forked from MISP/misp-galaxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
banker.json
525 lines (525 loc) · 23.5 KB
/
banker.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
{
"values": [
{
"meta": {
"refs": [
"https://usa.kaspersky.com/resource-center/threats/zeus-virus"
],
"synonyms": [
"Zbot"
],
"date": "Initally discovered between 2006 and 2007. New bankers with Zeus roots still active today."
},
"description": "Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.",
"value": "Zeus"
},
{
"meta": {
"refs": [
"https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/",
"https://www.fidelissecurity.com/threatgeek/2016/05/vawtrak-trojan-bank-it-evolving",
"https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows",
"https://www.botconf.eu/wp-content/uploads/2016/11/2016-Vawtrak-technical-report.pdf"
],
"synonyms": [
"Neverquest"
],
"date": "Discovered early 2013"
},
"description": "Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.",
"value": "Vawtrak"
},
{
"meta": {
"refs": [
"https://blog.malwarebytes.com/detections/trojan-dridex/",
"https://feodotracker.abuse.ch/"
],
"synonyms": [
"Feodo Version D"
],
"date": "Discovery in 2014, still active"
},
"description": " Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.",
"value": "Dridex"
},
{
"meta": {
"refs": [
"https://www.secureworks.com/research/gozi",
"https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007",
"https://lokalhost.pl/gozi_tree.txt"
],
"synonyms": [
"Ursnif",
"CRM",
"Snifula",
"Papras"
],
"date": "First seen ~ 2007"
},
"description": "Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010",
"value": "Gozi"
},
{
"meta": {
"refs": [
"https://krebsonsecurity.com/tag/gozi-prinimalka/",
"https://securityintelligence.com/project-blitzkrieg-how-to-block-the-planned-prinimalka-gozi-trojan-attack/",
"https://lokalhost.pl/gozi_tree.txt"
],
"synonyms": [
"Prinimalka"
],
"date": "Fall Oct. 2012 - Spring 2013"
},
"description": "Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.",
"value": "Goziv2"
},
{
"meta": {
"refs": [
"https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature",
"https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
"https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak",
"https://lokalhost.pl/gozi_tree.txt"
],
"date": "Beginning 2010"
},
"description": "Banking trojan based on Gozi source. Features include web injects for the victims’ browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.",
"value": "Gozi ISFB"
},
{
"meta": {
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/",
"https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality",
"https://lokalhost.pl/gozi_tree.txt"
],
"date": "Since 2014"
},
"description": "Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.",
"value": "Dreambot"
},
{
"meta": {
"refs": [
"https://lokalhost.pl/gozi_tree.txt",
"http://archive.is/I7hi8#selection-217.0-217.6"
],
"date": "Seen Autumn 2014"
},
"description": "Gozi ISFB variant ",
"value": "IAP"
},
{
"meta": {
"refs": [
"https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
"https://lokalhost.pl/gozi_tree.txt"
],
"date": "Spring 2016"
},
"description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers.",
"value": "GozNym"
},
{
"meta": {
"refs": [
"https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle",
"https://www.scmagazine.com/terdot-zloaderzbot-combo-abuses-certificate-app-to-pull-off-mitm-browser-attacks/article/634443/"
],
"synonyms": [
"Zeus Terdot"
],
"date": "First seen in Fall 2016 and still active today."
},
"description": "Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails. ",
"value": "Zloader Zeus"
},
{
"meta": {
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/",
"https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/"
],
"synonyms": [
"VM Zeus"
],
"date": "First seen ~Feb 2014"
},
"description": "Zeus variant that utilizes steganography in image files to retrieve configuration file. ",
"value": "Zeus VM"
},
{
"meta": {
"refs": [
"https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/"
],
"date": "First seen ~Aug 2015"
},
"description": "Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.",
"value": "Zeus Sphinx"
},
{
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market",
"https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf"
],
"synonyms": [
"Zeus Panda"
],
"date": "First seen ~ Spring 2016"
},
"description": "Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.",
"value": "Panda Banker"
},
{
"meta": {
"refs": [
"https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/",
"https://github.com/nyx0/KINS"
],
"synonyms": [
"Kasper Internet Non-Security",
"Maple"
],
"date": "First seen 2014"
},
"description": "Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it's config in the registry. ",
"value": "Zeus KINS"
},
{
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan",
"https://securelist.com/chthonic-a-new-modification-of-zeus/68176/"
],
"date": "First seen fall of 2014"
},
"description": "Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.",
"value": "Chthonic"
},
{
"meta": {
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/",
"https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/",
"http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html",
"https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/"
],
"synonyms": [
"Trickster",
"Trickloader"
],
"date": "Discovered Fall 2016"
},
"description": "Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan",
"value": "Trickbot"
},
{
"meta": {
"refs": [
"https://www.secureworks.com/research/dyre-banking-trojan",
"https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/"
],
"synonyms": [
"Dyreza"
],
"date": "Discovered ~June 2014"
},
"description": "Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.",
"value": "Dyre"
},
{
"meta": {
"refs": [
"https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/",
"http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/",
"https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/",
"http://my.infotex.com/tiny-banker-trojan/"
],
"synonyms": [
"Zusy",
"TinyBanker",
"illi"
],
"date": "Discovered ~Spring 2012"
},
"description": "Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.",
"value": "Tinba"
},
{
"meta": {
"refs": [
"https://feodotracker.abuse.ch/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/"
],
"synonyms": [
"Feodo Version C",
"Emotet"
],
"date": "Discovered ~Summer 2014"
},
"description": "Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.",
"value": "Geodo"
},
{
"meta": {
"refs": [
"https://securelist.com/dridex-a-history-of-evolution/78531/",
"https://feodotracker.abuse.ch/",
"http://stopmalvertising.com/rootkits/analysis-of-cridex.html"
],
"synonyms": [
"Bugat",
"Cridex"
],
"date": "Discovered ~September 2011"
},
"description": "Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. Version A = Port 8080, Version B = Port 80 It is delivered primarily via exploit kits and malspam emails.",
"value": "Feodo"
},
{
"meta": {
"refs": [
"https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/"
],
"synonyms": [
"Nimnul"
],
"date": "Discovered ~2010."
},
"description": "Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.",
"value": "Ramnit"
},
{
"meta": {
"refs": [
"https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/",
"https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/",
"https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf"
],
"synonyms": [
"Qbot ",
"Pinkslipbot"
],
"date": "Discovered ~2007"
},
"description": "Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.",
"value": "Qakbot"
},
{
"meta": {
"refs": [
"https://securityintelligence.com/an-overnight-sensation-corebot-returns-as-a-full-fledged-financial-malware/",
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf",
"https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/"
],
"date": "Discovered ~Fall 2015"
},
"description": "Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.",
"value": "Corebot"
},
{
"meta": {
"refs": [
"https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/",
"https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/",
"https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/",
"http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596",
"https://benkowlab.blogspot.ca/2017/08/quick-look-at-another-alina-fork-xbot.html"
],
"synonyms": [
"NukeBot",
"Nuclear Bot",
"MicroBankingTrojan",
"Xbot"
],
"date": "Discovered ~December 2016"
},
"description": "TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It's main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.",
"value": "TinyNuke"
},
{
"meta": {
"refs": [
"https://www.govcert.admin.ch/blog/33/the-retefe-saga",
"https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/",
"https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/",
"https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/",
"http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/"
],
"synonyms": [
"Tsukuba",
"Werdlod"
],
"date": "Discovered in 2014"
},
"description": "Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails. ",
"value": "Retefe"
},
{
"meta": {
"refs": [
"http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html",
"https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under",
"http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/"
],
"date": "Discovered ~early 2015"
},
"description": "ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.",
"value": "ReactorBot"
},
{
"meta": {
"refs": [
"https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/"
],
"date": "Discovered ~Spring 2017"
},
"description": "Matrix Banker is named accordingly because of the Matrix reference in it's C2 panel. Distributed primarily via malspam emails.",
"value": "Matrix Banker"
},
{
"meta": {
"refs": [
"https://heimdalsecurity.com/blog/zeus-gameover/",
"https://www.us-cert.gov/ncas/alerts/TA14-150A"
],
"date": "Discovered ~Sept. 2011"
},
"description": "Zeus Gameover captures banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.",
"value": "Zeus Gameover"
},
{
"meta": {
"refs": [
"https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf",
"https://www.computerworld.com/article/2509482/security0/spyeye-trojan-defeating-online-banking-defenses.html",
"https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot"
],
"date": "Discovered early 2011"
},
"description": "SpyEye is a similar to the Zeus botnet banking trojan. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, ftp grabber, pop3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.",
"value": "SpyEye"
},
{
"meta": {
"refs": [
"https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/",
"https://krebsonsecurity.com/tag/citadel-trojan/",
"https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/"
],
"date": "Discovered ~January 2012"
},
"description": "Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.",
"value": "Citadel"
},
{
"meta": {
"refs": [
"https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/",
"http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
],
"date": "Discovered ~spring 2016"
},
"description": "Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.",
"value": "Atmos"
},
{
"meta": {
"refs": [
"https://securelist.com/ice-ix-not-cool-at-all/29111/ "
],
"date": "Discovered ~Fall 2011"
},
"description": "Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.",
"value": "Ice IX"
},
{
"meta": {
"refs": [
"https://securelist.com/zeus-in-the-mobile-for-android-10/29258/"
],
"date": "Discovered ~end of 2010"
},
"description": "Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.",
"value": "Zitmo"
},
{
"meta": {
"refs": [
"https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/",
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A",
"https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3aWin32%2fMurofet.A"
],
"synonyms": [
"Murofet"
],
"date": "Discovered in 2010"
},
"description": "Banking trojan based on Zeus V2. Murofet is a newer version of Licat found ~end of 2011",
"value": "Licat"
},
{
"meta": {
"refs": [
"https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/"
],
"date": "Discovered end of 2012"
},
"description": "Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.",
"value": "Skynet"
},
{
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/",
"https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"
],
"date": "Discovered in September 2017"
},
"description": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.",
"value": "IcedID"
},
{
"value": "GratefulPOS",
"description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
"meta": {
"refs": [
"https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
]
}
},
{
"value": "Dok",
"description": "A macOS banking trojan that that redirects an infected user's web traffic in order to extract banking credentials.",
"meta": {
"refs": [
"https://objective-see.com/blog/blog_0x25.html#Dok"
]
}
},
{
"value": "downAndExec",
"description": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.",
"meta": {
"refs": [
"https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/"
]
}
}
],
"version": 7,
"uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
"description": "A list of banker malware.",
"authors": [
"Unknown"
],
"source": "Open Sources",
"type": "banker",
"name": "Banker"
}