrat"

Table 143. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99

Fakeneflic

Fakeneflic is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Fakeneflic"

Table 144. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99

Fakenotify

Fakenotify is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers, collects and sends information, and periodically displays Web pages. It also downloads legitimate apps onto the compromised device.

The tag is: misp-galaxy:android="Fakenotify"

Table 145. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011302-3052-99

Fakepatch

Fakepatch is a Trojan horse for Android devices that downloads more files onto the device.

The tag is: misp-galaxy:android="Fakepatch"

Table 146. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062811-2820-99

Fakeplay

Fakeplay is a Trojan horse for Android devices that steals information from the compromised device and sends it to a predetermined email address.

The tag is: misp-galaxy:android="Fakeplay"

Table 147. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-100917-3825-99

Fakescarav

Fakescarav is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to pay in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakescarav"

Table 148. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-012809-1901-99

Fakesecsuit

Fakesecsuit is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakesecsuit"

Table 149. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99

Fakesucon

Fakesucon is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Fakesucon"

Table 150. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-120915-2524-99

Faketaobao

Faketaobao is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Faketaobao"

Table 151. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99

Faketaobao.B

Faketaobao.B is a Trojan horse for Android devices that intercepts incoming SMS messages and sends them to a remote attacker.

The tag is: misp-galaxy:android="Faketaobao.B"

Table 152. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-012106-4013-99

Faketoken

Faketoken is a Trojan horse that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Faketoken"

Table 153. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-032211-2048-99

http://bgr.com/2017/08/18/android-malware-faketoken-steal-credit-card-info/

Fakeupdate

Fakeupdate is a Trojan horse for Android devices that downloads other applications onto the compromised device.

The tag is: misp-galaxy:android="Fakeupdate"

Table 154. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-081914-5637-99

Fakevoice

Fakevoice is a Trojan horse for Android devices that dials a premium-rate phone number.

The tag is: misp-galaxy:android="Fakevoice"

Table 155. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040510-3249-99

Farmbaby

Farmbaby is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.

The tag is: misp-galaxy:android="Farmbaby"

Table 156. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090715-3641-99

Fauxtocopy

Fauxtocopy is a spyware application for Android devices that gathers photos from the device and sends them to a predetermined email address.

The tag is: misp-galaxy:android="Fauxtocopy"

Table 157. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111515-3940-99

Feiwo

Feiwo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Feiwo"

Table 158. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-4038-99

FindAndCall

FindAndCall is a Potentially Unwanted Application for Android devices that may leak information.

The tag is: misp-galaxy:android="FindAndCall"

Table 159. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-2906-99

Finfish

Finfish is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Finfish"

Table 160. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-083016-0032-99

Fireleaker

Fireleaker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fireleaker"

Table 161. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-5207-99

Fitikser

Fitikser is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fitikser"

Table 162. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-093015-2830-99

Flexispy

Flexispy is a spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Flexispy"

Table 163. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99

Fokonge

Fokonge is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Fokonge"

Table 164. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071802-0727-99

FoncySMS

FoncySMS is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. It may also connect to an IRC server and execute any received shell commands.

The tag is: misp-galaxy:android="FoncySMS"

Table 165. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011502-2651-99

Frogonal

Frogonal is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Frogonal"

Table 166. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062205-2312-99

Ftad

Ftad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Ftad"

Table 167. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040114-2020-99

Funtasy

Funtasy is a Trojan horse for Android devices that subscribes the user to premium SMS services.

The tag is: misp-galaxy:android="Funtasy"

Table 168. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-092519-5811-99

GallMe

GallMe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="GallMe"

Table 169. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1336-99

Gamex

Gamex is a Trojan horse for Android devices that downloads further threats.

The tag is: misp-galaxy:android="Gamex"

Table 170. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051015-1808-99

Gappusin

Gappusin is a Trojan horse for Android devices that downloads applications and disguises them as system updates.

The tag is: misp-galaxy:android="Gappusin"

Table 171. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022007-2013-99

Gazon

Gazon is a worm for Android devices that spreads through SMS messages.

The tag is: misp-galaxy:android="Gazon"

Table 172. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-030320-1436-99

Geinimi

Geinimi is a Trojan that opens a back door and transmits information from the device to a remote location.

The tag is: misp-galaxy:android="Geinimi"

Table 173. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-010111-5403-99

Generisk

Generisk is a generic detection for Android applications that may pose a privacy, security, or stability risk to the user or user’s Android device.

The tag is: misp-galaxy:android="Generisk"

Table 174. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-062622-1559-99

Genheur

Genheur is a generic detection for many individual but varied Trojans for Android devices for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.

The tag is: misp-galaxy:android="Genheur"

Table 175. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-0848-99

Genpush

Genpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Genpush"

Table 176. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-033109-0426-99

GeoFake

GeoFake is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers.

The tag is: misp-galaxy:android="GeoFake"

Table 177. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040217-3232-99

Geplook

Geplook is a Trojan horse for Android devices that downloads additional apps onto the compromised device.

The tag is: misp-galaxy:android="Geplook"

Table 178. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121814-0917-99

Getadpush

Getadpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Getadpush"

Table 179. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-0957-99

Ggtracker

Ggtracker is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. It may also steal information from the device.

The tag is: misp-galaxy:android="Ggtracker"

Table 180. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-062208-5013-99

Ghostpush

Ghostpush is a Trojan horse for Android devices that roots the compromised device. It may then perform malicious activities on the compromised device.

The tag is: misp-galaxy:android="Ghostpush"

Table 181. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-100215-3718-99

Gmaster

Gmaster is a Trojan horse on the Android platform that steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Gmaster"

Table 182. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99

Godwon

Godwon is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Godwon"

Table 183. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99

Golddream

Golddream is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Golddream"

Table 184. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-070608-4139-99

Goldeneagle

Goldeneagle is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Goldeneagle"

Table 185. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-090110-3712-99

Golocker

Golocker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Golocker"

Table 186. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062003-3214-99

Gomal

Gomal is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Gomal"

Table 187. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101312-1047-99

Gonesixty

Gonesixty is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonesixty"

Table 188. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99

Gonfu

Gonfu is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonfu"

Table 189. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060610-3953-99

Gonfu.B

Gonfu.B is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonfu.B"

Table 190. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-030811-5215-99

Gonfu.C

Gonfu.C is a Trojan horse for Android devices that may download additional threats on the compromised device.

The tag is: misp-galaxy:android="Gonfu.C"

Table 191. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031817-3639-99

Gonfu.D

Gonfu.D is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Gonfu.D"

Table 192. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040414-1158-99

Gooboot

Gooboot is a Trojan horse for Android devices that may send text messages to premium-rate numbers.

The tag is: misp-galaxy:android="Gooboot"

Table 193. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031818-3034-99

Goodadpush

Goodadpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Goodadpush"

Table 194. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0913-99

Greystripe

Greystripe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Greystripe"

Table 195. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-2643-99

Gugespy

Gugespy is a spyware program for Android devices that logs the device’s activity and sends it to a predetermined email address.

The tag is: misp-galaxy:android="Gugespy"

Table 196. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071822-2515-99

Gugespy.B

Gugespy.B is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Gugespy.B"

Table 197. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-070511-5038-99

Gupno

Gupno is a Trojan horse for Android devices that poses as a legitimate app and attempts to charge users for features that are normally free. It may also display advertisements on the compromised device.

The tag is: misp-galaxy:android="Gupno"

Table 198. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-072211-5533-99

Habey

Habey is a Trojan horse for Android devices that may attempt to delete files and send SMS messages from the compromised device.

The tag is: misp-galaxy:android="Habey"

Table 199. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-100608-4512-99

Handyclient

Handyclient is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Handyclient"

Table 200. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5027-99

Hehe

Hehe is a Trojan horse for Android devices that blocks incoming calls and SMS messages from specific numbers. The Trojan also steals information from the compromised device.

The tag is: misp-galaxy:android="Hehe"

Table 201. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-012211-0020-99

Hesperbot

Hesperbot is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.

The tag is: misp-galaxy:android="Hesperbot"

Table 202. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121010-1120-99

Hippo

Hippo is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Hippo"

Table 203. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071215-3547-99

Hippo.B

Hippo.B is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Hippo.B"

Table 204. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031915-0151-99

IadPush

IadPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="IadPush"

Table 205. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4104-99

iBanking

iBanking is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.

The tag is: misp-galaxy:android="iBanking"

Table 206. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030713-0559-99

Iconosis

Iconosis is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Iconosis"

Table 207. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062107-3327-99

Iconosys

Iconosys is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Iconosys"

Table 208. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081309-0341-99

Igexin

Igexin is an advertisement library that is bundled with certain Android applications. Igexin has the capability of spying on victims through otherwise benign apps by downloading malicious plugins.

The tag is: misp-galaxy:android="Igexin"

Igexin is also known as:

  • IcicleGum

Igexin has relationships with:

  • similar: misp-galaxy:android="IcicleGum" with estimative-language:likelihood-probability="likely"

Table 209. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032606-5519-99

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://blog.lookout.com/igexin-malicious-sdk

ImAdPush

ImAdPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ImAdPush"

Table 210. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040323-0218-99

InMobi

InMobi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="InMobi"

Table 211. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-1527-99

Jifake

Jifake is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Jifake"

Table 212. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-073021-4247-99

Jollyserv

Jollyserv is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.

The tag is: misp-galaxy:android="Jollyserv"

Table 213. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-090311-4533-99

Jsmshider

Jsmshider is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Jsmshider"

Table 214. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-062114-0857-99

Ju6

Ju6 is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Ju6"

Table 215. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2428-99

Jumptap

Jumptap is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Jumptap"

Table 216. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0859-99

Jzmob

Jzmob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Jzmob"

Table 217. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-1703-99

Kabstamper

Kabstamper is a Trojan horse for Android devices that corrupts images found on the compromised device.

The tag is: misp-galaxy:android="Kabstamper"

Table 218. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-060706-2305-99

Kidlogger

Kidlogger is a spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Kidlogger"

Table 219. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-122014-1927-99

Kielog

Kielog is a Trojan horse for Android devices that logs keystrokes and sends the stolen information to the remote attacker.

The tag is: misp-galaxy:android="Kielog"

Table 220. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040205-4035-99

Kituri

Kituri is a Trojan horse for Android devices that blocks certain SMS messages from being received by the device. It may also send SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Kituri"

Table 221. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-061111-5350-99

Kranxpay

Kranxpay is a Trojan horse for Android devices that downloads other apps onto the device.

The tag is: misp-galaxy:android="Kranxpay"

Table 222. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071009-0809-99

Krysanec

Krysanec is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Krysanec"

Table 223. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-090113-4128-99

Kuaidian360

Kuaidian360 is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Kuaidian360"

Table 224. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040109-2415-99

Kuguo

Kuguo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Kuguo"

Table 225. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-5215-99

Lastacloud

Lastacloud is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Lastacloud"

Table 226. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121216-4334-99

Laucassspy

Laucassspy is a spyware program for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Laucassspy"

Table 227. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-092409-1822-99

Lifemonspy

Lifemonspy is a spyware application for Android devices that can track the phone’s location, download SMS messages, and erase certain data from the device.

The tag is: misp-galaxy:android="Lifemonspy"

Table 228. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-5540-99

Lightdd

Lightdd is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Lightdd"

Table 229. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-053114-2342-99

Loaderpush

Loaderpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Loaderpush"

Table 230. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0244-99

Locaspy

Locaspy is a Potentially Unwanted Application for Android devices that tracks the location of the compromised device.

The tag is: misp-galaxy:android="Locaspy"

Table 231. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030720-3500-99

Lockdroid.E

Lockdroid.E is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.E"

Table 232. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-103005-2209-99

Lockdroid.F

Lockdroid.F is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.F"

Table 233. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-102215-4346-99

Lockdroid.G

Lockdroid.G is a Trojan horse for Android devices that may display a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.G"

Table 234. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-050610-2450-99

Lockdroid.H

Lockdroid.H is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.H"

Table 235. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-031621-1349-99

Lockscreen

Lockscreen is a Trojan horse for Android devices that locks the compromised device from use.

The tag is: misp-galaxy:android="Lockscreen"

Table 236. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032409-0743-99

LogiaAd

LogiaAd is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="LogiaAd"

Table 237. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0348-99

Loicdos

Loicdos is an Android application that provides an interface to a website in order to perform a denial of service (DoS) attack against a computer.

The tag is: misp-galaxy:android="Loicdos"

Table 238. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022002-2431-99

Loozfon

Loozfon is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Loozfon"

Table 239. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082005-5451-99

Lotoor

Lotoor is a generic detection for hack tools that exploit vulnerabilities in order to gain root privileges on compromised Android devices.

The tag is: misp-galaxy:android="Lotoor"

Table 240. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091922-4449-99

Lovespy

Lovespy is a Trojan horse for Android devices that steals information from the device.

The tag is: misp-galaxy:android="Lovespy"

Table 241. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071814-3805-99

Lovetrap

Lovetrap is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Lovetrap"

Table 242. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99

Luckycat

Luckycat is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.

The tag is: misp-galaxy:android="Luckycat"

Table 243. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080617-5343-99

Machinleak

Machinleak is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Machinleak"

Table 244. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-120311-2440-99

Maistealer

Maistealer is a Trojan that steals information from Android devices.

The tag is: misp-galaxy:android="Maistealer"

Table 245. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99

Malapp

Malapp is a generic detection for many individual but varied threats on Android devices that share similar characteristics.

The tag is: misp-galaxy:android="Malapp"

Table 246. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-073014-3354-99

Malebook

Malebook is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Malebook"

Table 247. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071206-3403-99

Malhome

Malhome is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Malhome"

Table 248. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071118-0441-99

Malminer

Malminer is a Trojan horse for Android devices that mines cryptocurrencies on the compromised device.

The tag is: misp-galaxy:android="Malminer"

Table 249. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032712-3709-99

Mania

Mania is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Mania"

Table 250. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070623-1520-99

Maxit

Maxit is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals certain information and uploads it to a remote location.

The tag is: misp-galaxy:android="Maxit"

Table 251. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-120411-2511-99

MdotM

MdotM is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MdotM"

Table 252. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5824-99

Medialets

Medialets is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Medialets"

Table 253. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5222-99

Meshidden

Meshidden is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Meshidden"

Table 254. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031913-5257-99

Mesploit

Mesploit is a tool for Android devices used to create applications that exploit the Android Fake ID vulnerability.

The tag is: misp-galaxy:android="Mesploit"

Table 255. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032014-2847-99

Mesprank

Mesprank is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Mesprank"

Table 256. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030717-1933-99

Meswatcherbox

Meswatcherbox is a spyware application for Android devices that forwards SMS messages without the user knowing.

The tag is: misp-galaxy:android="Meswatcherbox"

Table 257. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-2736-99

Miji

Miji is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Miji"

Table 258. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4720-99

Milipnot

Milipnot is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Milipnot"

Table 259. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-070414-0941-99

MillennialMedia

MillennialMedia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MillennialMedia"

Table 260. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4602-99

Mitcad

Mitcad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mitcad"

Table 261. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040212-0528-99

MobClix

MobClix is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobClix"

Table 262. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4011-99

MobFox

MobFox is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobFox"

Table 263. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-3050-99

Mobidisplay

Mobidisplay is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mobidisplay"

Table 264. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-0435-99

Mobigapp

Mobigapp is a Trojan horse for Android devices that downloads applications disguised as system updates.

The tag is: misp-galaxy:android="Mobigapp"

Table 265. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062520-5802-99

MobileBackup

MobileBackup is a spyware application for Android devices that monitors the affected device.

The tag is: misp-galaxy:android="MobileBackup"

Table 266. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-0040-99

Mobilespy

Mobilespy is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Mobilespy"

Table 267. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071512-0653-99

Mobiletx

Mobiletx is a Trojan horse for Android devices that steals information from the compromised device. It may also send SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Mobiletx"

Table 268. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-052807-4439-99

Mobinaspy

Mobinaspy is a spyware application for Android devices that can track the device’s location.

The tag is: misp-galaxy:android="Mobinaspy"

Table 269. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-0511-99

Mobus

Mobus is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mobus"

Table 270. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2006-99

MobWin

MobWin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobWin"

Table 271. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1522-99

Mocore

Mocore is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mocore"

Table 272. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-092112-4603-99

Moghava

Moghava is a Trojan horse for Android devices that modifies images that are stored on the device.

The tag is: misp-galaxy:android="Moghava"

Table 273. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022712-2822-99

Momark

Momark is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Momark"

Table 274. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-5529-99

Monitorello

Monitorello is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Monitorello"

Table 275. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-4737-99

Moolah

Moolah is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Moolah"

Table 276. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1007-99

MoPub

MoPub is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MoPub"

Table 277. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-2456-99

Morepaks

Morepaks is a Trojan horse for Android devices that downloads remote files and may display advertisements on the compromised device.

The tag is: misp-galaxy:android="Morepaks"

Table 278. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071204-1130-99

Nandrobox

Nandrobox is a Trojan horse for Android devices that steals information from the compromised device. It also deletes certain SMS messages from the device.

The tag is: misp-galaxy:android="Nandrobox"

Table 279. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070212-2132-99

Netisend

Netisend is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Netisend"

Table 280. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-080207-1139-99

Nickispy

Nickispy is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Nickispy"

Table 281. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-072714-3613-99

Notcompatible

Notcompatible is a Trojan horse for Android devices that acts as a proxy.

The tag is: misp-galaxy:android="Notcompatible"

Table 282. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-050307-2712-99

Nuhaz

Nuhaz is a Trojan horse for Android devices that may intercept text messages on the compromised device.

The tag is: misp-galaxy:android="Nuhaz"

Table 283. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-3416-99

Nyearleaker

Nyearleaker is a Trojan horse program for Android devices that steals information.

The tag is: misp-galaxy:android="Nyearleaker"

Table 284. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-010514-0844-99

Obad

Obad is a Trojan horse for Android devices that opens a back door, steals information, and downloads files. It also sends SMS messages to premium-rate numbers and spreads malware to Bluetooth-enabled devices.

The tag is: misp-galaxy:android="Obad"

Table 285. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99

Oneclickfraud

Oneclickfraud is a Trojan horse for Android devices that attempts to coerce a user into paying for a pornographic service.

The tag is: misp-galaxy:android="Oneclickfraud"

Table 286. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011205-4412-99

Opfake

Opfake is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers.

The tag is: misp-galaxy:android="Opfake"

Table 287. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99

Opfake.B

Opfake.B is a Trojan horse for the Android platform that may receive commands from a remote attacker to perform various functions.

The tag is: misp-galaxy:android="Opfake.B"

Table 288. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022406-1309-99

Ozotshielder

Ozotshielder is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Ozotshielder"

Table 289. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-091505-3230-99

Pafloat

Pafloat is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Pafloat"

Table 290. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-2015-99

PandaAds

PandaAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="PandaAds"

Table 291. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1959-99

Pandbot

Pandbot is a Trojan horse for Android devices that may download more files onto the device.

The tag is: misp-galaxy:android="Pandbot"

Table 292. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071215-1454-99

Pdaspy

Pdaspy is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.

The tag is: misp-galaxy:android="Pdaspy"

Table 293. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-0749-99

Penetho

Penetho is a hacktool for Android devices that can be used to crack the WiFi password of the router that the device is using.

The tag is: misp-galaxy:android="Penetho"

Table 294. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-100110-3614-99

Perkel

Perkel is a Trojan horse for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Perkel"

Table 295. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-082811-4213-99

Phimdropper

Phimdropper is a Trojan horse for Android devices that sends and intercepts incoming SMS messages.

The tag is: misp-galaxy:android="Phimdropper"

Table 296. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-021002-2943-99

Phospy

Phospy is a Trojan horse for Android devices that steals confidential information from the compromised device.

The tag is: misp-galaxy:android="Phospy"

Table 297. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99

Piddialer

Piddialer is a Trojan horse for Android devices that dials premium-rate numbers from the compromised device.

The tag is: misp-galaxy:android="Piddialer"

Table 298. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-2247-99

Pikspam

Pikspam is a Trojan horse for Android devices that sends spam SMS messages from the compromised device.

The tag is: misp-galaxy:android="Pikspam"

Table 299. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-121815-0336-99

Pincer

Pincer is a Trojan horse for Android devices that steals confidential information and opens a back door on the compromised device.

The tag is: misp-galaxy:android="Pincer"

Table 300. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-052307-3530-99

Pirator

Pirator is a Trojan horse on the Android platform that downloads files and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Pirator"

Table 301. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-021609-5740-99

Pjapps

Pjapps is a Trojan horse that has been embedded in third-party applications and opens a back door on the compromised device. It retrieves commands from a remote command and control server.

The tag is: misp-galaxy:android="Pjapps"

Table 302. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-022303-3344-99

Pjapps.B

Pjapps.B is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Pjapps.B"

Table 303. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032014-1624-99

Pletora

Pletora is a Trojan horse for Android devices that may lock the compromised device. It then asks the user to pay in order to unlock the device.

The tag is: misp-galaxy:android="Pletora"

Table 304. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061217-4345-99

Poisoncake

Poisoncake is a Trojan horse for Android devices that opens a back door on the compromised device. It may also download potentially malicious files and steal information.

The tag is: misp-galaxy:android="Poisoncake"

Table 305. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-010610-0726-99

Pontiflex

Pontiflex is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Pontiflex"

Table 306. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-0946-99

Positmob

Positmob is a Trojan horse program for Android devices that sends SMS messages to premium rate phone numbers.

The tag is: misp-galaxy:android="Positmob"

Table 307. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111409-1556-99

Premiumtext

Premiumtext is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. These Trojans will often be repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace.

The tag is: misp-galaxy:android="Premiumtext"

Table 308. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-080213-5308-99

Pris

Pris is a Trojan horse for Android devices that silently downloads a malicious application and attempts to open a back door on the compromised device.

The tag is: misp-galaxy:android="Pris"

Table 309. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-061820-5638-99

Qdplugin

Qdplugin is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Qdplugin"

Table 310. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-102510-3330-99

Qicsomos

Qicsomos is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Qicsomos"

Table 311. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011007-2223-99

Qitmo

Qitmo is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Qitmo"

Table 312. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030716-4923-99

Rabbhome

Rabbhome is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Rabbhome"

Table 313. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-3750-99

Repane

Repane is a Trojan horse for Android devices that steals information and sends SMS messages from the compromised device.

The tag is: misp-galaxy:android="Repane"

Table 314. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99

Reputation.1

Reputation.1 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.1"

Table 315. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022612-2619-99

Reputation.2

Reputation.2 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.2"

Table 316. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-2629-99

Reputation.3

Reputation.3 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.3"

Table 317. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-3126-99

RevMob

RevMob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="RevMob"

Table 318. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040308-0502-99

Roidsec

Roidsec is a Trojan horse for Android devices that steals confidential information.

The tag is: misp-galaxy:android="Roidsec"

Table 319. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99

Rootcager

Rootcager is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Rootcager"

Table 320. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-030212-1438-99

Rootnik

Rootnik is a Trojan horse for Android devices that steals information and downloads additional apps.

The tag is: misp-galaxy:android="Rootnik"

Rootnik has relationships with:

  • similar: misp-galaxy:malpedia="Rootnik" with estimative-language:likelihood-probability="likely"

Table 321. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99

Rufraud

Rufraud is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Rufraud"

Table 322. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121306-2304-99

Rusms

Rusms is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.

The tag is: misp-galaxy:android="Rusms"

Table 323. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061711-5009-99

Samsapo

Samsapo is a worm for Android devices that spreads by sending SMS messages to all contacts stored on the compromised device. It also opens a back door and downloads files.

The tag is: misp-galaxy:android="Samsapo"

Table 324. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-050111-1908-99

Sandorat

Sandorat is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals information.

The tag is: misp-galaxy:android="Sandorat"

Table 325. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-110720-2146-99

Sberick

Sberick is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sberick"

Table 326. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071014-2146-99

Scartibro

Scartibro is a Trojan horse for Android devices that locks the compromised device and asks the user to pay in order to unlock it.

The tag is: misp-galaxy:android="Scartibro"

Table 327. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-080718-2038-99

Scipiex

Scipiex is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Scipiex"

Table 328. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-100814-4702-99

Selfmite

Selfmite is a worm for Android devices that spreads through SMS messages.

The tag is: misp-galaxy:android="Selfmite"

Table 329. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-070111-5857-99

Selfmite.B

Selfmite.B is a worm for Android devices that displays ads on the compromised device. It spreads through SMS messages.

The tag is: misp-galaxy:android="Selfmite.B"

Table 330. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101013-4717-99

SellARing

SellARing is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="SellARing"

Table 331. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-3157-99

SendDroid

SendDroid is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="SendDroid"

Table 332. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-2111-99

Simhosy

Simhosy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Simhosy"

Table 333. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061013-3955-99

Simplocker

Simplocker is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.

The tag is: misp-galaxy:android="Simplocker"

Table 334. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99

Simplocker.B

Simplocker.B is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.

The tag is: misp-galaxy:android="Simplocker.B"

Table 335. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-072317-1950-99

Skullkey

Skullkey is a Trojan horse for Android devices that gives the attacker remote control of the compromised device to perform malicious activity.

The tag is: misp-galaxy:android="Skullkey"

Table 336. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99

Smaato

Smaato is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Smaato"

Table 337. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052622-1755-99

Smbcheck

Smbcheck is a hacktool for Android devices that can trigger a Server Message Block version 2 (SMBv2) vulnerability and may cause the target computer to crash.

The tag is: misp-galaxy:android="Smbcheck"

Table 338. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-5634-99

Smsblocker

Smsblocker is a generic detection for threats on Android devices that block the transmission of SMS messages.

The tag is: misp-galaxy:android="Smsblocker"

Table 339. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081607-4001-99

Smsbomber

Smsbomber is a program that can be used to send messages to contacts on the device.

The tag is: misp-galaxy:android="Smsbomber"

Table 340. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-112611-5837-99

Smslink

Smslink is a Trojan horse for Android devices that may send malicious SMS messages from the compromised device. It may also display advertisements.

The tag is: misp-galaxy:android="Smslink"

Table 341. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-112600-3035-99

Smspacem

Smspacem is a Trojan horse that may send SMS messages from Android devices.

The tag is: misp-galaxy:android="Smspacem"

Table 342. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-052310-1322-99

SMSReplicator

SMSReplicator is a spying utility that will secretly transmit incoming SMS messages to another phone of the installer’s choice.

The tag is: misp-galaxy:android="SMSReplicator"

Table 343. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-110214-1252-99

Smssniffer

Smssniffer is a Trojan horse that intercepts SMS messages on Android devices.

The tag is: misp-galaxy:android="Smssniffer"

Table 344. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071108-3626-99

Smsstealer

Smsstealer is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Smsstealer"

Table 345. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121514-0214-99

Smstibook

Smstibook is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Smstibook"

Table 346. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-051207-4833-99

Smszombie

Smszombie is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Smszombie"

Table 347. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082011-0922-99

Snadapps

Snadapps is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Snadapps"

Table 348. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071807-3111-99

Sockbot

Sockbot is a Trojan horse for Android devices that creates a SOCKS proxy on the compromised device.

The tag is: misp-galaxy:android="Sockbot"

Table 349. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-101314-1353-99

Sockrat

Sockrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Sockrat"

Sockrat has relationships with:

  • similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 350. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99

Sofacy

Sofacy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sofacy"

Sofacy has relationships with:

  • similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"

Table 351. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99
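The "The tag is:" lines and the "similar:" relationship bullets in the Rootnik, Sockrat and Sofacy entries above follow a fixed syntax: a tag is misp-galaxy:<galaxy>="<value>", and each relationship names a target tag plus an estimative-language:likelihood-probability qualifier. The Python below is an added example, not part of the MISP galaxy JSON or of PyMISP; it parses both forms and pivots from one cluster to its related clusters at or above a chosen likelihood. The sample bullet lines are copied from the Sockrat and Sofacy entries; the numeric probability bands are an assumption taken from ICD 203, which the MISP estimative-language taxonomy follows, and the \" escaping rule for quotes inside a value is also an assumption of this parser.

```python
"""Parse MISP galaxy tags and the 'similar' relationship lines rendered above.

Added example; it is not part of the MISP galaxy JSON or of PyMISP. The sample
relationship lines are copied from the Sockrat and Sofacy entries on this page.
The numeric probability bands are an assumption taken from ICD 203, which the
MISP estimative-language taxonomy follows.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# misp-galaxy:<galaxy>="<value>": the value is double-quoted; a literal double
# quote inside it is assumed to be escaped as \" for this parser.
_TAG_RE = re.compile(r'^misp-galaxy:([A-Za-z0-9_.-]+)="((?:[^"\\]|\\.)*)"$')

# One rendered bullet:
#   • similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"
_REL_RE = re.compile(
    r'^\s*(?:•\s*)?(?P<relation>[a-z-]+):\s*'
    r'(?P<target>misp-galaxy:[A-Za-z0-9_.-]+="(?:[^"\\]|\\.)*")'
    r'(?:\s+with\s+estimative-language:likelihood-probability="(?P<likelihood>[a-z-]+)")?\s*$'
)

# Lower bound of each ICD 203 band (assumption, see module docstring).
LIKELIHOOD_LOWER_BOUND: Dict[str, float] = {
    "almost-no-chance": 0.01, "very-unlikely": 0.05, "unlikely": 0.20,
    "roughly-even-chance": 0.45, "likely": 0.55, "very-likely": 0.80,
    "almost-certain": 0.95,
}


class Relationship(NamedTuple):
    source: str                 # tag of the cluster carrying the relationship
    relation: str               # e.g. "similar"
    target: str                 # tag of the related cluster
    likelihood: Optional[str]   # estimative-language value, None if absent


def is_galaxy_tag(tag: str) -> bool:
    return _TAG_RE.match(tag) is not None


def parse_galaxy_tag(tag: str) -> Tuple[str, str]:
    """Split a tag into (galaxy, value); raises ValueError on malformed input."""
    m = _TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"not a misp-galaxy tag: {tag!r}")
    galaxy, raw_value = m.groups()
    return galaxy, raw_value.replace('\\"', '"')


def format_galaxy_tag(galaxy: str, value: str) -> str:
    """Inverse of parse_galaxy_tag, escaping embedded double quotes."""
    escaped = value.replace('"', '\\"')
    return f'misp-galaxy:{galaxy}="{escaped}"'


def parse_relationship_line(source_tag: str, line: str) -> Optional[Relationship]:
    """Parse one rendered bullet; returns None for lines that are not relationships."""
    m = _REL_RE.match(line)
    if m is None or not is_galaxy_tag(m.group("target")):
        return None
    return Relationship(source_tag, m.group("relation"), m.group("target"), m.group("likelihood"))


def build_index(entries: Dict[str, List[str]]) -> Dict[str, List[Relationship]]:
    """{source tag: [rendered bullet lines]} -> {source tag: [Relationship]}."""
    index: Dict[str, List[Relationship]] = {}
    for source, lines in entries.items():
        parse_galaxy_tag(source)  # reject malformed source tags early
        parsed = (parse_relationship_line(source, line) for line in lines)
        index[source] = [rel for rel in parsed if rel is not None]
    return index


def related_clusters(index: Dict[str, List[Relationship]], tag: str,
                     min_likelihood: str = "likely") -> List[str]:
    """Targets of `tag` whose stated likelihood band is at least `min_likelihood`.

    Relationships with no likelihood qualifier, or with an unknown band, are
    dropped rather than guessed at, so a pivot never silently widens.
    """
    floor = LIKELIHOOD_LOWER_BOUND[min_likelihood]
    return [rel.target for rel in index.get(tag, [])
            if rel.likelihood is not None
            and LIKELIHOOD_LOWER_BOUND.get(rel.likelihood, -1.0) >= floor]


SAMPLE_ENTRIES = {  # copied from the Sockrat and Sofacy entries above
    'misp-galaxy:android="Sockrat"': [
        '  • similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"',
        '  • similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"',
        '  • similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"',
        '  • similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"',
    ],
    'misp-galaxy:android="Sofacy"': [
        '  • similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"',
        '  • similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"',
        '  • similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"',
    ],
}

if __name__ == "__main__":
    idx = build_index(SAMPLE_ENTRIES)
    for tag in SAMPLE_ENTRIES:
        print(tag, "->", related_clusters(idx, tag))
```

Every relationship on this page is qualified as "likely", so pivoting with the default threshold returns all four Adwind clusters for Sockrat, while asking for "very-likely" returns nothing. Relationships that carry no qualifier are excluded on purpose: in an enrichment pipeline an unqualified "similar" is weaker evidence than an explicit band, and a pivot that widens silently is how an Android cluster ends up tagged with an unrelated Windows RAT.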

Sosceo

Sosceo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Sosceo"

Table 352. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040408-0609-99

Spitmo

Spitmo is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Spitmo"

Table 353. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-091407-1435-99

Spitmo.B

Spitmo.B is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Spitmo.B"

Table 354. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-0445-99

Spyagent

Spyagent is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.

The tag is: misp-galaxy:android="Spyagent"

Table 355. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090710-1836-99

Spybubble

Spybubble is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Spybubble"

Table 356. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121917-0335-99

Spydafon

Spydafon is a Potentially Unwanted Application for Android devices that monitors the affected device.

The tag is: misp-galaxy:android="Spydafon"

Table 357. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030722-4740-99

Spymple

Spymple is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Spymple"

Table 358. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-5403-99

Spyoo

Spyoo is a spyware program for Android devices that records and sends certain information to a remote location.

The tag is: misp-galaxy:android="Spyoo"

Table 359. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081709-0457-99

Spytekcell

Spytekcell is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Spytekcell"

Table 360. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121021-0730-99

Spytrack

Spytrack is a spyware program for Android devices that periodically sends certain information to a remote location.

The tag is: misp-galaxy:android="Spytrack"

Table 361. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080109-5710-99

Spywaller

Spywaller is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Spywaller"

Table 362. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-121807-0203-99

Stealthgenie

Stealthgenie is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Stealthgenie"

Table 363. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99

Steek

Steek is a potentially unwanted application that is placed on a download website for Android applications and disguised as popular applications.

The tag is: misp-galaxy:android="Steek"

Table 364. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-010911-3142-99

Stels

Stels is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Stels"

Table 365. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-032910-0254-99

Stiniter

Stiniter is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Stiniter"

Table 366. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-030903-5228-99

Sumzand

Sumzand is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Sumzand"

Table 367. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080308-2851-99

Sysecsms

Sysecsms is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sysecsms"

Table 368. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-122714-5228-99

Tanci

Tanci is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tanci"

Table 369. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4108-99

Tapjoy

Tapjoy is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tapjoy"

Table 370. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-4702-99

Tapsnake

Tapsnake is a Trojan horse for Android phones that is embedded into a game. It tracks the phone’s location and posts it to a remote web service.

The tag is: misp-galaxy:android="Tapsnake"

Table 371. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-081214-2657-99

Tascudap

Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks.

The tag is: misp-galaxy:android="Tascudap"

Table 372. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-121312-4547-99

Teelog

Teelog is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Teelog"

Table 373. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040215-2736-99

Temai

Temai is a Trojan horse for Android devices that opens a back door and downloads malicious files onto the compromised device.

The tag is: misp-galaxy:android="Temai"

Table 374. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99

Tetus

Tetus is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Tetus"

Table 375. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-012409-4705-99

Tgpush

Tgpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tgpush"

Table 376. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032816-0259-99

Tigerbot

Tigerbot is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Tigerbot"

Table 377. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041010-2221-99

Tonclank

Tonclank is a Trojan horse that steals information and may open a back door on Android devices.

The tag is: misp-galaxy:android="Tonclank"

Table 378. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99

Trogle

Trogle is a worm for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Trogle"

Table 379. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-081213-5553-99

Twikabot

Twikabot is a Trojan horse for Android devices that attempts to steal information.

The tag is: misp-galaxy:android="Twikabot"

Table 380. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062614-5813-99

Uapush

Uapush is a Trojan horse for Android devices that steals information from the compromised device. It may also display advertisements and send SMS messages from the compromised device.

The tag is: misp-galaxy:android="Uapush"

Table 381. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040114-2910-99

Umeng

Umeng is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Umeng"

Table 382. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5749-99

Updtbot

Updtbot is a Trojan horse for Android devices that may arrive through SMS messages. It may then open a back door on the compromised device.

The tag is: misp-galaxy:android="Updtbot"

Table 383. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041611-4136-99

Upush

Upush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Upush"

Table 384. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-0733-99

Uracto

Uracto is a Trojan horse for Android devices that steals personal information and sends spam SMS messages to contacts found on the compromised device.

The tag is: misp-galaxy:android="Uracto"

Table 385. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-031805-2722-99

Uranico

Uranico is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Uranico"

Table 386. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-052803-3835-99

Usbcleaver

Usbcleaver is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Usbcleaver"

Table 387. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99

Utchi

Utchi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Utchi"

Table 388. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-2536-99

Uten

Uten is a Trojan horse for Android devices that may send, block, and delete SMS messages on a compromised device. It may also download and install additional applications and attempt to gain root privileges.

The tag is: misp-galaxy:android="Uten"

Table 389. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-092316-4752-99

Uupay

Uupay is a Trojan horse for Android devices that steals information from the compromised device. It may also download additional malware.

The tag is: misp-galaxy:android="Uupay"

Table 390. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061714-1550-99

Uxipp

Uxipp is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Uxipp"

Table 391. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99

Vdloader

Vdloader is a Trojan horse for Android devices that opens a back door on the compromised device and steals confidential information.

The tag is: misp-galaxy:android="Vdloader"

Table 392. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080209-1420-99

VDopia

VDopia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="VDopia"

Table 393. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-1559-99

Virusshield

Virusshield is a Trojan horse for Android devices that claims to scan apps and protect personal information, but has no real functionality.

The tag is: misp-galaxy:android="Virusshield"

Table 394. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040810-5457-99

VServ

VServ is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="VServ"

Table 395. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-3117-99

Walkinwat

Walkinwat is a Trojan horse that steals information from the compromised device.

The tag is: misp-galaxy:android="Walkinwat"

Table 396. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-033008-4831-99

Waps

Waps is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Waps"

Table 397. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040406-5437-99

Waren

Waren is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Waren"

Table 398. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5501-99

Windseeker

Windseeker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Windseeker"

Table 399. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101519-0720-99

Wiyun

Wiyun is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wiyun"

Table 400. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-5646-99

Wooboo

Wooboo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wooboo"

Table 401. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-5829-99

Wqmobile

Wqmobile is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wqmobile"

Table 402. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4926-99

YahooAds

YahooAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="YahooAds"

Table 403. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-3229-99

Yatoot

Yatoot is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Yatoot"

Table 404. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-031408-4748-99

Yinhan

Yinhan is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Yinhan"

Table 405. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-3350-99

Youmi

Youmi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Youmi"

Table 406. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4318-99

YuMe

YuMe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="YuMe"

Table 407. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-0322-99

Zeahache

Zeahache is a Trojan horse that elevates privileges on the compromised device.

The tag is: misp-galaxy:android="Zeahache"

Table 408. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-032309-5042-99

ZertSecurity

ZertSecurity is a Trojan horse for Android devices that steals information and sends it to a remote attacker.

The tag is: misp-galaxy:android="ZertSecurity"

Table 409. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-050820-4100-99

ZestAdz

ZestAdz is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ZestAdz"

Table 410. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052616-3821-99

Zeusmitmo

Zeusmitmo is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Zeusmitmo"

Table 411. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99

SLocker

The SLocker family is one of the oldest Android lock-screen and file-encrypting ransomware families; its early variants impersonated law enforcement agencies to pressure victims into paying the ransom.

The tag is: misp-galaxy:android="SLocker"

SLocker is also known as:

  • SMSLocker

Table 412. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/

http://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/

Loapi

Loapi is a modular Android malware strain that can physically damage a phone if it is not removed. Left running, it downloads a Monero cryptocurrency miner that overworks and overheats the phone's components, enough to make the battery bulge and deform the phone's cover, or worse. It was discovered by Kaspersky Lab, whose researchers say Loapi appears to have evolved from Podec, an SMS Trojan first spotted in 2015.

The tag is: misp-galaxy:android="Loapi"

Table 413. Table References

Links

https://www.bleepingcomputer.com/news/security/android-malware-will-destroy-your-phone-no-ifs-and-buts-about-it/

Podec

Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015. The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.

The tag is: misp-galaxy:android="Podec"

Table 414. Table References

Links

https://securelist.com/sms-trojan-bypasses-captcha/69169//

Chamois

Chamois is one of the largest PHA families in Android to date and is distributed through multiple channels. While much of the backdoor version of this family was cleaned up in 2016, a new variant emerged in 2017. To avoid detection, this version employs a number of techniques, such as implementing custom code obfuscation, preventing user notifications, and not appearing in the device’s app list. Chamois apps, which in many cases come preloaded with the system image, try to trick users into clicking ads by displaying deceptive graphics to commit WAP or SMS fraud.

The tag is: misp-galaxy:android="Chamois"

Table 415. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html

IcicleGum

IcicleGum is a spyware PHA family whose apps rely on versions of the Igexin ads SDK that offer dynamic code-loading support. IcicleGum apps use this library’s code-loading features to fetch encrypted DEX files over HTTP from command-and-control servers. The files are then decrypted and loaded via class reflection to read and send phone call logs and other data to remote locations.

The tag is: misp-galaxy:android="IcicleGum"

IcicleGum has relationships with:

  • similar: misp-galaxy:android="Igexin" with estimative-language:likelihood-probability="likely"

Table 416. Table References

Links

https://blog.lookout.com/igexin-malicious-sdk

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

BreadSMS

BreadSMS is a large SMS-fraud PHA family that we started tracking at the beginning of 2017. These apps compose and send text messages to premium numbers without the user’s consent. In some cases, BreadSMS apps also implement subscription-based SMS fraud and silently enroll users in services provided by their mobile carriers. These apps are linked to a group of command-and-control servers whose IP addresses change frequently and that are used to provide the apps with premium SMS numbers and message text.

The tag is: misp-galaxy:android="BreadSMS"

Table 417. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

JamSkunk

JamSkunk is a toll-fraud PHA family composed of apps that subscribe users to services without their consent. These apps disable Wi-Fi to force traffic to go through the user's mobile data connection and then contact command-and-control servers to dynamically fetch code that tries to bypass the network's WAP service subscription verification steps. This type of PHA monetizes its abuse via WAP billing, a payment method that works through mobile data connections and allows users to easily sign up and pay for new services using their existing account (i.e., services are billed directly by the carrier, not the service provider; the user does not need a new account or a different form of payment). Once authentication is bypassed, JamSkunk apps enroll the device in services that the user may not notice until they receive and read their next bill.

The tag is: misp-galaxy:android="JamSkunk"

Table 418. Table References

Links

https://blog.fosec.vn/malicious-applications-stayed-at-google-appstore-for-months-d8834ff4de59

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

Expensive Wall

Expensive Wall is a family of SMS-fraud apps that affected a large number of devices in 2017. Expensive Wall apps use code obfuscation to slow down analysis and evade detection, and rely on the JS2Java bridge to allow JavaScript code loaded inside a Webview to call Java methods the way Java apps directly do. Upon launch, Expensive Wall apps connect to command-and-control servers to fetch a domain name. This domain is then contacted via a Webview instance that loads a webpage and executes JavaScript code that calls Java methods to compose and send premium SMS messages or click ads without users' knowledge.

The tag is: misp-galaxy:android="Expensive Wall"

Table 419. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

BambaPurple

BambaPurple is a two-stage toll-fraud PHA family that tries to trick users into installing it by disguising itself as a popular app. After install, the app disables Wi-Fi to force the device to use its 3G connection, then redirects to subscription pages without the user’s knowledge, clicks subscription buttons using downloaded JavaScript, and intercepts incoming subscription SMS messages to prevent the user from unsubscribing. In a second stage, BambaPurple installs a backdoor app that requests device admin privileges and drops a .dex file. This executable checks to make sure it is not being debugged, downloads even more apps without user consent, and displays ads.

The tag is: misp-galaxy:android="BambaPurple"

Table 420. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

KoreFrog

KoreFrog is a family of trojan apps that request permission to install packages and push other apps onto the device as system apps without the user’s authorization. System apps can be disabled by the user, but cannot be easily uninstalled. KoreFrog apps operate as daemons running in the background that try to impersonate Google and other system apps by using misleading names and icons to avoid detection. The KoreFrog PHA family has also been observed to serve ads, in addition to apps.

The tag is: misp-galaxy:android="KoreFrog"

Table 421. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

Gaiaphish

Gaiaphish is a large family of trojan apps that target authentication tokens stored on the device to abuse the user's privileges for various purposes. These apps use base64-encoded URL strings to avoid detection of the command-and-control servers they rely on to download APK files. These files contain phishing apps that try to steal GAIA authentication tokens that grant the user permissions to access Google services, such as Google Play, Google+, and YouTube. With these tokens, Gaiaphish apps are able to generate spam and automatically post content (for instance, fake app ratings and comments on Google Play app pages).

The tag is: misp-galaxy:android="Gaiaphish"

Table 422. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

RedDrop

RedDrop can perform a vast array of malicious actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive.

The tag is: misp-galaxy:android="RedDrop"

Table 423. Table References

Links

https://www.bleepingcomputer.com/news/security/new-reddrop-android-spyware-records-nearby-audio/

HenBox

HenBox apps masquerade as other apps such as VPN apps and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of the legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores. HenBox apps appear to primarily target the Uyghurs, a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. HenBox apps target devices made by the Chinese consumer electronics manufacturer Xiaomi and those running MIUI, Xiaomi's operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps; however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds to steal information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.

The tag is: misp-galaxy:android="HenBox"

Table 424. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/

MysteryBot

Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.

The tag is: misp-galaxy:android="MysteryBot"

MysteryBot has relationships with:

  • similar: misp-galaxy:malpedia="MysteryBot" with estimative-language:likelihood-probability="likely"

Table 425. Table References

Links

https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/

Skygofree

At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals. We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy. Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild. We named the malware Skygofree, because we found the word in one of the domains.

The tag is: misp-galaxy:android="Skygofree"

Skygofree has relationships with:

  • similar: misp-galaxy:malpedia="Skygofree" with estimative-language:likelihood-probability="likely"

Table 426. Table References

Links

https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

BusyGasper

A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.

The tag is: misp-galaxy:android="BusyGasper"

Table 427. Table References

Links

https://www.bleepingcomputer.com/news/security/unsophisticated-android-spyware-monitors-device-sensors/

Triout

Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.

The tag is: misp-galaxy:android="Triout"

Table 428. Table References

Links

https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/

Backdoor

A list of backdoor malware.

Backdoor is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

raw-data

WellMess

Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.

The tag is: misp-galaxy:backdoor="WellMess"

WellMess has relationships with:

  • similar: misp-galaxy:malpedia="WellMess" with estimative-language:likelihood-probability="likely"

Table 429. Table References

Links

https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html

Rosenbridge

The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.

While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.

The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU’s memory, but its register file and execution pipeline as well.

The tag is: misp-galaxy:backdoor="Rosenbridge"

Table 430. Table References

Links

https://www.bleepingcomputer.com/news/security/backdoor-mechanism-discovered-in-via-c3-x86-processors/

https://github.com/xoreaxeaxeax/rosenbridge

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Christopher%20Domas/DEFCON-26-Christopher-Domas-GOD-MODE-%20UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf

Banker

A list of banker malware.

Banker is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown - raw-data

Zeus

Zeus is a trojan horse that is primarily delivered via drive-by downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Its source code was leaked in 2011.

The tag is: misp-galaxy:banker="Zeus"

Zeus is also known as:

  • Zbot

Zeus has relationships with:

  • similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"

Table 431. Table References

Links

https://usa.kaspersky.com/resource-center/threats/zeus-virus

Vawtrak

Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.

The tag is: misp-galaxy:banker="Vawtrak"

Vawtrak is also known as:

  • Neverquest

Vawtrak has relationships with:

  • similar: misp-galaxy:tool="Vawtrak" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Vawtrak" with estimative-language:likelihood-probability="likely"

Table 432. Table References

Links

https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/

https://www.fidelissecurity.com/threatgeek/2016/05/vawtrak-trojan-bank-it-evolving

https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows

https://www.botconf.eu/wp-content/uploads/2016/11/2016-Vawtrak-technical-report.pdf

Dridex

Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.

The tag is: misp-galaxy:banker="Dridex"

Dridex is also known as:

  • Feodo Version D

Dridex has relationships with:

  • similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dridex" with estimative-language:likelihood-probability="likely"

Table 433. Table References

Links

https://blog.malwarebytes.com/detections/trojan-dridex/

https://feodotracker.abuse.ch/

Gozi

Banking trojan delivered primarily via email (typically malspam) and exploit kits. The Gozi 1.0 source code leaked in 2010.

The tag is: misp-galaxy:banker="Gozi"

Gozi is also known as:

  • Ursnif

  • CRM

  • Snifula

  • Papras

Gozi has relationships with:

  • similar: misp-galaxy:tool="Snifula" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Gozi" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Snifula" with estimative-language:likelihood-probability="likely"

Table 434. Table References

Links

https://www.secureworks.com/research/gozi

https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007

https://lokalhost.pl/gozi_tree.txt

Goziv2

Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.

The tag is: misp-galaxy:banker="Goziv2"

Goziv2 is also known as:

  • Prinimalka

Table 435. Table References

Links

https://krebsonsecurity.com/tag/gozi-prinimalka/

https://securityintelligence.com/project-blitzkrieg-how-to-block-the-planned-prinimalka-gozi-trojan-attack/

https://lokalhost.pl/gozi_tree.txt

Gozi ISFB

Banking trojan based on the Gozi source. Features include web injects for the victims' browsers, screenshotting, video recording, transparent redirections, etc. Its source code leaked around the end of 2015.

The tag is: misp-galaxy:banker="Gozi ISFB"

Gozi ISFB has relationships with:

  • similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"

Table 436. Table References

Links

https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak

https://lokalhost.pl/gozi_tree.txt

Dreambot

Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.

The tag is: misp-galaxy:banker="Dreambot"

Table 437. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

https://lokalhost.pl/gozi_tree.txt

IAP

Gozi ISFB variant.

The tag is: misp-galaxy:banker="IAP"

IAP has relationships with:

  • similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"

Table 438. Table References

Links

https://lokalhost.pl/gozi_tree.txt

http://archive.is/I7hi8#selection-217.0-217.6

GozNym

The GozNym hybrid takes the best of both Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper's stealth and persistence; the Gozi ISFB parts add the banking trojan's capabilities to facilitate fraud via infected Internet browsers.

The tag is: misp-galaxy:banker="GozNym"

Table 439. Table References

Links

https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/

https://lokalhost.pl/gozi_tree.txt

Zloader Zeus

Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Zloader Zeus"

Zloader Zeus is also known as:

  • Zeus Terdot

Zloader Zeus has relationships with:

  • similar: misp-galaxy:malpedia="Zloader" with estimative-language:likelihood-probability="likely"

Table 440. Table References

Links

https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle

https://www.scmagazine.com/terdot-zloaderzbot-combo-abuses-certificate-app-to-pull-off-mitm-browser-attacks/article/634443/

Zeus VM

Zeus variant that utilizes steganography in image files to retrieve its configuration file.

The tag is: misp-galaxy:banker="Zeus VM"

Zeus VM is also known as:

  • VM Zeus

Zeus VM has relationships with:

  • similar: misp-galaxy:malpedia="VM Zeus" with estimative-language:likelihood-probability="likely"

Table 441. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/

https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/

Zeus Sphinx

Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.

The tag is: misp-galaxy:banker="Zeus Sphinx"

Zeus Sphinx has relationships with:

  • similar: misp-galaxy:malpedia="Zeus Sphinx" with estimative-language:likelihood-probability="likely"

Table 442. Table References

Links

https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/

Panda Banker

Zeus-like banking trojan that is delivered primarily through malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Panda Banker"

Panda Banker is also known as:

  • Zeus Panda

Table 443. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf

https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers

Zeus KINS

Zeus KINS is a modified version of ZeuS 2.0.8.9. It stores an encrypted version of its config in the registry.

The tag is: misp-galaxy:banker="Zeus KINS"

Zeus KINS is also known as:

  • Kasper Internet Non-Security

  • Maple

Zeus KINS has relationships with:

  • similar: misp-galaxy:malpedia="KINS" with estimative-language:likelihood-probability="likely"

Table 444. Table References

Links

https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/

https://github.com/nyx0/KINS

Chthonic

According to Kaspersky, Chthonic is an evolution of Zeus VM. It uses the same encryptor as the Andromeda bot, the same encryption scheme as the Zeus AES and Zeus V2 trojans, and a virtual machine similar to that used in the ZeusVM and KINS malware.

The tag is: misp-galaxy:banker="Chthonic"

Chthonic is also known as:

  • Chtonic

Chthonic has relationships with:

  • similar: misp-galaxy:malpedia="Chthonic" with estimative-language:likelihood-probability="likely"

Table 445. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan

https://securelist.com/chthonic-a-new-modification-of-zeus/68176/

Trickbot

Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan.

The tag is: misp-galaxy:banker="Trickbot"

Trickbot is also known as:

  • Trickster

  • Trickloader

Trickbot has relationships with:

  • similar: misp-galaxy:tool="Trick Bot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TrickBot" with estimative-language:likelihood-probability="likely"

Table 446. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/

http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html

https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-starts-stealing-windows-problem-history/

Dyre

Dyre is a banking trojan distributed primarily via exploit kits and malspam emails. It has a modular architecture and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.

The tag is: misp-galaxy:banker="Dyre"

Dyre is also known as:

  • Dyreza

Dyre has relationships with:

  • similar: misp-galaxy:mitre-enterprise-attack-malware="Dyre - S0024" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dyre" with estimative-language:likelihood-probability="likely"

Table 447. Table References

Links

https://www.secureworks.com/research/dyre-banking-trojan

https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/

Tinba

Tinba is a very small banking trojan that hooks into browsers, steals login data and sniffs network traffic. It also uses Man-in-the-Browser (MiTB) techniques and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.

The tag is: misp-galaxy:banker="Tinba"

Tinba is also known as:

  • Zusy

  • TinyBanker

  • illi

Tinba has relationships with:

  • similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Tinba" with estimative-language:likelihood-probability="likely"

Table 448. Table References

Links

https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/

http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/

https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/

http://my.infotex.com/tiny-banker-trojan/

Geodo

Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.

The tag is: misp-galaxy:banker="Geodo"

Geodo is also known as:

  • Feodo Version C

  • Emotet

Geodo has relationships with:

  • similar: misp-galaxy:tool="Emotet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Geodo" with estimative-language:likelihood-probability="likely"

Table 449. Table References

Links

https://feodotracker.abuse.ch/

http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/

https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/

https://www.bleepingcomputer.com/news/security/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks/

https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet

https://cofense.com/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links/

Feodo

Feodo is a banking trojan that utilizes web injects and is also capable of monitoring and manipulating cookies. Version A uses port 8080 and Version B uses port 80. It is delivered primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Feodo"

Feodo is also known as:

  • Bugat

  • Cridex

Feodo has relationships with:

  • similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Feodo" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Bugat" with estimative-language:likelihood-probability="likely"

Table 450. Table References

Links

https://securelist.com/dridex-a-history-of-evolution/78531/

https://feodotracker.abuse.ch/

http://stopmalvertising.com/rootkits/analysis-of-cridex.html

Ramnit

Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of performing Man-in-the-Browser attacks. Distributed primarily via exploit kits.

The tag is: misp-galaxy:banker="Ramnit"

Ramnit is also known as:

  • Nimnul

Ramnit has relationships with:

  • similar: misp-galaxy:botnet="Ramnit" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"

Table 451. Table References

Links

https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/

Qakbot

Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.

The tag is: misp-galaxy:banker="Qakbot"

Qakbot is also known as:

  • Qbot

  • Pinkslipbot

Qakbot has relationships with:

  • similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="likely"

Table 452. Table References

Links

https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/

https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/

https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf

Corebot

Corebot is a modular trojan that leverages a banking module capable of browser hooking, form grabbing, MitM and webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Corebot"

Corebot has relationships with:

  • similar: misp-galaxy:malpedia="Corebot" with estimative-language:likelihood-probability="likely"

Table 453. Table References

Links

https://securityintelligence.com/an-overnight-sensation-corebot-returns-as-a-full-fledged-financial-malware/

https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf

https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/

TinyNuke

TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and a reverse SOCKS 4 server. Its main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="TinyNuke"

TinyNuke is also known as:

  • NukeBot

  • Nuclear Bot

  • MicroBankingTrojan

  • Xbot

TinyNuke has relationships with:

  • similar: misp-galaxy:mitre-mobile-attack-tool="Xbot - MOB-S0014" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Xbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TinyNuke" with estimative-language:likelihood-probability="likely"

Table 454. Table References

Links

https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/

https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/

https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596

https://benkowlab.blogspot.ca/2017/08/quick-look-at-another-alina-fork-xbot.html

Retefe

Retefe is a banking trojan distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation-based targeting. It installs a fake root certificate and changes the DNS server used for name resolution so that fake banking websites can be displayed to victims. It is spread primarily through malspam emails.

The tag is: misp-galaxy:banker="Retefe"

Retefe is also known as:

  • Tsukuba

  • Werdlod

Retefe has relationships with:

  • similar: misp-galaxy:malpedia="Retefe (Windows)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"

Table 455. Table References

Links

https://www.govcert.admin.ch/blog/33/the-retefe-saga

https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/

https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/

https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/

http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/

ReactorBot

ReactorBot is sometimes mistakenly tagged as Rovnix. It is a full-fledged modular bot that includes a banking module with roots in the Carberp banking trojan. Distributed primarily via malspam emails.

The tag is: misp-galaxy:banker="ReactorBot"

ReactorBot has relationships with:

  • similar: misp-galaxy:malpedia="ReactorBot" with estimative-language:likelihood-probability="likely"

Table 456. Table References

Links

http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html

https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under

http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html

http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/

Matrix Banker

Matrix Banker is named after the Matrix reference in its C2 panel. Distributed primarily via malspam emails.

The tag is: misp-galaxy:banker="Matrix Banker"

Matrix Banker has relationships with:

  • similar: misp-galaxy:malpedia="Matrix Banker" with estimative-language:likelihood-probability="likely"

Table 457. Table References

Links

https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/

Zeus Gameover

Zeus Gameover captures banking credentials from infected computers, then uses those credentials to initiate or redirect wire transfers to accounts overseas that are controlled by the criminals. Gameover has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Zeus Gameover"

Table 458. Table References

Links

https://heimdalsecurity.com/blog/zeus-gameover/

https://www.us-cert.gov/ncas/alerts/TA14-150A

SpyEye

SpyEye is a banking trojan similar to Zeus. It uses a web control panel for C2 and can perform form grabbing, credit card autofill, FTP credential grabbing, POP3 credential grabbing and HTTP basic access authentication grabbing. It also contained a "Kill Zeus" feature that would remove any Zeus infection present on the system. Distributed primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="SpyEye"

Table 459. Table References

Links

https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf

https://www.computerworld.com/article/2509482/security0/spyeye-trojan-defeating-online-banking-defenses.html

https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot

Citadel

Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.

The tag is: misp-galaxy:banker="Citadel"

Citadel has relationships with:

  • similar: misp-galaxy:malpedia="Citadel" with estimative-language:likelihood-probability="likely"

Table 460. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/

https://krebsonsecurity.com/tag/citadel-trojan/

https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/

Atmos

Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Atmos"

Table 461. Table References

Links

https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/

http://www.xylibox.com/2016/02/citadel-0011-atmos.html

Ice IX

Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.

The tag is: misp-galaxy:banker="Ice IX"

Ice IX has relationships with:

  • similar: misp-galaxy:malpedia="Ice IX" with estimative-language:likelihood-probability="likely"

Table 462. Table References

Links

https://securelist.com/ice-ix-not-cool-at-all/29111/

Zitmo

Zeus in the mobile: a banking trojan developed for mobile platforms such as Windows Mobile, BlackBerry and Android.

The tag is: misp-galaxy:banker="Zitmo"

Table 463. Table References

Links

https://securelist.com/zeus-in-the-mobile-for-android-10/29258/

Licat

Banking trojan based on Zeus v2. Murofet is a newer version of Licat found around the end of 2011.

The tag is: misp-galaxy:banker="Licat"

Licat is also known as:

  • Murofet

Licat has relationships with:

  • similar: misp-galaxy:malpedia="Murofet" with estimative-language:likelihood-probability="likely"

Table 464. Table References

Links

https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3aWin32%2fMurofet.A

Skynet

Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and banking capabilities. Spread via Usenet according to Rapid7.

The tag is: misp-galaxy:banker="Skynet"

Table 465. Table References

Links

https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/

IcedID

According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.

The tag is: misp-galaxy:banker="IcedID"

IcedID has relationships with:

  • similar: misp-galaxy:malpedia="IcedID" with estimative-language:likelihood-probability="likely"

Table 466. Table References

Links

https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/

https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/

http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html

GratefulPOS

GratefulPOS has the following functions:

  1. Access arbitrary processes on the target POS system.

  2. Scrape track 1 and track 2 payment card data from those processes.

  3. Exfiltrate the card data via lengthy encoded and obfuscated DNS queries to a hard-coded domain registered and controlled by the perpetrators, similar to the technique described by Paul Rascagneres in his 2014 analysis of FrameworkPOS and, more recently, by Luis Mendieta of Anomali in the analysis of a precursor to this sample.

The tag is: misp-galaxy:banker="GratefulPOS"

GratefulPOS has relationships with:

  • similar: misp-galaxy:tool="GratefulPOS" with estimative-language:likelihood-probability="likely"

Table 467. Table References

Links

https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season
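The DNS exfiltration channel described above, many long encoded labels under one hard-coded domain, is something a defender can hunt for in resolver logs. The block below is an added example, not code from the RSA write-up or from any malware sample. It groups queries per client and registered domain and scores them on label length, character entropy and the share of unique names, so that repeated lookups of one long but stable name (as a cloud AV cache produces) are not flagged. The log format and every query name are constructed for the example, and the registered-domain split simply takes the last two labels, which a real deployment should replace with a Public Suffix List lookup.

```python
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<epoch> <client_ip> <qname> <qtype>".
# The 32-character labels under example.net stand in for encoded card data; the
# repeated label under example.org imitates a benign cloud-lookup cache name.
SAMPLE_LOG = """\
1512720001 10.20.1.15 www.example.com A
1512720002 10.20.1.15 0123456789abcdef0123456789abcdef.example.net TXT
1512720003 10.20.1.15 fedcba9876543210fedcba9876543210.example.net TXT
1512720004 10.20.1.15 1032547698badcfe1032547698badcfe.example.net TXT
1512720005 10.20.1.15 efcdab8967452301efcdab8967452301.example.net TXT
1512720006 10.20.1.15 2301674589abcdef2301674589abcdef.example.net TXT
1512720007 10.20.1.15 abcdef0123456789abcdef0123456789.example.net TXT
1512720008 10.20.1.16 abcdefabcdefabcdef.example.org A
1512720009 10.20.1.16 abcdefabcdefabcdef.example.org A
1512720010 10.20.1.16 abcdefabcdefabcdef.example.org A
1512720011 10.20.1.16 abcdefabcdefabcdef.example.org A
1512720012 10.20.1.16 abcdefabcdefabcdef.example.org A
1512720013 10.20.1.16 mail.example.com MX
"""


def shannon_entropy(s):
    """Bits per character of s; encoded payloads sit near the alphabet maximum."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Split a query name into (payload, registered_domain).

    Assumption: the registered domain is the last two labels. Names under
    multi-label suffixes such as co.uk need the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(log_text):
    """Yield (client, qname) from the constructed log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[1], parts[2]


def detect_dns_exfil(log_text, min_queries=5, min_unique_ratio=0.8,
                     min_mean_len=20, min_mean_entropy=3.0, allowlist=()):
    """Flag (client, domain) pairs whose query names look like data, not names."""
    per_pair = defaultdict(list)
    for client, qname in parse_log(log_text):
        payload, domain = split_qname(qname)
        if domain in allowlist:          # vendors known to use hashed labels
            continue
        per_pair[(client, domain)].append(payload)

    findings = []
    for (client, domain), payloads in per_pair.items():
        n = len(payloads)
        if n < min_queries:
            continue
        unique_ratio = len(set(payloads)) / n
        mean_len = sum(len(p) for p in payloads) / n
        mean_entropy = sum(shannon_entropy(p) for p in payloads) / n
        if (unique_ratio >= min_unique_ratio and mean_len >= min_mean_len
                and mean_entropy >= min_mean_entropy):
            findings.append({
                "client": client, "domain": domain, "queries": n,
                "unique_ratio": unique_ratio, "mean_len": mean_len,
                "mean_entropy": mean_entropy,
                "payload_chars": sum(len(p) for p in payloads),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_dns_exfil(SAMPLE_LOG):
        print(finding)
```

The unique-name ratio is what separates exfiltration from a cache: a POS scraper never sends the same card twice, while an AV cloud lookup repeats the same hash. Tune `min_queries` to the log window you score over, and keep the allowlist short and reviewed.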

Dok

A macOS banking trojan that redirects an infected user’s web traffic in order to extract banking credentials.

The tag is: misp-galaxy:banker="Dok"

Dok has relationships with:

  • similar: misp-galaxy:malpedia="Retefe (Windows)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"

Table 468. Table References

Links

https://objective-see.com/blog/blog_0x25.html#Dok

downAndExec

Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.

The tag is: misp-galaxy:banker="downAndExec"

Table 469. Table References

Links

https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/

Smominru

Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware. The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.

The tag is: misp-galaxy:banker="Smominru"

Smominru is also known as:

  • Ismo

  • lsmo

Smominru has relationships with:

  • similar: misp-galaxy:malpedia="Smominru" with estimative-language:likelihood-probability="likely"

Table 470. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators

DanaBot

It’s a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll)

The tag is: misp-galaxy:banker="DanaBot"

DanaBot has relationships with:

  • similar: misp-galaxy:malpedia="DanaBot" with estimative-language:likelihood-probability="likely"

Table 471. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0

https://www.bleepingcomputer.com/news/security/danabot-banking-malware-now-targeting-banks-in-the-us/
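DanaBot's DLL talking raw TCP to port 443 is a detection opportunity: 443 is expected to carry TLS, so a session whose first client bytes are not a TLS ClientHello deserves a look. The block below is an added example, not DanaBot code and not something published by Proofpoint or BleepingComputer. The flow records are constructed (the binary one is a placeholder, not DanaBot's actual framing), and the check classifies the first client-to-server bytes on port 443 as a TLS ClientHello, a legacy SSLv2-style hello, plaintext HTTP or unknown binary, reporting everything that is not TLS.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

# Constructed flow records, not captured traffic: the first client-to-server
# bytes of each TCP session. The binary one is a placeholder, not DanaBot's framing.
SAMPLE_FLOWS = [
    {"src": "10.20.1.15", "dst": "203.0.113.10", "dport": 443,
     "first_bytes": bytes.fromhex("160301013d010001390303") + b"\x00" * 32},
    {"src": "10.20.1.16", "dst": "203.0.113.20", "dport": 443,
     "first_bytes": b"\x5a\x00\x00\x00\x10\x27\x00\x00" + b"\x11" * 16},
    {"src": "10.20.1.17", "dst": "203.0.113.30", "dport": 443,
     "first_bytes": b"GET /update.bin HTTP/1.1\r\nHost: 203.0.113.30\r\n\r\n"},
    {"src": "10.20.1.18", "dst": "203.0.113.40", "dport": 443,
     "first_bytes": b"\x16\x03"},                       # truncated, not enough to judge
    {"src": "10.20.1.19", "dst": "203.0.113.50", "dport": 80,
     "first_bytes": b"GET / HTTP/1.1\r\n"},              # not 443, ignored
]


def classify_client_bytes(payload):
    """Classify the first bytes a client sent; 'insufficient-data' means do not decide."""
    if len(payload) < 6:
        return "insufficient-data"
    # TLS record header: type, version major/minor, length; then handshake type.
    content_type, major, minor, record_len, handshake_type = struct.unpack("!BBBHB", payload[:6])
    if (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and record_len >= 4 and handshake_type == 0x01):
        return "tls-client-hello"
    # SSLv2-compatible hello: 2-byte length with the high bit set, then msg type 1.
    if payload[0] & 0x80 and payload[2] == 0x01:
        return "sslv2-client-hello"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "non-tls-binary"


def find_suspicious_443(flows):
    """Return the port-443 flows whose client did not open with a TLS handshake."""
    hits = []
    for flow in flows:
        if flow["dport"] != 443:
            continue
        verdict = classify_client_bytes(flow["first_bytes"])
        if verdict in ("tls-client-hello", "insufficient-data"):
            continue
        hits.append({"src": flow["src"], "dst": flow["dst"], "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_443(SAMPLE_FLOWS):
        print(hit)
```

In practice the same logic is a one-line Zeek or Suricata rule (a `conn` record on 443 with no matching `ssl` record), but the explicit byte check shows what such a rule keys on. Some legitimate software also tunnels non-TLS protocols over 443 to get through firewalls, so treat hits as triage candidates and pivot on the destination.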

Backswap

The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload.

The tag is: misp-galaxy:banker="Backswap"

Table 472. Table References

Links

https://www.cert.pl/news/single/analiza-zlosliwego-oprogramowania-backswap/

https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/

Bebloh

The tag is: misp-galaxy:banker="Bebloh"

Bebloh is also known as:

  • URLZone

  • Shiotob

Bebloh has relationships with:

  • similar: misp-galaxy:malpedia="UrlZone" with estimative-language:likelihood-probability="likely"

Table 473. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A

https://www.symantec.com/security-center/writeup/2011-041411-0912-99

Banjori

The tag is: misp-galaxy:banker="Banjori"

Banjori is also known as:

  • MultiBanker 2

  • BankPatch

  • BackPatcher

Banjori has relationships with:

  • similar: misp-galaxy:malpedia="Banjori" with estimative-language:likelihood-probability="likely"

Table 474. Table References

Links

https://www.johannesbader.ch/2015/02/the-dga-of-banjori/

Qadars

The tag is: misp-galaxy:banker="Qadars"

Qadars has relationships with:

  • similar: misp-galaxy:malpedia="Qadars" with estimative-language:likelihood-probability="likely"

Table 475. Table References

Links

https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/

Sisron

The tag is: misp-galaxy:banker="Sisron"

Table 476. Table References

Links

https://www.johannesbader.ch/2016/06/the-dga-of-sisron/

Ranbyus

The tag is: misp-galaxy:banker="Ranbyus"

Ranbyus has relationships with:

  • similar: misp-galaxy:malpedia="Ranbyus" with estimative-language:likelihood-probability="likely"

Table 477. Table References

Links

https://www.johannesbader.ch/2016/06/the-dga-of-sisron/

Fobber

The tag is: misp-galaxy:banker="Fobber"

Fobber has relationships with:

  • similar: misp-galaxy:malpedia="Fobber" with estimative-language:likelihood-probability="likely"

Table 478. Table References

Links

https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks

Karius

Trojan under development and already being distributed through the RIG Exploit Kit. Code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot have been observed. Karius works in a traditional fashion, similar to other banking malware, and consists of three components (injector32\64.exe, proxy32\64.dll and mod32\64.dll); these components work together to deploy webinjects in several browsers.

The tag is: misp-galaxy:banker="Karius"

Karius has relationships with:

  • similar: misp-galaxy:malpedia="Karius" with estimative-language:likelihood-probability="likely"

Table 479. Table References

Links

https://research.checkpoint.com/banking-trojans-development/

Kronos

Kronos is banking malware first reported in 2014. It was sold for $7,000. As of September 2015, a renewed version was reconnecting with infected bots and sending them a brand new configuration file targeting U.K. banks and one bank in India. Similar to Zeus, it focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018; the main difference is that the 2018 edition uses Tor-hosted C&C panels.

The tag is: misp-galaxy:banker="Kronos"

Kronos has relationships with:

  • similar: misp-galaxy:malpedia="Kronos" with estimative-language:likelihood-probability="likely"

Table 480. Table References

Links

https://en.wikipedia.org/wiki/Kronos_(malware)

https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware

https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/

CamuBot

A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components. CamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.

The tag is: misp-galaxy:banker="CamuBot"

CamuBot has relationships with:

  • similar: misp-galaxy:malpedia="CamuBot" with estimative-language:likelihood-probability="likely"

Table 481. Table References

Links

https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/
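Every entry in this galaxy is identified by a tag of the form misp-galaxy:<galaxy type>="<cluster value>", and many entries list synonyms that are valid names for the family but not valid tag values. The block below is an added example, not part of MISP or PyMISP: it parses that tag syntax, builds an alias index from a constructed excerpt that mirrors the cluster JSON layout (values[].value and values[].meta.synonyms, the field names the public misp-galaxy cluster files use), rewrites alias-based tags to the canonical ones, and refuses to build an index in which one alias points at two different clusters. The entries in the excerpt are taken from the banker galaxy as rendered on this page.

```python
import re

# Constructed excerpt in MISP galaxy cluster layout (assumption: field names
# value / meta.synonyms / type follow the public misp-galaxy cluster files).
BANKER_CLUSTER = {
    "name": "Banker",
    "type": "banker",
    "values": [
        {"value": "Corebot"},
        {"value": "TinyNuke",
         "meta": {"synonyms": ["NukeBot", "Nuclear Bot", "MicroBankingTrojan", "Xbot"]}},
        {"value": "Retefe", "meta": {"synonyms": ["Tsukuba", "Werdlod"]}},
        {"value": "Licat", "meta": {"synonyms": ["Murofet"]}},
        {"value": "Bebloh", "meta": {"synonyms": ["URLZone", "Shiotob"]}},
    ],
}

# misp-galaxy:<type>="<value>"; the value may contain spaces and parentheses.
TAG_RE = re.compile(r'^misp-galaxy:(?P<galaxy>[A-Za-z0-9_.-]+)="(?P<value>[^"]+)"$')


def parse_galaxy_tag(tag):
    """Split a galaxy tag into (galaxy type, value); None if it is not one."""
    m = TAG_RE.match(tag.strip())
    if not m:
        return None
    return m.group("galaxy"), m.group("value")


def build_alias_index(cluster):
    """Map every value and synonym (case-insensitively) to its canonical value.

    Raises ValueError when one alias resolves to two clusters, the kind of
    inconsistency that silently yields wrong tags after a galaxy merge.
    """
    index = {}
    for entry in cluster["values"]:
        canonical = entry["value"]
        for name in [canonical] + entry.get("meta", {}).get("synonyms", []):
            key = name.casefold()
            if key in index and index[key] != canonical:
                raise ValueError(f"alias {name!r} maps to both {index[key]!r} and {canonical!r}")
            index[key] = canonical
    return index


def canonical_tag(name, cluster, index=None):
    """Return the galaxy tag for a family name or alias, or None if unknown."""
    index = index if index is not None else build_alias_index(cluster)
    canonical = index.get(name.casefold())
    if canonical is None:
        return None
    return f'misp-galaxy:{cluster["type"]}="{canonical}"'


def normalise_tags(tags, cluster):
    """Rewrite alias-based tags of this galaxy to canonical ones; leave other tags as they are."""
    index = build_alias_index(cluster)
    out = []
    for tag in tags:
        parsed = parse_galaxy_tag(tag)
        if parsed and parsed[0] == cluster["type"]:
            out.append(canonical_tag(parsed[1], cluster, index) or tag)
        else:
            out.append(tag)
    return out


if __name__ == "__main__":
    print(canonical_tag("Nuclear Bot", BANKER_CLUSTER))
    print(normalise_tags(['misp-galaxy:banker="URLZone"', 'misp-galaxy:malpedia="Xbot"'],
                         BANKER_CLUSTER))
```

Run `normalise_tags` over a feed's tags before pushing events into MISP; a tag naming a synonym will otherwise create a free-text tag that no galaxy matrix or correlation picks up. Load the real cluster file in place of the constructed excerpt and the same functions apply unchanged.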

Botnet

botnet galaxy.

Botnet is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

ADB.miner

A new botnet appeared over the weekend, and it’s targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.

The botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system’s native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system’s most sensitive features.

Only devices running the Android OS have been infected so far, such as smartphones, smart TVs and set-top boxes, according to security researchers from Qihoo 360’s Network Security Research Lab (Netlab), who discovered the botnet and named it ADB.miner.

The tag is: misp-galaxy:botnet="ADB.miner"

Table 482. Table References

Links

https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/
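ADB.miner only needs an ADB daemon listening on TCP 5555 without authentication, so the defensive check is to find such devices in your own address space before a scanner does. The block below is an added example, not Netlab's code and not the botnet's: it builds the CNXN message an adb client sends first, parses the reply, and classifies the device as open, auth-required or not ADB. The message layout (six little-endian uint32 fields, then the payload, with magic = command XOR 0xFFFFFFFF) follows the public ADB protocol documentation; the payload checksum is the classic byte sum, which newer adb versions no longer verify. All reply bytes used in the test are constructed.

```python
import socket
import struct

ADB_HEADER = struct.Struct("<6I")   # command, arg0, arg1, data_length, data_check, magic
A_CNXN = 0x4E584E43                 # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541                 # b"AUTH"
A_VERSION = 0x01000000              # protocol version announced by classic adb
MAX_PAYLOAD = 4096                  # maxdata we tell the peer we accept


def adb_checksum(data):
    """Classic adb payload checksum: byte sum modulo 2**32."""
    return sum(data) & 0xFFFFFFFF


def build_message(command, arg0, arg1, data=b""):
    """Serialise one ADB message: 24-byte header followed by the payload."""
    header = ADB_HEADER.pack(command, arg0, arg1, len(data),
                             adb_checksum(data), command ^ 0xFFFFFFFF)
    return header + data


def build_connect_probe():
    """The CNXN a host sends first; 'host::' is the identity string adb uses."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(buf):
    """Return (command, arg0, arg1, data) or None if buf is not a valid ADB message."""
    if len(buf) < ADB_HEADER.size:
        return None
    command, arg0, arg1, length, _check, magic = ADB_HEADER.unpack_from(buf)
    if magic != (command ^ 0xFFFFFFFF):
        return None
    data = buf[ADB_HEADER.size:ADB_HEADER.size + length]
    if len(data) != length:
        return None
    return command, arg0, arg1, bytes(data)


def parse_banner(data):
    """Split 'device::k=v;k=v;' into (kind, dict of system properties)."""
    text = data.rstrip(b"\x00").decode("utf-8", "replace")
    kind, _, props = text.partition("::")
    pairs = (p.split("=", 1) for p in props.split(";") if "=" in p)
    return kind, {k: v for k, v in pairs}


def classify_reply(buf):
    """Map the first message a peer sends back to an inventory verdict."""
    msg = parse_message(buf)
    if msg is None:
        return {"verdict": "not-adb", "props": {}}
    command, _, _, data = msg
    if command == A_CNXN:                 # daemon accepted us without auth
        kind, props = parse_banner(data)
        return {"verdict": "open", "kind": kind, "props": props}
    if command == A_AUTH:                 # daemon wants an RSA-signed token first
        return {"verdict": "auth-required", "props": {}}
    return {"verdict": "other", "props": {}}


def probe_adb(host, port=5555, timeout=3.0):
    """Network check: send one CNXN to host:port and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect_probe())
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            if len(buf) >= ADB_HEADER.size:
                command, _, _, length, _, magic = ADB_HEADER.unpack_from(buf)
                if magic != (command ^ 0xFFFFFFFF) or len(buf) >= ADB_HEADER.size + length:
                    break
    return classify_reply(buf)


if __name__ == "__main__":
    import sys
    print(probe_adb(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run `probe_adb` only against hosts you are authorised to test. An "open" verdict means anyone who can reach port 5555 gets a shell and can install packages, which is exactly what ADB.miner relies on; "auth-required" still exposes a fingerprintable daemon and is worth disabling when the device is not being developed on.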

Bagle

Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

The tag is: misp-galaxy:botnet="Bagle"

Bagle is also known as:

  • Beagle

  • Mitglieder

  • Lodeight

Bagle has relationships with:

  • similar: misp-galaxy:malpedia="Bagle" with estimative-language:likelihood-probability="likely"

Table 483. Table References

Links

https://en.wikipedia.org/wiki/Bagle_(computer_worm)

Marina Botnet

Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.

The tag is: misp-galaxy:botnet="Marina Botnet"

Marina Botnet is also known as:

  • Damon Briant

  • BOB.dc

  • Cotmonger

  • Hacktool.Spammer

  • Kraken

Marina Botnet has relationships with:

  • similar: misp-galaxy:botnet="Kraken" with estimative-language:likelihood-probability="likely"

Table 484. Table References

Links

https://en.wikipedia.org/wiki/Botnet

Torpig

Torpig, also known as Anserin or Sinowal, is a botnet spread through systems compromised by the Mebroot rootkit, delivered by a variety of trojan horses, for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords, as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

The tag is: misp-galaxy:botnet="Torpig"

Torpig is also known as:

  • Sinowal

  • Anserin

Torpig has relationships with:

  • similar: misp-galaxy:malpedia="Sinowal" with estimative-language:likelihood-probability="likely"

Table 485. Table References

Links

https://en.wikipedia.org/wiki/Torpig

Storm

The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of "zombie" computers (or "botnet") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

The tag is: misp-galaxy:botnet="Storm"

Storm is also known as:

  • Nuwar

  • Peacomm

  • Zhelatin

  • Dorf

  • Ecard

Table 486. Table References

Links

https://en.wikipedia.org/wiki/Storm_botnet

Rustock

The tag is: misp-galaxy:botnet="Rustock"

Rustock is also known as:

  • RKRustok

  • Costrat

Rustock has relationships with:

  • similar: misp-galaxy:malpedia="Rustock" with estimative-language:likelihood-probability="likely"

Table 487. Table References

Links

https://en.wikipedia.org/wiki/Rustock_botnet

Donbot

The tag is: misp-galaxy:botnet="Donbot"

Donbot is also known as:

  • Buzus

  • Bachsoy

Donbot has relationships with:

  • similar: misp-galaxy:malpedia="Buzus" with estimative-language:likelihood-probability="likely"

Table 488. Table References

Links

https://en.wikipedia.org/wiki/Donbot_botnet

Cutwail

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo. It affects computers running Microsoft Windows. Related to: Wigon, Pushdo.

The tag is: misp-galaxy:botnet="Cutwail"

Cutwail is also known as:

  • Pandex

  • Mutant

Cutwail has relationships with:

  • similar: misp-galaxy:malpedia="Cutwail" with estimative-language:likelihood-probability="likely"

Table 489. Table References

Links

https://en.wikipedia.org/wiki/Cutwail_botnet

Akbot

Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.

The tag is: misp-galaxy:botnet="Akbot"

Akbot has relationships with:

  • similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"

Table 490. Table References

Links

https://en.wikipedia.org/wiki/Akbot

Srizbi

The Srizbi botnet was considered one of the world’s largest botnets, responsible for sending out more than half of all the spam sent by all the major botnets combined. The botnet consisted of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes were reduced by up to 93% as a result.

The tag is: misp-galaxy:botnet="Srizbi"

Srizbi is also known as:

  • Cbeplay

  • Exchanger

Table 491. Table References

Links

https://en.wikipedia.org/wiki/Srizbi_botnet

Lethic

The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.

The tag is: misp-galaxy:botnet="Lethic"

Lethic has relationships with:

  • similar: misp-galaxy:malpedia="Lethic" with estimative-language:likelihood-probability="likely"

Table 492. Table References

Links

https://en.wikipedia.org/wiki/Lethic_botnet

Xarvester

The tag is: misp-galaxy:botnet="Xarvester"

Xarvester is also known as:

  • Rlsloup

  • Pixoliz

Table 493. Table References

Links

https://krebsonsecurity.com/tag/xarvester/

Sality

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

The tag is: misp-galaxy:botnet="Sality"

Sality is also known as:

  • Sector

  • Kuku

  • Sality

  • SalLoad

  • Kookoo

  • SaliCode

  • Kukacka

Sality has relationships with:

  • similar: misp-galaxy:malpedia="Sality" with estimative-language:likelihood-probability="likely"

Table 494. Table References

Links

https://en.wikipedia.org/wiki/Sality

Mariposa

The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly (mariposa in Spanish) Bot", making it one of the largest known botnets.

The tag is: misp-galaxy:botnet="Mariposa"

Table 495. Table References

Links

https://en.wikipedia.org/wiki/Mariposa_botnet

Conficker

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.

The tag is: misp-galaxy:botnet="Conficker"

Conficker is also known as:

  • DownUp

  • DownAndUp

  • DownAdUp

  • Kido

Conficker has relationships with:

  • similar: misp-galaxy:malpedia="Conficker" with estimative-language:likelihood-probability="likely"

Table 496. Table References

Links

https://en.wikipedia.org/wiki/Conficker

Waledac

Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.

The tag is: misp-galaxy:botnet="Waledac"

Waledac is also known as:

  • Waled

  • Waledpak

Table 497. Table References

Links

https://en.wikipedia.org/wiki/Waledac_botnet

Maazben

A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.

The tag is: misp-galaxy:botnet="Maazben"

Table 498. Table References

Links

https://www.symantec.com/connect/blogs/evaluating-botnet-capacity

Onewordsub

The tag is: misp-galaxy:botnet="Onewordsub"

Table 499. Table References

Links

https://www.botnets.fr/wiki/OneWordSub

Gheg

Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware – it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server – they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).

The tag is: misp-galaxy:botnet="Gheg"

Gheg is also known as:

  • Tofsee

  • Mondera

Gheg has relationships with:

  • similar: misp-galaxy:malpedia="Tofsee" with estimative-language:likelihood-probability="likely"

Table 500. Table References

Links

https://www.cert.pl/en/news/single/tofsee-en/

Nucrypt

The tag is: misp-galaxy:botnet="Nucrypt"

Table 501. Table References

Links

https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en

Wopla

The tag is: misp-galaxy:botnet="Wopla"

Table 502. Table References

Links

https://www.botnets.fr/wiki.old/index.php/Wopla

Asprox

The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.

The tag is: misp-galaxy:botnet="Asprox"

Asprox is also known as:

  • Badsrc

  • Aseljo

  • Danmec

  • Hydraflux

Asprox has relationships with:

  • similar: misp-galaxy:malpedia="Asprox" with estimative-language:likelihood-probability="likely"

Table 503. Table References

Links

https://en.wikipedia.org/wiki/Asprox_botnet

Spamthru

Spam Thru represented an exponential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000-strong peer-to-peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine, designed to remove any other malicious programs residing on the same infected host so that it could get unlimited access to the machine’s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of built-in defences.

The tag is: misp-galaxy:botnet="Spamthru"

Spamthru is also known as:

  • Spam-DComServ

  • Covesmer

  • Xmiler

Table 504. Table References

Links

http://www.root777.com/security/analysis-of-spam-thru-botnet/

Gumblar

Gumblar is a malicious JavaScript trojan horse file that redirects a user’s Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.

The tag is: misp-galaxy:botnet="Gumblar"

Table 505. Table References

Links

https://en.wikipedia.org/wiki/Gumblar

BredoLab

The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.

The tag is: misp-galaxy:botnet="BredoLab"

BredoLab is also known as:

  • Oficla

BredoLab has relationships with:

  • similar: misp-galaxy:tool="Oficla" with estimative-language:likelihood-probability="likely"

Table 506. Table References

Links

https://en.wikipedia.org/wiki/Bredolab_botnet

Grum

The Grum botnet, also known by its aliases Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world’s largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world’s third-largest botnet, responsible for 18% of worldwide spam traffic.

The tag is: misp-galaxy:botnet="Grum"

Grum is also known as:

  • Tedroo

  • Reddyb

Table 507. Table References

Links

https://en.wikipedia.org/wiki/Grum_botnet

Mega-D

Mega-D, also known by its alias Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.

The tag is: misp-galaxy:botnet="Mega-D"

Mega-D is also known as:

  • Ozdok

Table 508. Table References

Links

https://en.wikipedia.org/wiki/Mega-D_botnet

Kraken

The Kraken botnet was the world’s largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.

The tag is: misp-galaxy:botnet="Kraken"

Kraken is also known as:

  • Kracken

Kraken has relationships with:

  • similar: misp-galaxy:botnet="Marina Botnet" with estimative-language:likelihood-probability="likely"

Table 509. Table References

Links

https://en.wikipedia.org/wiki/Kraken_botnet

Festi

The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.

The tag is: misp-galaxy:botnet="Festi"

Festi is also known as:

  • Spamnost

Table 510. Table References

Links

https://en.wikipedia.org/wiki/Festi_botnet

Vulcanbot

Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.

The tag is: misp-galaxy:botnet="Vulcanbot"

Table 511. Table References

Links

https://en.wikipedia.org/wiki/Vulcanbot

LowSec

The tag is: misp-galaxy:botnet="LowSec"

LowSec is also known as:

  • LowSecurity

  • FreeMoney

  • Ring0.Tools

TDL4

Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system’s network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

The tag is: misp-galaxy:botnet="TDL4"

TDL4 is also known as:

  • TDSS

  • Alureon

TDL4 has relationships with:

  • similar: misp-galaxy:malpedia="Alureon" with estimative-language:likelihood-probability="likely"

Table 512. Table References

Links

https://en.wikipedia.org/wiki/Alureon#TDL-4

Zeus

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

The tag is: misp-galaxy:botnet="Zeus"

Zeus is also known as:

  • Zbot

  • ZeuS

  • PRG

  • Wsnpoem

  • Gorhax

  • Kneber

Zeus has relationships with:

  • similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:banker="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"

Table 513. Table References

Links

https://en.wikipedia.org/wiki/Zeus_(malware)

Kelihos

The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.

The tag is: misp-galaxy:botnet="Kelihos"

Kelihos is also known as:

  • Hlux

Kelihos has relationships with:

  • similar: misp-galaxy:malpedia="Kelihos" with estimative-language:likelihood-probability="likely"

Table 514. Table References

Links

https://en.wikipedia.org/wiki/Kelihos_botnet

Ramnit

Ramnit is a computer worm affecting Windows users. It was estimated to have infected 800,000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec in 2015, at which point the infection was estimated at 3,200,000 PCs.

The tag is: misp-galaxy:botnet="Ramnit"

Ramnit has relationships with:

  • similar: misp-galaxy:banker="Ramnit" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"

Table 515. Table References

Links

https://en.wikipedia.org/wiki/Botnet

Zer0n3t

The tag is: misp-galaxy:botnet="Zer0n3t"

Zer0n3t is also known as:

  • Fib3rl0g1c

  • Zer0n3t

  • Zer0Log1x

Chameleon

The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).

The tag is: misp-galaxy:botnet="Chameleon"

Table 516. Table References

Links

https://en.wikipedia.org/wiki/Chameleon_botnet

Mirai

Mirai (Japanese for "the future", 未来) is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.

The tag is: misp-galaxy:botnet="Mirai"

Mirai has relationships with:

  • similar: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Mirai (Windows)" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"

Table 517. Table References

Links

https://en.wikipedia.org/wiki/Mirai_(malware)

https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/

XorDDoS

XOR DDoS is a Linux trojan used to perform large-scale DDoS attacks.

The tag is: misp-galaxy:botnet="XorDDoS"

Table 518. Table References

Links

https://en.wikipedia.org/wiki/Xor_DDoS

Satori

According to a report Li shared with Bleeping Computer, the Mirai Satori variant is quite different from all previous pure Mirai variants. Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot. The Satori variant does not use a scanner but uses two embedded exploits that try to connect to remote devices on ports 37215 and 52869. Effectively, this makes Satori an IoT worm, able to spread by itself without the need for separate components.

The tag is: misp-galaxy:botnet="Satori"

Satori is also known as:

  • Okiru

Satori has relationships with:

  • similar: misp-galaxy:tool="Satori" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Satori" with estimative-language:likelihood-probability="likely"

Table 519. Table References

Links

https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/

https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant
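
The spreading behaviour described above (direct connections to TCP 37215 and 52869 across many hosts, with no separate scanner) is what a defender can look for at the network edge. The following is an added example, not code from the MISP project or from the reports cited here: it parses a constructed connection log of "timestamp src dst dport" lines (the format, the sample addresses and the threshold are assumptions) and flags sources that contact many distinct destinations on the two Satori ports.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the page, Bleeping Computer or Fortinet): flag
 * sources showing Satori-style spreading, i.e. many distinct destinations
 * contacted on TCP 37215 and 52869. Input is a constructed connection log
 * of "timestamp src dst dport" lines, like a firewall or NetFlow export. */
#define SATORI_PORT_A 37215
#define SATORI_PORT_B 52869
#define MAX_SRC 32
#define MAX_DST 32
#define IP_LEN  40

struct src_stat {
    char ip[IP_LEN];
    int  dst_count;               /* distinct destinations on the two ports */
    char dsts[MAX_DST][IP_LEN];
    int  saw_port_a, saw_port_b;
};

static struct src_stat table[MAX_SRC];
static int table_n;

static struct src_stat *stat_for(const char *ip)
{
    for (int i = 0; i < table_n; i++)
        if (strcmp(table[i].ip, ip) == 0) return &table[i];
    if (table_n == MAX_SRC) return NULL;
    struct src_stat *s = &table[table_n++];
    memset(s, 0, sizeof *s);
    snprintf(s->ip, IP_LEN, "%s", ip);
    return s;
}

static void note_dst(struct src_stat *s, const char *dst)
{
    for (int i = 0; i < s->dst_count; i++)
        if (strcmp(s->dsts[i], dst) == 0) return;
    if (s->dst_count < MAX_DST) snprintf(s->dsts[s->dst_count++], IP_LEN, "%s", dst);
}

/* Parses the log and returns how many sources hit at least min_dsts distinct
 * destinations on the Satori ports. Traffic to other ports is ignored. */
int count_satori_scanners(const char *flows, int min_dsts)
{
    table_n = 0;
    for (const char *line = flows; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[160], src[IP_LEN], dst[IP_LEN];
        int port;
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%*s %39s %39s %d", src, dst, &port) == 3 &&
            (port == SATORI_PORT_A || port == SATORI_PORT_B)) {
            struct src_stat *s = stat_for(src);
            if (s) {
                note_dst(s, dst);
                if (port == SATORI_PORT_A) s->saw_port_a = 1; else s->saw_port_b = 1;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    int flagged = 0;
    for (int i = 0; i < table_n; i++)
        if (table[i].dst_count >= min_dsts) flagged++;
    return flagged;
}

/* IP of the which-th flagged source after the last count, or "" if none. */
const char *flagged_source(int min_dsts, int which)
{
    for (int i = 0; i < table_n; i++)
        if (table[i].dst_count >= min_dsts && which-- == 0) return table[i].ip;
    return "";
}

/* Constructed sample: 10.0.0.5 sweeps five hosts on both ports (worm-like),
 * 10.0.0.9 touches one host on 37215 once, 10.0.0.7 is ordinary HTTPS. */
const char *sample_log =
    "2018-01-10T03:12:01 10.0.0.5 198.51.100.20 37215\n"
    "2018-01-10T03:12:01 10.0.0.5 198.51.100.21 37215\n"
    "2018-01-10T03:12:02 10.0.0.5 198.51.100.22 52869\n"
    "2018-01-10T03:12:02 10.0.0.5 198.51.100.23 52869\n"
    "2018-01-10T03:12:03 10.0.0.5 198.51.100.24 37215\n"
    "2018-01-10T03:12:03 10.0.0.5 198.51.100.24 52869\n"
    "2018-01-10T03:12:04 10.0.0.9 198.51.100.30 37215\n"
    "2018-01-10T03:12:05 10.0.0.7 203.0.113.8 443\n";
```

With a threshold of three distinct destinations, only 10.0.0.5 is flagged; a single legitimate management connection on 37215 (10.0.0.9) is not. The threshold is the tunable part: the ports alone are not an indicator, the fan-out across hosts is.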

BetaBot

The tag is: misp-galaxy:botnet="BetaBot"

BetaBot has relationships with:

  • similar: misp-galaxy:malpedia="BetaBot" with estimative-language:likelihood-probability="likely"

Hajime

Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown. It is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existence was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).

The tag is: misp-galaxy:botnet="Hajime"

Hajime has relationships with:

  • similar: misp-galaxy:malpedia="Hajime" with estimative-language:likelihood-probability="likely"

Table 520. Table References

Links

https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/

https://en.wikipedia.org/wiki/Hajime_(malware)

https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/

Muhstik

The botnet is exploiting the CVE-2018-7600 vulnerability, also known as Drupalgeddon 2, to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS. At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware. Crooks initially used Tsunami for DDoS attacks, but its feature set expanded greatly after its source code leaked online. The Muhstik version of Tsunami, according to a Netlab report, can launch DDoS attacks, install the XMRig Monero miner, or install CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.

The tag is: misp-galaxy:botnet="Muhstik"

Table 521. Table References

Links

https://www.bleepingcomputer.com/news/security/big-iot-botnet-starts-large-scale-exploitation-of-drupalgeddon-2-vulnerability/

Hide and Seek

Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This is a major game-changing moment in the realm of IoT and router malware. Until now, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device. The reset operation flushed the device’s memory, where the device would keep all its working data, including IoT malware strains. But Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a directory that houses daemon scripts on Linux-based operating systems, like the ones on routers and IoT devices. By placing itself in this directory, the malware is started automatically by the device’s OS after the next reboot.

The tag is: misp-galaxy:botnet="Hide and Seek"

Hide and Seek is also known as:

  • HNS

  • Hide 'N Seek

Hide and Seek has relationships with:

  • similar: misp-galaxy:malpedia="Hide and Seek" with estimative-language:likelihood-probability="likely"

Table 522. Table References

Links

https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/

https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/

https://www.bleepingcomputer.com/news/security/hide-and-seek-botnet-adds-infection-vector-for-android-devices/

Mettle

The command-and-control panel and the scanner of this botnet are hosted on a server residing in Vietnam. Attackers have been utilizing the open-source Mettle attack module to implant malware on vulnerable routers.

The tag is: misp-galaxy:botnet="Mettle"

Table 523. Table References

Links

https://thehackernews.com/2018/05/botnet-malware-hacking.html

Owari

An IoT botnet and Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot (another Mirai variant) or Omni bot. The author is called WICKED.

The tag is: misp-galaxy:botnet="Owari"

Owari has relationships with:

  • similar: misp-galaxy:malpedia="Owari" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"

Table 524. Table References

Links

https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html

Brain Food

Brain Food is usually the second step in a chain of redirections; its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionality is also embedded in the code, allowing remote execution of shell commands on web servers that are configured to allow the PHP 'system' command.

The tag is: misp-galaxy:botnet="Brain Food"

Table 525. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/brain-food-botnet-gives-website-operators-heartburn

Pontoeb

The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the ability to run commands such as: download a file, update itself, visit a website, and perform HTTP, SYN and UDP flooding.

The tag is: misp-galaxy:botnet="Pontoeb"

Pontoeb is also known as:

  • N0ise

Table 526. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:MSIL/Pontoeb.J

http://dataprotectioncenter.com/general/are-you-beta-testing-malware/

Trik Spam Botnet

The tag is: misp-galaxy:botnet="Trik Spam Botnet"

Trik Spam Botnet is also known as:

  • Trik Trojan

Table 527. Table References

Links

https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/

Madmax

The tag is: misp-galaxy:botnet="Madmax"

Madmax is also known as:

  • Mad Max

Madmax has relationships with:

  • similar: misp-galaxy:tool="Mad Max" with estimative-language:likelihood-probability="likely"

Table 528. Table References

Links

https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml

Pushdo

The tag is: misp-galaxy:botnet="Pushdo"

Pushdo has relationships with:

  • similar: misp-galaxy:malpedia="Pushdo" with estimative-language:likelihood-probability="likely"

Table 529. Table References

Links

https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/

Simda

The tag is: misp-galaxy:botnet="Simda"

Simda has relationships with:

  • similar: misp-galaxy:malpedia="Simda" with estimative-language:likelihood-probability="likely"

Table 530. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA15-105A

Virut

The tag is: misp-galaxy:botnet="Virut"

Virut has relationships with:

  • similar: misp-galaxy:malpedia="Virut" with estimative-language:likelihood-probability="likely"

Table 531. Table References

Links

https://en.wikipedia.org/wiki/Virut

Bamital

The tag is: misp-galaxy:botnet="Bamital"

Bamital is also known as:

  • Mdrop-CSK

  • Agent-OCF

Table 533. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital

https://www.symantec.com/security-center/writeup/2010-070108-5941-99

Gafgyt

Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).

The tag is: misp-galaxy:botnet="Gafgyt"

Gafgyt is also known as:

  • Bashlite

Gafgyt has relationships with:

  • similar: misp-galaxy:tool="Gafgyt" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Bashlite" with estimative-language:likelihood-probability="likely"

Table 534. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://www.symantec.com/security-center/writeup/2014-100222-5658-99

Sora

Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year. Initial versions were nothing out of the ordinary, and Sora’s original author soon moved on to developing the Mirai Owari version, shortly after Sora’s creation.

The tag is: misp-galaxy:botnet="Sora"

Sora is also known as:

  • Mirai Sora

Sora has relationships with:

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"

Table 535. Table References

Links

https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/

Torii

We have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.

The tag is: misp-galaxy:botnet="Torii"

Torii has relationships with:

  • similar: misp-galaxy:malpedia="Torii" with estimative-language:likelihood-probability="likely"

Table 536. Table References

Links

https://blog.avast.com/new-torii-botnet-threat-research

https://www.bleepingcomputer.com/news/security/new-iot-botnet-torii-uses-six-methods-for-persistence-has-no-clear-purpose/

Persirai

A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.

The tag is: misp-galaxy:botnet="Persirai"

Persirai has relationships with:

  • similar: misp-galaxy:malpedia="Persirai" with estimative-language:likelihood-probability="likely"

Table 537. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/

Chalubo

Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.

The tag is: misp-galaxy:botnet="Chalubo"

Table 538. Table References

Links

https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/

Branded Vulnerability

List of known vulnerabilities and attacks with a branding.

Branded Vulnerability is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown

Meltdown

Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.

The tag is: misp-galaxy:branded-vulnerability="Meltdown"

Spectre

Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.

The tag is: misp-galaxy:branded-vulnerability="Spectre"
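
The first variant turns on a bounds check that the processor evaluates speculatively. The following is an added example, not the page’s or any vendor’s code: it shows the variant-1 gadget shape next to the branchless index mask that the Linux kernel uses (the pattern of array_index_nospec()) so that a mispredicted branch cannot deliver an out-of-range index to the load. The arrays, their sizes and the function names are constructed for the example; the cache timing side channel itself is not reproduced, only the mitigation.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not the page's or any vendor's code: the Spectre variant-1
 * gadget shape and the branchless index mask used by the Linux kernel's
 * array_index_nospec(). Arrays below are constructed for the example. */
#define WORD_BITS (sizeof(size_t) * 8)

static uint8_t public_array[16] = { 3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3 };
static size_t  public_array_size = 16;
static uint8_t probe_array[256];   /* stands in for the attacker-observable array */

/* Vulnerable shape: architecturally correct, but while the branch is being
 * mispredicted an out-of-range x reads past public_array and the byte it
 * fetches selects which probe_array line is pulled into cache. */
uint8_t victim_branch_only(size_t x)
{
    if (x < public_array_size)
        return probe_array[public_array[x]];
    return 0;
}

/* All-ones when index < size, zero otherwise, computed without a branch so it
 * also holds on the speculative path. Relies on an arithmetic right shift of
 * a negative value, which gcc and clang provide. */
size_t array_index_mask_nospec(size_t index, size_t size)
{
    return (size_t)(~(intptr_t)(index | (size - index - 1)) >> (WORD_BITS - 1));
}

/* Index the gadget will actually dereference after masking. */
size_t clamped_index(size_t x)
{
    return x & array_index_mask_nospec(x, public_array_size);
}

/* Hardened shape: even if the branch is predicted wrongly, x collapses to 0,
 * so the speculative load stays inside public_array. */
uint8_t victim_masked(size_t x)
{
    if (x < public_array_size) {
        x = clamped_index(x);
        return probe_array[public_array[x]];
    }
    return 0;
}
```

The mask is the data-path alternative to placing a serializing barrier (lfence) after the bounds check; it costs a few ALU instructions instead of draining the pipeline, which is why kernels prefer it on hot paths.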

Heartbleed

Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug’s name derives from heartbeat. The vulnerability is classified as a buffer over-read, a situation where more data can be read than should be allowed.

The tag is: misp-galaxy:branded-vulnerability="Heartbleed"
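
The missing bounds check is small enough to show in full. The following is an added example, not OpenSSL’s code: a simplified heartbeat responder modelled on the RFC 6520 message layout, in the vulnerable form (the peer-supplied payload length is trusted) and in the fixed form (the record must be long enough to hold header, payload and padding, or the message is discarded). The record, the neighbouring "key material" and the buffer sizes are constructed so the over-read stays inside one array and the program is well defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat responder modelled on RFC 6520 (added example, not
 * OpenSSL's code). Wire layout of a HeartbeatMessage:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16)
 * rec_len is the length of the record that actually arrived. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Copies the echoed payload into 'out'; returns the response length or -1. */
static int build_response(const uint8_t *p, uint16_t payload, uint8_t *out, size_t out_cap)
{
    size_t need = (size_t)HB_HEADER + payload + HB_PADDING;
    if (need > out_cap) return -1;          /* protects only the responder's own buffer */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER, p, payload);    /* reads 'payload' bytes starting at p */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return (int)need;
}

/* Vulnerable: the peer-supplied payload_length is never compared with rec_len,
 * so memcpy reads past the end of the record into whatever memory follows it. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                   /* the missing bounds check */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec + HB_HEADER, payload, out, out_cap);
}

/* Fixed: the record must be large enough to hold header, payload and padding;
 * otherwise the message is silently discarded, as RFC 6520 requires. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < (size_t)(HB_HEADER + HB_PADDING)) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > rec_len) return -1;   /* the Heartbleed fix */
    return build_response(rec + HB_HEADER, payload, out, out_cap);
}

/* Constructed demo memory: a 22-byte record (3-byte payload "hi!", 16 bytes of
 * padding) that claims a 64-byte payload, followed by bytes standing in for
 * key material that happens to sit next to it in the heap. */
#define DEMO_RECORD_LEN 22
static uint8_t demo_memory[80] = {
    HB_REQUEST, 0x00, 0x40,                          /* claims payload_length = 64 */
    'h', 'i', '!',                                   /* the 3 bytes actually sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y', '-',
    'M', 'A', 'T', 'E', 'R', 'I', 'A', 'L', '!'
};
static const uint8_t honest_record[DEMO_RECORD_LEN] = { HB_REQUEST, 0x00, 0x03, 'h', 'i', '!' };

static int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable responder echoes the neighbouring secret back to the peer. */
int demo_vulnerable_leaks(void)
{
    uint8_t out[256];
    int n = heartbeat_vulnerable(demo_memory, DEMO_RECORD_LEN, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, "SECRET-KEY-MATERIAL!");
}

/* Fixed responder on the malicious record: -1, the message is discarded. */
int demo_fixed_result(void)
{
    uint8_t out[256];
    return heartbeat_fixed(demo_memory, DEMO_RECORD_LEN, out, sizeof out);
}

/* Fixed responder on an honest 3-byte request: a 22-byte response. */
int demo_fixed_honest(void)
{
    uint8_t out[256];
    return heartbeat_fixed(honest_record, sizeof honest_record, out, sizeof out);
}
```

Note that the vulnerable responder does check its own output buffer; that check is not the fix. The fix is the comparison of the claimed payload length against the length of the record that was actually received, which is exactly the line OpenSSL added in April 2014.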

Shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

The tag is: misp-galaxy:branded-vulnerability="Shellshock"

Ghost

The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue. During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.

The tag is: misp-galaxy:branded-vulnerability="Ghost"

Stagefright

Stagefright is the name given to a group of software bugs that affect versions 2.2 ("Froyo") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim’s device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn’t have to do anything to ‘accept’ the bug, it happens in the background. The phone number is the only target information.

The tag is: misp-galaxy:branded-vulnerability="Stagefright"

Badlock

Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols supported by Windows and Samba servers.

The tag is: misp-galaxy:branded-vulnerability="Badlock"

Dirty COW

Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.

The tag is: misp-galaxy:branded-vulnerability="Dirty COW"

POODLE

The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average they need to make only 256 SSL 3.0 requests to reveal one byte of an encrypted message. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed it publicly on October 14, 2014 (despite the paper being dated "September 2014"). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.

The tag is: misp-galaxy:branded-vulnerability="POODLE"

BadUSB

The ‘BadUSB’ vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.

The tag is: misp-galaxy:branded-vulnerability="BadUSB"

ImageTragick

The tag is: misp-galaxy:branded-vulnerability="ImageTragick"

Blacknurse

Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.

The tag is: misp-galaxy:branded-vulnerability="Blacknurse"

Cert EU GovSector

Cert EU GovSector.

Cert EU GovSector is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

Constituency

The tag is: misp-galaxy:cert-eu-govsector="Constituency"

EU-Centric

The tag is: misp-galaxy:cert-eu-govsector="EU-Centric"

EU-nearby

The tag is: misp-galaxy:cert-eu-govsector="EU-nearby"

World-class

The tag is: misp-galaxy:cert-eu-govsector="World-class"

Unknown

The tag is: misp-galaxy:cert-eu-govsector="Unknown"

Outside World

The tag is: misp-galaxy:cert-eu-govsector="Outside World"

Exploit-Kit

Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It is not meant to be totally exhaustive but aims to cover the most seen in the past 5 years.

Exploit-Kit is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Kafeine - Will Metcalf - KahuSecurity

Astrum

Astrum Exploit Kit is a private exploit kit used in massive-scale malvertising campaigns. It is notable for its use of steganography.

The tag is: misp-galaxy:exploit-kit="Astrum"

Astrum is also known as:

  • Stegano EK

Table 539. Table References

Links

http://malware.dontneedcoffee.com/2014/09/astrum-ek.html

http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/

Underminer

Underminer EK is an exploit kit that seems to be used privately against users in Asia. Functionalities: browser profiling and filtering, prevention of client revisits, URL randomization, and asymmetric encryption of payloads.

The tag is: misp-galaxy:exploit-kit="Underminer"

Underminer is also known as:

  • Underminer EK

Table 540. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/new-underminer-exploit-kit-delivers-bootkit-and-cryptocurrency-mining-malware-with-encrypted-tcp-tunnel/

http://bobao.360.cn/interref/detail/248.html

Fallout

Fallout Exploit Kit appeared at the end of August 2018 as an updated Nuclear Pack featuring current exploits seen in competing exploit kits.

The tag is: misp-galaxy:exploit-kit="Fallout"

Fallout is also known as:

  • Fallout

Fallout has relationships with:

  • dropped: misp-galaxy:ransomware="GandCrab" with estimative-language:likelihood-probability="almost-certain"

Table 541. Table References

Links

https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html

https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/

https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-now-installing-the-kraken-cryptor-ransomware/

Bingo

Bingo EK is the name chosen by the defense for a Fiesta-like EK first spotted in March 2017 and targeting, at that time, mostly Russia.

The tag is: misp-galaxy:exploit-kit="Bingo"

Terror EK

Terror EK is built on Hunter, Sundown and RIG EK code

The tag is: misp-galaxy:exploit-kit="Terror EK"

Terror EK is also known as:

  • Blaze EK

  • Neptune EK

Table 542. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit—​More-like-Error-Exploit-Kit/

DealersChoice

DealersChoice is a Flash Player Exploit platform triggered by RTF.

DealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variants — variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. This new component appeared in 2016 and is still in use.

The tag is: misp-galaxy:exploit-kit="DealersChoice"

DealersChoice is also known as:

  • Sednit RTF EK

Table 543. Table References

Links

http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/

http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/

https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

DNSChanger

DNSChanger Exploit Kit is an exploit kit targeting routers via the browser.

The tag is: misp-galaxy:exploit-kit="DNSChanger"

DNSChanger is also known as:

  • RouterEK

Table 544. Table References

Links

http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html

https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

Disdain

Disdain EK was introduced on an underground forum on 2017-08-07. The panel is stolen from Sundown, the URL patterns are Terror-like and the obfuscation is reminiscent of Nebula.

The tag is: misp-galaxy:exploit-kit="Disdain"

Table 545. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/

Kaixin

Kaixin is an exploit kit mainly seen behind compromised websites in Asia

The tag is: misp-galaxy:exploit-kit="Kaixin"

Kaixin is also known as:

  • CK vip

Table 546. Table References

Links

http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/

http://www.kahusecurity.com/2012/new-chinese-exploit-pack/

MWI

Microsoft Word Intruder is an exploit kit focused on Word and embedded Flash exploits. The author does not want customers to use it in mass spam campaigns, so it is most often connected to semi-targeted attacks

The tag is: misp-galaxy:exploit-kit="MWI"

Table 548. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html

https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf

ThreadKit

ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017

The tag is: misp-galaxy:exploit-kit="ThreadKit"

Table 549. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware

VenomKit

VenomKit is the name given to a kit sold since April 2017 as "Word 1day exploit builder" by the user badbullzvenom. The author allows its use only in targeted campaigns. It is used, for instance, by the "Cobalt Gang"

The tag is: misp-galaxy:exploit-kit="VenomKit"

VenomKit is also known as:

  • Venom

Table 550. Table References

Links

https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

RIG

RIG is an exploit kit that takes its source from Infinity EK, itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible to "vip" customers and RIG 3 was still in use.

The tag is: misp-galaxy:exploit-kit="RIG"

RIG is also known as:

  • RIG 3

  • RIG-v

  • RIG 4

  • Meadgive

Table 551. Table References

Links

http://www.kahusecurity.com/2014/rig-exploit-pack/

https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/

https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/

http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

Sednit EK

Sednit EK is the exploit kit used by APT28

The tag is: misp-galaxy:exploit-kit="Sednit EK"

Sednit EK is also known as:

  • SedKit

Table 552. Table References

Links

http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/

http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/

Sundown-P

Sundown-P/Sundown-Pirate is a rip of Sundown seen used privately (only one group using it). First spotted at the end of June 2017, it was branded as CaptainBlack in August 2017

The tag is: misp-galaxy:exploit-kit="Sundown-P"

Sundown-P is also known as:

  • Sundown-Pirate

  • CaptainBlack

Table 553. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/promediads-malvertising-sundown-pirate-exploit-kit/

Bizarro Sundown

Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features

The tag is: misp-galaxy:exploit-kit="Bizarro Sundown"

Bizarro Sundown is also known as:

  • Sundown-b

Table 554. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/

https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/

Hunter

Hunter EK is an evolution of 3Ros EK

The tag is: misp-galaxy:exploit-kit="Hunter"

Hunter is also known as:

  • 3ROS Exploit Kit

Hunter has relationships with:

  • similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"

Table 555. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers

GreenFlash Sundown

GreenFlash Sundown is a variation of Bizarro Sundown without a landing page

The tag is: misp-galaxy:exploit-kit="GreenFlash Sundown"

GreenFlash Sundown is also known as:

  • Sundown-GF

Table 556. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/

Angler

The Angler Exploit Kit was the most popular and most evolved exploit kit from 2014 to mid-2016. There were several variations: the historical "indexm" variant used to spread Lurk, a VIP version used notably to spread Poweliks, the "standard" commercial version, and a variant tied to load selling (mostly bankers) that can be associated with EmpirePPC

The tag is: misp-galaxy:exploit-kit="Angler"

Angler is also known as:

  • XXX

  • AEK

  • Axpergle

Table 557. Table References

Links

https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/

http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html

http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html

Archie

Archie EK

The tag is: misp-galaxy:exploit-kit="Archie"

Table 558. Table References

Links

https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit

BlackHole

The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch’s arrest (all activity since then is anecdotal and based on an old leak)

The tag is: misp-galaxy:exploit-kit="BlackHole"

BlackHole is also known as:

  • BHEK

BlackHole has relationships with:

  • similar: misp-galaxy:rat="BlackHole" with estimative-language:likelihood-probability="likely"

Table 559. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/

https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/

Bleeding Life

Bleeding Life is an exploit kit that became open source with its version 2

The tag is: misp-galaxy:exploit-kit="Bleeding Life"

Bleeding Life is also known as:

  • BL

  • BL2

Table 560. Table References

Links

http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/

http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html

Cool

The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013

The tag is: misp-galaxy:exploit-kit="Cool"

Cool is also known as:

  • CEK

  • Styxy Cool

Table 561. Table References

Links

http://malware.dontneedcoffee.com/2012/10/newcoolek.html

http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html

http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/

Fiesta

Fiesta Exploit Kit

The tag is: misp-galaxy:exploit-kit="Fiesta"

Fiesta is also known as:

  • NeoSploit

  • Fiexp

Table 562. Table References

Links

http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an

http://www.kahusecurity.com/2011/neosploit-is-back/

Empire

The Empire Pack is a variation of RIG operated by a load seller. It’s being fed by many traffic actors

The tag is: misp-galaxy:exploit-kit="Empire"

Empire is also known as:

  • RIG-E

Empire has relationships with:

  • similar: misp-galaxy:tool="Empire" with estimative-language:likelihood-probability="likely"

Table 563. Table References

Links

http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

FlashPack

FlashPack EK has had multiple forks. The most common variant seen was the standalone Flash version

The tag is: misp-galaxy:exploit-kit="FlashPack"

FlashPack is also known as:

  • FlashEK

  • SafePack

  • CritXPack

  • Vintage Pack

Table 564. Table References

Links

http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html

http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html

Glazunov

Glazunov is an exploit kit mainly seen behind compromised websites in 2012 and 2013. The Glazunov compromises are likely the ancestor activity of what became EITest in July 2014. Sibhost and Flimkit later showed similarities with this exploit kit

The tag is: misp-galaxy:exploit-kit="Glazunov"

Table 565. Table References

Links

https://nakedsecurity.sophos.com/2013/06/24/taking-a-closer-look-at-the-glazunov-exploit-kit/

GrandSoft

GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013. It disappeared between March 2014 and September 2017

The tag is: misp-galaxy:exploit-kit="GrandSoft"

GrandSoft is also known as:

  • StampEK

  • SofosFO

Table 566. Table References

Links

http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html

http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html

https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/

HanJuan

HanJuan EK was a single-actor-fed variation of Angler EK used in an evolved malvertising chain targeting the USA. It used a 0day (CVE-2015-0313) from the beginning of December 2014 until the beginning of February 2015

The tag is: misp-galaxy:exploit-kit="HanJuan"

Table 567. Table References

Links

http://www.malwaresigs.com/2013/10/14/unknown-ek/

https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/

http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack

https://twitter.com/kafeine/status/562575744501428226

Himan

Himan Exploit Kit

The tag is: misp-galaxy:exploit-kit="Himan"

Himan is also known as:

  • High Load

Table 568. Table References

Links

http://malware.dontneedcoffee.com/2013/10/HiMan.html

Impact

Impact EK

The tag is: misp-galaxy:exploit-kit="Impact"

Table 569. Table References

Links

http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html

Infinity

Infinity is an evolution of Redkit

The tag is: misp-galaxy:exploit-kit="Infinity"

Infinity is also known as:

  • Redkit v2.0

  • Goon

Table 570. Table References

Links

http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html

http://www.kahusecurity.com/2014/the-resurrection-of-redkit/

Lightsout

Lightsout Exploit Kit has been used in watering hole attacks performed by the APT group Havex

The tag is: misp-galaxy:exploit-kit="Lightsout"

Table 571. Table References

Links

http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html

http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html

http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html

Nebula

Nebula Exploit Kit has been built on Sundown source and features an internal TDS

The tag is: misp-galaxy:exploit-kit="Nebula"

Table 572. Table References

Links

http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html

Neutrino

Neutrino Exploit Kit was one of the major exploit kits from its launch in 2013 until September 2016, when it became private (the defense name for this variation is Neutrino-v). This EK vanished from March 2014 until November 2014.

The tag is: misp-galaxy:exploit-kit="Neutrino"

Neutrino is also known as:

  • Job314

  • Neutrino Rebooted

  • Neutrino-v

Neutrino has relationships with:

  • similar: misp-galaxy:malpedia="Neutrino" with estimative-language:likelihood-probability="likely"

Table 573. Table References

Links

http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html

Niteris

Niteris was used mainly to target Russians.

The tag is: misp-galaxy:exploit-kit="Niteris"

Niteris is also known as:

  • CottonCastle

Table 574. Table References

Links

http://malware.dontneedcoffee.com/2014/06/cottoncastle.html

http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html

Nuclear

The Nuclear Pack appeared in 2009 and was one of the longest-lived exploit kits. Spartan EK was a landing-page-less variation of Nuclear Pack

The tag is: misp-galaxy:exploit-kit="Nuclear"

Nuclear is also known as:

  • NEK

  • Nuclear Pack

  • Spartan

  • Neclu

Table 575. Table References

Links

http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/

Phoenix

Phoenix Exploit Kit

The tag is: misp-galaxy:exploit-kit="Phoenix"

Phoenix is also known as:

  • PEK

Table 576. Table References

Links

http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html

http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/

Private Exploit Pack

Private Exploit Pack

The tag is: misp-galaxy:exploit-kit="Private Exploit Pack"

Private Exploit Pack is also known as:

  • PEP

Table 577. Table References

Links

http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html

http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html

Redkit

Redkit was a major exploit kit in 2012. One of its specific features was to grant access in exchange for a percentage of the customer’s traffic

The tag is: misp-galaxy:exploit-kit="Redkit"

Table 578. Table References

Links

https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/

http://malware.dontneedcoffee.com/2012/05/inside-redkit.html

https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/

Sakura

Sakura Exploit Kit appeared in 2012 and was adopted by several big actors

The tag is: misp-galaxy:exploit-kit="Sakura"

Table 579. Table References

Links

http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html

SPL

SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV

The tag is: misp-galaxy:exploit-kit="SPL"

SPL is also known as:

  • SPL_Data

  • SPLNet

  • SPL2

Table 580. Table References

Links

http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/

Sundown

Sundown Exploit Kit is mainly built out of stolen code from other exploit kits

The tag is: misp-galaxy:exploit-kit="Sundown"

Sundown is also known as:

  • Beps

  • Xer

  • Beta

Table 581. Table References

Links

http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html

https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road

Sweet-Orange

Sweet Orange

The tag is: misp-galaxy:exploit-kit="Sweet-Orange"

Sweet-Orange is also known as:

  • SWO

  • Anogre

Table 582. Table References

Links

http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html

WhiteHole

WhiteHole Exploit Kit appeared in January 2013 in the wake of CVE-2013-0422

The tag is: misp-galaxy:exploit-kit="WhiteHole"

Table 584. Table References

Links

http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html

Unknown

Unknown Exploit Kit. This is a placeholder for any undocumented exploit kit. If you use this tag, we will be more than happy to give the associated EK a deep look.

The tag is: misp-galaxy:exploit-kit="Unknown"

Table 585. Table References

Links

https://twitter.com/kafeine

https://twitter.com/node5

https://twitter.com/kahusecurity

Malpedia

Malware galaxy cluster based on Malpedia.

Malpedia is a cluster galaxy available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Davide Arcuri - Alexandre Dulaunoy - Steffen Enders - Andrea Garavaglia - Andras Iklody - Daniel Plohmann - Christophe Vandeplas

AndroRAT

Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It was developed by a team of 4 for a university project. The goal of the application is to give control of the Android system remotely and retrieve information from it.

The tag is: misp-galaxy:malpedia="AndroRAT"

Table 587. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat

https://github.com/DesignativeDave/androrat

https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html

https://www.kaspersky.com/blog/mobile-malware-part-4/24290/

https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/

Asacub

The tag is: misp-galaxy:malpedia="Asacub"

Table 589. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.asacub

https://securelist.com/the-rise-of-mobile-banker-asacub/87591/

BusyGasper

The tag is: misp-galaxy:malpedia="BusyGasper"

Table 593. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.busygasper

https://securelist.com/busygasper-the-unfriendly-spy/87627/

Catelites

Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim. The distribution vector seems to be fake apps from third-party app stores (not Google Play) or malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification telling the victim that they need to re-authenticate with Google Services and asks for their credit card details to be entered. Currently the malware has overlays for over 2,200 apps of banks and financial institutions.

The tag is: misp-galaxy:malpedia="Catelites"

Table 594. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites

https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang

https://www.youtube.com/watch?v=1LOy0ZyjEOk

Clientor

The tag is: misp-galaxy:malpedia="Clientor"

Table 597. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor

https://twitter.com/LukasStefanko/status/1042297855602503681

Connic

The tag is: misp-galaxy:malpedia="Connic"

Connic is also known as:

  • SpyBanker

Table 598. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic

https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/

Cpuminer (Android)

The tag is: misp-galaxy:malpedia="Cpuminer (Android)"

Table 599. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer

https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/

DoubleLocker

The tag is: misp-galaxy:malpedia="DoubleLocker"

Table 600. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker

https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/

Dvmap

The tag is: misp-galaxy:malpedia="Dvmap"

Table 602. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap

https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/

ExoBot

The tag is: misp-galaxy:malpedia="ExoBot"

Table 603. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot

https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/

FakeGram

The tag is: misp-galaxy:malpedia="FakeGram"

FakeGram is also known as:

  • FakeTGram

Table 604. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.faketgram

https://blog.talosintelligence.com/2018/11/persian-stalker.html

FlexiSpy (Android)

The tag is: misp-galaxy:malpedia="FlexiSpy (Android)"

Table 605. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy

https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/

FlexNet

The tag is: misp-galaxy:malpedia="FlexNet"

FlexNet is also known as:

  • gugi

Table 606. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet

https://twitter.com/LukasStefanko/status/886849558143279104

GPlayed

Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed.

The tag is: misp-galaxy:malpedia="GPlayed"

Table 609. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.gplayed

https://blog.talosintelligence.com/2018/10/gplayedtrojan.html

https://blog.talosintelligence.com/2018/10/gplayerbanker.html

HeroRAT

The tag is: misp-galaxy:malpedia="HeroRAT"

Table 610. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat

https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/

JadeRAT

The tag is: misp-galaxy:malpedia="JadeRAT"

Table 612. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat

https://blog.lookout.com/mobile-threat-jaderat

Koler

The tag is: misp-galaxy:malpedia="Koler"

Table 614. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler

https://twitter.com/LukasStefanko/status/928262059875213312

Lazarus (Android)

The tag is: misp-galaxy:malpedia="Lazarus (Android)"

Table 615. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.lazarus

https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/

Loki

The tag is: misp-galaxy:malpedia="Loki"

Table 617. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki

http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/

LokiBot

Android banker Trojan with the standard banking capabilities such as overlays and SMS stealing. It also features ransomware functionality. Note that the network traffic is obfuscated the same way as in Android Bankbot.

The tag is: misp-galaxy:malpedia="LokiBot"

Table 618. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot

https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html

MysteryBot

MysteryBot is an Android banking Trojan with overlay capabilities and support for Android 7/8; it also provides other features such as keylogging and ransomware functionality.

The tag is: misp-galaxy:malpedia="MysteryBot"

Table 621. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot

https://www.threatfabric.com/blogs/mysterybota_new_android_banking_trojan_ready_for_android_7_and_8.html

Podec

The tag is: misp-galaxy:malpedia="Podec"

Table 623. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.podec

https://securelist.com/jack-of-all-trades/83470/

Fake Pornhub

The tag is: misp-galaxy:malpedia="Fake Pornhub"

Table 625. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub

Raxir

The tag is: misp-galaxy:malpedia="Raxir"

Table 626. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir

https://twitter.com/PhysicalDrive0/statuses/798825019316916224

RedAlert2

RedAlert 2 is a new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server. The malware also has the ability to block incoming calls from banks, to prevent the victim from being notified. As a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber and Whatsapp, or fake Adobe Flash Player updates.

The tag is: misp-galaxy:malpedia="RedAlert2"

Table 627. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores

https://clientsidedetection.com/new_android_trojan_targeting_over_60_banks_and_social_apps.html

Retefe (Android)

The Android app used for Retefe is an SMS stealer, used to forward mTAN codes to the threat actor. Furthermore, a bank logo is added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK does not point to the malicious APK but to the real 'Signal Private Messenger' tool, hence the victim’s phone doesn’t get infected.

The tag is: misp-galaxy:malpedia="Retefe (Android)"

Table 628. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe

http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html

https://www.govcert.admin.ch/blog/33/the-retefe-saga

http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html

http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html

http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html

http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/

SMSspy

The tag is: misp-galaxy:malpedia="SMSspy"

Table 634. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy

StealthAgent

The tag is: misp-galaxy:malpedia="StealthAgent"

Table 637. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent

https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF

Stealth Mango

The tag is: misp-galaxy:malpedia="Stealth Mango"

Table 638. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango

https://www.lookout.com/info/stealth-mango-report-ty

Svpeng

The tag is: misp-galaxy:malpedia="Svpeng"

Table 639. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng

https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/

Switcher

The tag is: misp-galaxy:malpedia="Switcher"

Table 640. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher

https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/

TemptingCedar Spyware

The tag is: misp-galaxy:malpedia="TemptingCedar Spyware"

Table 642. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar

https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware

TinyZ

The tag is: misp-galaxy:malpedia="TinyZ"

TinyZ is also known as:

  • Catelites Android Bot

  • MarsElite Android Bot

Table 643. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz

http://blog.group-ib.com/cron

Triout

Bitdefender described Triout as an Android spyware which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.

The tag is: misp-galaxy:malpedia="Triout"

Table 646. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout

https://labs.bitdefender.com/wp-content/uploads/downloads/triout-the-malware-framework-for-android-that-packs-potent-spyware-capabilities/

Unidentified APK 001

The tag is: misp-galaxy:malpedia="Unidentified APK 001"

Table 647. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001

https://twitter.com/illegalFawn/status/826775250583035904

Unidentified APK 002

The tag is: misp-galaxy:malpedia="Unidentified APK 002"

Table 648. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002

XRat

The tag is: misp-galaxy:malpedia="XRat"

Table 652. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat

https://blog.lookout.com/xrat-mobile-threat

Irc16

The tag is: misp-galaxy:malpedia="Irc16"

Table 655. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16

https://news.drweb.com/show/?c=5&i=10193&lng=en

BCMPUPnP_Hunter

The tag is: misp-galaxy:malpedia="BCMPUPnP_Hunter"

Table 657. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.bcmpupnp_hunter

https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/

Cpuminer (ELF)

This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.

The tag is: misp-galaxy:malpedia="Cpuminer (ELF)"

Table 660. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer

https://github.com/pooler/cpuminer

Ebury

This payload was used to compromise kernel.org back in August 2011 and hit cPanel Support, which in turn infected quite a few cPanel servers. It is a credential-stealing payload which steals SSH keys, passwords, and potentially other credentials.

This family is part of a wider range of tools which are described in detail in the Operation Windigo whitepaper by ESET.

The tag is: misp-galaxy:malpedia="Ebury"

Table 661. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury

https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/

https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy

https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

Erebus (ELF)

The tag is: misp-galaxy:malpedia="Erebus (ELF)"

Table 662. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus

https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/

ext4

The tag is: misp-galaxy:malpedia="ext4"

Table 663. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ext4

https://www.recordedfuture.com/chinese-cyberespionage-operations/

JenX

The tag is: misp-galaxy:malpedia="JenX"

Table 669. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx

https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/

Lady

The tag is: misp-galaxy:malpedia="Lady"

Lady is also known as:

Table 671. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady

https://news.drweb.com/news/?i=10140&lng=en

MiKey

The tag is: misp-galaxy:malpedia="MiKey"

MiKey is also known as:

Table 672. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey

http://www.morphick.com/resources/lab-blog/mikey-linux-keylogger

MrBlack

The tag is: misp-galaxy:malpedia="MrBlack"

MrBlack is also known as:

Table 676. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack

https://news.drweb.com/?i=5760&c=23&lng=en

PerlBot

The tag is: misp-galaxy:malpedia="PerlBot"

PerlBot is also known as:

  • DDoS Perl IrcBot

  • ShellBot

Table 679. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot

https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf

Rakos

The tag is: misp-galaxy:malpedia="Rakos"

Rakos is also known as:

Table 682. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos

http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/

Shishiga

The tag is: misp-galaxy:malpedia="Shishiga"

Shishiga is also known as:

Table 686. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga

https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/

Spamtorte

The tag is: misp-galaxy:malpedia="Spamtorte"

Spamtorte is also known as:

Table 687. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte

http://cyber.verint.com/resource/spamtorte-v2-investigating-a-multi-layered-spam-botnet/

SSHDoor

The tag is: misp-galaxy:malpedia="SSHDoor"

SSHDoor is also known as:

Table 688. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor

http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html

Torii

The tag is: misp-galaxy:malpedia="Torii"

Torii is also known as:

Table 690. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii

https://blog.avast.com/new-torii-botnet-threat-research

Trump Bot

The tag is: misp-galaxy:malpedia="Trump Bot"

Trump Bot is also known as:

Table 691. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot

http://paper.seebug.org/345/

Turla RAT

The tag is: misp-galaxy:malpedia="Turla RAT"

Turla RAT is also known as:

Table 693. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat

elf.wellmess

The tag is: misp-galaxy:malpedia="elf.wellmess"

elf.wellmess is also known as:

Table 696. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess

Xaynnalc

The tag is: misp-galaxy:malpedia="Xaynnalc"

Xaynnalc is also known as:

Table 699. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc

https://twitter.com/michalmalik/status/846368624147353601

Zollard

The tag is: misp-galaxy:malpedia="Zollard"

Zollard is also known as:

  • darlloz

Table 702. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard

https://blogs.cisco.com/security/the-internet-of-everything-including-malware

GuiInject

The tag is: misp-galaxy:malpedia="GuiInject"

GuiInject is also known as:

Table 704. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject

https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/

WireLurker (iOS)

The iOS malware that is installed over USB by osx.wirelurker

The tag is: misp-galaxy:malpedia="WireLurker (iOS)"

WireLurker (iOS) is also known as:

Table 705. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

AdWind

Part of a Malware-as-a-Service platform. Used as a generic name for Java-based RATs.

Functionality:

  • collect general system and user information

  • terminate processes

  • log keystrokes

  • take screenshots and access the webcam

  • steal cached passwords from local or web forms

  • download and execute malware

  • modify the registry

  • download components

  • Denial of Service attacks

  • acquire VPN certificates

Initial infection vector:

  1. Email with JAR files attached

  2. Malspam URL to download the malware

Persistence: Run key at HKCU\Software\Microsoft\Windows\current version\run

Hiding: uses attrib.exe

Notes on Adwind: the malware is not known to be proxy aware.

The tag is: misp-galaxy:malpedia="AdWind"

AdWind is also known as:

  • AlienSpy

  • Frutas

  • JBifrost

  • JSocket

  • Sockrat

  • UNRECOM

Table 706. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind

https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html

http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat

http://malware-traffic-analysis.net/2017/07/04/index.html

https://codemetrix.net/decrypting-adwind-jrat-jbifrost-trojan/

https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885

https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html

jRAT

jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSDs. It also has functionality to participate in DDoS attacks as well as to perform click fraud. Note that the Adwind family is often mistakenly labeled as jRAT because of a red herring reference to jrat.io.

The tag is: misp-galaxy:malpedia="jRAT"

jRAT is also known as:

  • Jacksbot

Table 708. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat

https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/

https://github.com/java-rat

https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered

jSpy

The tag is: misp-galaxy:malpedia="jSpy"

jSpy is also known as:

Table 709. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy

https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/

Qarallax RAT

According to SpiderLabs, in May 2015 the "company" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).

The tag is: misp-galaxy:malpedia="Qarallax RAT"

Qarallax RAT is also known as:

Table 710. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat

http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/

https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/

QRat

QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screenshots/streaming, ...), and it comes as a SaaS. For additional historical context, please see jar.qarallax.

The tag is: misp-galaxy:malpedia="QRat"

QRat is also known as:

  • Quaverse RAT

Table 711. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat

https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT—​Remote-Access-as-a-Service/

https://blogs.forcepoint.com/security-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market

https://www.digitrustgroup.com/java-rat-qrat/

Ratty

Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.

The tag is: misp-galaxy:malpedia="Ratty"

Ratty is also known as:

Table 712. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty

https://github.com/shotskeber/Ratty

CACTUSTORCH

According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.

The tag is: misp-galaxy:malpedia="CACTUSTORCH"

CACTUSTORCH is also known as:

Table 715. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch

https://github.com/mdsecactivebreach/CACTUSTORCH

CryptoNight

WebAssembly-based crypto miner.

The tag is: misp-galaxy:malpedia="CryptoNight"

CryptoNight is also known as:

Table 716. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight

https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec

https://twitter.com/JohnLaTwC/status/983011262731714565

Griffon

The tag is: misp-galaxy:malpedia="Griffon"

Griffon is also known as:

Table 718. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon

https://twitter.com/ItsReallyNick/status/1059898708286939136

magecart

The tag is: misp-galaxy:malpedia="magecart"

magecart is also known as:

Table 720. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart

https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/

More_eggs

More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are:

  • d&exec = download and execute PE file

  • gtfo = delete files/startup entries and terminate

  • more_eggs = download additional/new scripts

  • more_onion = run new script and terminate current script

  • more_power = run command shell commands

The tag is: misp-galaxy:malpedia="More_eggs"

More_eggs is also known as:

  • SpicyOmelette

Table 721. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs

https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/

https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/

https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish

https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/

https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html

https://asert.arbornetworks.com/double-the-infection-double-the-fun/

https://blog.morphisec.com/cobalt-gang-2.0

Maintools.js

Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.

The tag is: misp-galaxy:malpedia="Maintools.js"

Maintools.js is also known as:

Table 725. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools

https://twitter.com/JohnLaTwC/status/915590893155098629

Unidentified 050 (APT32 Profiler)

The tag is: misp-galaxy:malpedia="Unidentified 050 (APT32 Profiler)"

Unidentified 050 (APT32 Profiler) is also known as:

Table 726. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_050

https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f

https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef

witchcoven

The tag is: misp-galaxy:malpedia="witchcoven"

witchcoven is also known as:

Table 727. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven

https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf

Careto

The tag is: misp-galaxy:malpedia="Careto"

Careto is also known as:

  • Appetite

  • Mask

Table 729. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto

https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed

CoinThief

The tag is: misp-galaxy:malpedia="CoinThief"

CoinThief is also known as:

Table 730. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief

https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed

Coldroot RAT

The tag is: misp-galaxy:malpedia="Coldroot RAT"

Coldroot RAT is also known as:

Table 731. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat

https://objective-see.com/blog/blog_0x2A.html

CpuMeaner

The tag is: misp-galaxy:malpedia="CpuMeaner"

CpuMeaner is also known as:

Table 732. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner

https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/

Dummy

The tag is: misp-galaxy:malpedia="Dummy"

Dummy is also known as:

Table 737. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy

https://objective-see.com/blog/blog_0x32.html

EvilOSX

The tag is: misp-galaxy:malpedia="EvilOSX"

EvilOSX is also known as:

Table 738. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx

https://github.com/Marten4n6/EvilOSX

https://twitter.com/JohnLaTwC/status/966139336436498432

Kitmos

The tag is: misp-galaxy:malpedia="Kitmos"

Kitmos is also known as:

  • KitM

Table 745. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos

https://www.f-secure.com/weblog/archives/00002558.html

MacDownloader

The tag is: misp-galaxy:malpedia="MacDownloader"

MacDownloader is also known as:

Table 749. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader

https://iranthreats.github.io/resources/macdownloader-macos-malware/

MacInstaller

The tag is: misp-galaxy:malpedia="MacInstaller"

MacInstaller is also known as:

Table 750. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller

https://objective-see.com/blog/blog_0x16.html

MacSpy

The tag is: misp-galaxy:malpedia="MacSpy"

MacSpy is also known as:

Table 752. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy

https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service

MacVX

The tag is: misp-galaxy:malpedia="MacVX"

MacVX is also known as:

Table 753. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx

https://objective-see.com/blog/blog_0x16.html

MaMi

The tag is: misp-galaxy:malpedia="MaMi"

MaMi is also known as:

Table 754. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami

https://objective-see.com/blog/blog_0x26.html

Mughthesec

The tag is: misp-galaxy:malpedia="Mughthesec"

Mughthesec is also known as:

Table 756. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec

https://objective-see.com/blog/blog_0x20.html

Patcher

The tag is: misp-galaxy:malpedia="Patcher"

Patcher is also known as:

  • Findzip

Table 759. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher

http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/

Pwnet

Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.

The tag is: misp-galaxy:malpedia="Pwnet"

Pwnet is also known as:

Table 762. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet

https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/

systemd

General-purpose backdoor.

The tag is: misp-galaxy:malpedia="systemd"

systemd is also known as:

Table 764. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd

https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en

Winnti (OS X)

The tag is: misp-galaxy:malpedia="Winnti (OS X)"

Winnti (OS X) is also known as:

Table 766. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti

https://401trg.pw/winnti-evolution-going-open-source/

https://401trg.pw/an-update-on-winnti/

WSO

The tag is: misp-galaxy:malpedia="WSO"

WSO is also known as:

  • Webshell by Orb

Table 772. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/php.wso

https://github.com/wso-shell

https://securelist.com/energetic-bear-crouching-yeti/85345/

Silence DDoS

The tag is: misp-galaxy:malpedia="Silence DDoS"

Silence DDoS is also known as:

Table 773. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos

https://www.group-ib.com/resources/threat-research/silence.html

GhostMiner

The tag is: misp-galaxy:malpedia="GhostMiner"

GhostMiner is also known as:

Table 775. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer

https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless

PowerWare

The tag is: misp-galaxy:malpedia="PowerWare"

PowerWare is also known as:

Table 777. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware

https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats

sLoad

sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.

The tag is: misp-galaxy:malpedia="sLoad"

sLoad is also known as:

Table 781. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload

https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9

https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy

https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/

https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html

Tater PrivEsc

The tag is: misp-galaxy:malpedia="Tater PrivEsc"

Tater PrivEsc is also known as:

Table 782. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater

https://github.com/Kevin-Robertson/Tater

ThunderShell

The tag is: misp-galaxy:malpedia="ThunderShell"

ThunderShell is also known as:

Table 783. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell

https://github.com/Mr-Un1k0d3r/ThunderShell

WMImplant

The tag is: misp-galaxy:malpedia="WMImplant"

WMImplant is also known as:

Table 784. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant

https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html

FlexiSpy (symbian)

The tag is: misp-galaxy:malpedia="FlexiSpy (symbian)"

FlexiSpy (symbian) is also known as:

Table 787. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy

https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/

7ev3n

The NJCCIC describes 7ev3n as a ransomware "that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disable various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n."

The tag is: misp-galaxy:malpedia="7ev3n"

7ev3n is also known as:

Table 788. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n

https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/

https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n

abantes

The tag is: misp-galaxy:malpedia="abantes"

abantes is also known as:

Table 791. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes

https://github.com/ElektroKill/AbantesTrojan

Abbath Banker

The tag is: misp-galaxy:malpedia="Abbath Banker"

Abbath Banker is also known as:

Table 792. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker

AcridRain

AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, and credit cards from multiple browsers. It can also dump Telegram and Steam sessions, steal recent FileZilla connections, and more.

The tag is: misp-galaxy:malpedia="AcridRain"

AcridRain is also known as:

Table 793. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain

https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/

Acronym

The tag is: misp-galaxy:malpedia="Acronym"

Acronym is also known as:

Table 794. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym

https://www.arbornetworks.com/blog/asert/acronym-m-is-for-malware/

AdamLocker

Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.

The tag is: misp-galaxy:malpedia="AdamLocker"

AdamLocker is also known as:

Table 795. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016

https://twitter.com/JaromirHorejsi/status/813712587997249536

AdvisorsBot

AdvisorsBot is a downloader named after early command and control domains that all contained the word "advisors". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.

The tag is: misp-galaxy:malpedia="AdvisorsBot"

AdvisorsBot is also known as:

Table 797. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot

https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot

Aldibot

According to the Trend Micro Encyclopedia: ALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, the instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.

This malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.

This bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.

This malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.

This backdoor executes commands from a remote malicious user, effectively compromising the affected system.

The tag is: misp-galaxy:malpedia="Aldibot"

Aldibot is also known as:

Table 801. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot

AlmaLocker

The tag is: misp-galaxy:malpedia="AlmaLocker"

AlmaLocker is also known as:

Table 806. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker

ALPC Local PrivEsc

The tag is: misp-galaxy:malpedia="ALPC Local PrivEsc"

ALPC Local PrivEsc is also known as:

Table 807. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe

https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/

Alphabet Ransomware

The tag is: misp-galaxy:malpedia="Alphabet Ransomware"

Alphabet Ransomware is also known as:

Table 808. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware

https://twitter.com/JaromirHorejsi/status/813714602466877440

AlphaLocker

AlphaLocker is a new form of ransomware built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.

AlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware’s author is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines and evade detection.

AlphaLocker’s encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user’s computer and saving the private key on the server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, then encrypts this key with the public RSA key and sends it to the C&C server.

To decrypt their files, users have to obtain the private RSA key, which can decrypt the AES keys protecting the files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.

The tag is: misp-galaxy:malpedia="AlphaLocker"

AlphaLocker is also known as:

Table 809. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker

https://blog.cylance.com/an-introduction-to-alphalocker

Alreay

The tag is: misp-galaxy:malpedia="Alreay"

Alreay is also known as:

Table 811. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay

https://securelist.com/blog/sas/77908/lazarus-under-the-hood/

Antilam

The tag is: misp-galaxy:malpedia="Antilam"

Antilam is also known as:

  • Latinus

Table 816. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam

Apocalipto

The tag is: misp-galaxy:malpedia="Apocalipto"

Apocalipto is also known as:

Table 817. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto

https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf

ArdaMax

The tag is: misp-galaxy:malpedia="ArdaMax"

ArdaMax is also known as:

Table 819. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax

Arik Keylogger

The tag is: misp-galaxy:malpedia="Arik Keylogger"

Arik Keylogger is also known as:

  • Aaron Keylogger

Table 821. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger

http://remote-keylogger.net/

https://www.invincea.com/2016/09/crimeware-as-a-service-goes-mainstream/

ARS VBS Loader

ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which at the same time seems to be based on SafeLoader.

The tag is: misp-galaxy:malpedia="ARS VBS Loader"

ARS VBS Loader is also known as:

Table 823. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader

https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/

https://twitter.com/Racco42/status/1001374490339790849

https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/

AscentLoader

The tag is: misp-galaxy:malpedia="AscentLoader"

AscentLoader is also known as:

Table 824. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader

ASPC

The tag is: misp-galaxy:malpedia="ASPC"

ASPC is also known as:

Table 825. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc

Asprox

The tag is: misp-galaxy:malpedia="Asprox"

Asprox is also known as:

  • Aseljo

  • BadSrc

Table 826. Table References