Introduction

MISP logo

The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.

MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme. The following document is generated from the machine-readable JSON describing the MISP galaxy.

Funding and Support

The MISP project is financially and resource supported by CIRCL Computer Incident Response Center Luxembourg .

CIRCL logo

A CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31th August 2019 as Improving MISP as building blocks for next-generation information sharing.

CEF funding

If you are interested to co-fund projects around MISP, feel free to get in touch with us.

MISP galaxy

360.net Threat Actors

Known or estimated adversary groups as identified by 360.net..

360.net Threat Actors is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

360.net

CIA - APT-C-39

APT-C-39是一个来自美国,与NSA存在联系,系属于CIA的高规格,高水平的APT组织。对中国关键领域进行了长达十一年的网络渗透攻击。中国航空航天、科研机构、石油行业、大型互联网公司以及政府机构等多个单位均遭到不同程度的攻击

The tag is: misp-galaxy:360net-threat-actor="CIA - APT-C-39"

CIA - APT-C-39 is also known as:

Table 1. Table References

Links

https://apt.360.net/report/apts/96.html

https://apt.360.net/report/apts/12.html

海莲花 - APT-C-00

海莲花(OceanLotus)APT团伙是一个高度组织化的、专业化的境外国家级黑客组织,其最早由360发现并披露。该组织至少自2012年4月起便针对中国政府、科研院所、海事机构、海域建设、航运企业等相关重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。

The tag is: misp-galaxy:360net-threat-actor="海莲花 - APT-C-00"

海莲花 - APT-C-00 is also known as:

  • OceanLotus

Table 2. Table References

Links

https://apt.360.net/report/apts/93.html

https://apt.360.net/report/apts/1.html

https://apt.360.net/report/apts/94.html

摩诃草 - APT-C-09

摩诃草组织(APT-C-09),又称HangOver、VICEROY TIGER、The Dropping Elephant、Patchwork,是一个来自南亚地区的境外APT组织,该组织已持续活跃了12年。摩诃草组织最早由Norman安全公司于2013年曝光,随后又有其他安全厂商持续追踪并披露该组织的最新活动,但该组织并未由于相关攻击行动曝光而停止对相关目标的攻击,相反从2015年开始更加活跃。摩诃草组织主要针对中国、巴基斯坦等亚洲地区国家进行网络间谍活动,其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2009年11月,至今还非常活跃。在针对中国地区的攻击中,该组织主要针对政府机构、科研教育领域进行攻击,其中以科研教育领域为主。

The tag is: misp-galaxy:360net-threat-actor="摩诃草 - APT-C-09"

摩诃草 - APT-C-09 is also known as:

  • HangOver

  • VICEROY TIGER

  • The Dropping Elephant

  • Patchwork

Table 3. Table References

Links

https://apt.360.net/report/apts/110.html

https://apt.360.net/report/apts/6.html

黄金鼠 - APT-C-27

从2014年11月起至今,黄金鼠组织(APT-C-27)对叙利亚地区展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台从开始的Windows平台逐渐扩展至Android平台,截至目前我们一共捕获了Android平台攻击样本29个,Windows平台攻击样本55个,涉及的C&C域名9个。将APT-C-27组织命名为黄金鼠,主要是考虑了以下几方面的因素:一是该组织在攻击过程中使用了大量的资源,说明该攻击组织资源丰富,而黄金鼠有长期在野外囤积粮食的习惯,字面上也有丰富的含义;二、该攻击组织通常是间隔一段时间出来攻击一次,这跟鼠有相通的地方;三是黄金仓鼠是叙利亚地区一种比较有代表性的动物。

The tag is: misp-galaxy:360net-threat-actor="黄金鼠 - APT-C-27"

黄金鼠 - APT-C-27 is also known as:

Table 4. Table References

Links

https://apt.360.net/report/apts/100.html

https://apt.360.net/report/apts/98.html

https://apt.360.net/report/apts/26.html

Lazarus - APT-C-26

Lazarus组织是疑似来自朝鲜的APT组织,该组织长期对韩国、美国进行渗透攻击,此外还对全球的金融机构进行攻击,堪称全球金融机构的最大威胁。该组织最早的攻击活动可以追溯到2007年。据国外安全公司的调查显示,Lazarus组织与2014 年索尼影业遭黑客攻击事件,2016 年孟加拉国银行数据泄露事件,2017年美国国防承包商、美国能源部门及英国、韩国等比特币交易所被攻击等事件有关。而2017年席卷全球的最臭名昭著的安全事件“Wannacry”勒索病毒也被怀疑是该组织所为。

The tag is: misp-galaxy:360net-threat-actor="Lazarus - APT-C-26"

Lazarus - APT-C-26 is also known as:

  • APT38

Table 5. Table References

Links

https://apt.360.net/report/apts/9.html

https://apt.360.net/report/apts/101.html

https://apt.360.net/report/apts/90.html

黄金雕 - APT-C-34

黄金雕组织的活动主要影响中亚地区,大部分集中在哈萨克斯坦国境内,攻击目标涉及教育行业、政府机关人员、科研人员、媒体工作人员、部分商务工业、军方人员、宗教人员、政府异见人士和外交人员等。该组织使用社会工程学、物理接触、无线电监听等方式进行网络攻击,同时也采购了HackingTeam、NSO Group等网络军火商的武器,具备0day漏洞的高级入侵能力。360参照中亚地区擅长驯养猎鹰进行狩猎的习俗特性,将该组织命名为黄金雕(APT-C-34)。

The tag is: misp-galaxy:360net-threat-actor="黄金雕 - APT-C-34"

黄金雕 - APT-C-34 is also known as:

Table 6. Table References

Links

https://apt.360.net/report/apts/11.html

盲眼鹰 - APT-C-36

从2018年4月起至今,一个疑似来自南美洲的APT组织盲眼鹰(APT-C-36)针对哥伦比亚政府机构和大型公司(金融、石油、制造等行业)等重要领域展开了有组织、有计划、针对性的长期不间断攻击。其攻击平台主要为Windows,攻击目标锁定为哥伦比亚政企机构。由于该组织攻击的目标中有一个特色目标是哥伦比亚盲人研究所,而哥伦比亚在足球领域又被称为南美雄鹰,结合该组织的一些其它特点以及360威胁情报中心对 APT 组织的命名规则,我们将该组织命名为盲眼鹰(APT-C-36)。

The tag is: misp-galaxy:360net-threat-actor="盲眼鹰 - APT-C-36"

盲眼鹰 - APT-C-36 is also known as:

Table 7. Table References

Links

https://apt.360.net/report/apts/83.html

毒针 - APT-C-31

2018年11月25日,360高级威胁应对团队就在全球范围内第一时间发现了一起针对俄罗斯的APT攻击行动,攻击目标则指向俄罗斯总统办公室所属的医疗机构,此次攻击行动使用了Flash 0day漏洞CVE-2018-15982和Hacking Team的RCS后门程序,结合被攻击目标医疗机构的职能特色,360将此次APT攻击命名为“毒针”行动。

The tag is: misp-galaxy:360net-threat-actor="毒针 - APT-C-31"

毒针 - APT-C-31 is also known as:

Table 8. Table References

Links

https://apt.360.net/report/apts/10.html

ArmaRat - APT-C-33

2016年7月,360发现一起针对伊朗Android手机用户长达两年之久的APT攻击活动。攻击者借助社交软件Telegram分享经过伪装的ArmaRat木马,入侵成功后攻击者可以完全控制用户手机,并对用户手机进行实时监控。由于该木马演变过程中C&C及代码结构均出现“arma”关键字,所以我们将该组织命名为“ArmaRat”。

The tag is: misp-galaxy:360net-threat-actor="ArmaRat - APT-C-33"

ArmaRat - APT-C-33 is also known as:

Table 9. Table References

Links

https://apt.360.net/report/apts/48.html

军刀狮 - APT-C-38

从2015年7月起至今,军刀狮组织(APT-C-38)在中东地区展开了有组织、有计划、针对性的不间断攻击,其攻击平台为Windows和Android。由于军刀狮组织的攻击目标有一个主要的特色目标是西亚中东某国的库尔德人,另Windows端RAT包含的PDB路径下出现多次的“Saber”,而亚洲狮为该中东国家的代表动物,结合该组织的一些其它特点以及360对 APT 组织的命名规则,我们将该组织命名为军刀狮(APT-C-38)。

The tag is: misp-galaxy:360net-threat-actor="军刀狮 - APT-C-38"

军刀狮 - APT-C-38 is also known as:

Table 10. Table References

Links

https://apt.360.net/report/apts/30.html

拍拍熊 - APT-C-37

拍拍熊组织(APT-C-37)针对极端组织“伊斯兰国”展开了有组织、有计划、针对性的长期不间断攻击,其攻击平台为Windows和Android。

The tag is: misp-galaxy:360net-threat-actor="拍拍熊 - APT-C-37"

拍拍熊 - APT-C-37 is also known as:

Table 11. Table References

Links

https://apt.360.net/report/apts/28.html

https://apt.360.net/report/apts/103.html

人面狮 - APT-C-15

人面狮行动是活跃在中东地区的网络间谍活动,主要目标可能涉及到埃及和以色列等国家的不同组织,目的是窃取目标敏感数据信息。活跃时间主要集中在2014年6月到2015年11月期间,相关攻击活动最早可以追溯到2011年12月。主要利用社交网络进行水坑攻击,截止到目前总共捕获到恶意代码样本314个,C&C域名7个。

The tag is: misp-galaxy:360net-threat-actor="人面狮 - APT-C-15"

人面狮 - APT-C-15 is also known as:

Table 12. Table References

Links

https://apt.360.net/report/apts/8.html

美人鱼 - APT-C-07

美人鱼组织(APT-C-07),来自于中东的境外APT组织,已持续活跃了9年。 主要针对政府机构进行网络间谍活动,以窃取敏感信息为目的,已经证实有针对丹麦外交部的攻击。

The tag is: misp-galaxy:360net-threat-actor="美人鱼 - APT-C-07"

美人鱼 - APT-C-07 is also known as:

Table 13. Table References

Links

https://apt.360.net/report/apts/4.html

双尾蝎 - APT-C-23

2016年5月起至今,双尾蝎组织(APT-C-23)对巴勒斯坦教育机构、军事机构等重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台包括Windows与Android,攻击范围主要为中东地区,截至目前我们一共捕获了Android样本24个,Windows样本19个,涉及的C&C域名29个。将APT-C-23组织命名为双尾蝎,主要是考虑了以下几方面的因素:一是该组织同时攻击了巴勒斯坦和以色列这两个存在一定敌对关系的国家,这种情况在以往并不多见;二是该组织同时在Windows和Android两种平台上发动攻击。虽然以往我们截获的APT组织中也有一些进行多平台攻击的例子,如海莲花,但绝大多数APT组织攻击的重心仍然是Windows平台。而同时注重两种平台,并且在Android平台上攻击如此活跃的APT组织,在以往并不多见。第三个原因就是蝎子在巴以地区是一种比较有代表性的动物。

The tag is: misp-galaxy:360net-threat-actor="双尾蝎 - APT-C-23"

双尾蝎 - APT-C-23 is also known as:

Table 14. Table References

Links

https://apt.360.net/report/apts/27.html

蓝宝菇 - APT-C-12

从2011年开始持续至今,高级攻击组织蓝宝菇(APT-C-12)对我国政府、军工、科研、金融等重点单位和部门进行了持续的网络间谍活动。该组织主要关注核工业和科研等相关信息。被攻击目标主要集中在中国大陆境内。

The tag is: misp-galaxy:360net-threat-actor="蓝宝菇 - APT-C-12"

蓝宝菇 - APT-C-12 is also known as:

  • 核危机行动(Operation NuclearCrisis)

Table 15. Table References

Links

https://apt.360.net/report/apts/7.html

毒云藤 - APT-C-01

APT-C-01又名毒云藤,是一个长期针对中国境内的APT组织,至少从2007年开始活跃。曾对中国国防、政府、科技、教育以及海事机构等重点单位和部门进行了长达11年的网络间谍活动,主要关注军工、中美关系、两岸关系和海洋相关的领域,旨在窃取重大决策及敏感信息。APT-C-01由360威胁情报中心首次披露,结合该组织关联地区常见的蔓藤植物,因此将其命名为“毒云藤”。

The tag is: misp-galaxy:360net-threat-actor="毒云藤 - APT-C-01"

毒云藤 - APT-C-01 is also known as:

  • 穷奇

  • 白海豚

  • 绿斑

Table 16. Table References

Links

https://apt.360.net/report/apts/2.html

Darkhotel - APT-C-06

Darkhotel(APT-C-06)是一个长期针对企业高管、国防工业、电子工业等重要机构实施网络间谍攻击活动的APT组织。2014年11月,卡巴斯基实验室的安全专家首次发现了Darkhotel APT组织,并声明该组织至少从2010年就已经开始活跃,目标基本锁定在韩国、中国、俄罗斯和日本。卡巴斯基将该组织命名为Darkhotel(暗黑客栈),是因为他们的一次攻击行动被曝光,主要是利用酒店的无线网络有针对性的瞄准生产制造、国防、投资资本、私人股权投资、汽车等行业的精英管理者。

The tag is: misp-galaxy:360net-threat-actor="Darkhotel - APT-C-06"

Darkhotel - APT-C-06 is also known as:

  • Luder

  • Karba

  • Tapaoux

  • Dubnium

  • SIG25

Table 17. Table References

Links

https://apt.360.net/report/apts/97.html

https://apt.360.net/report/apts/3.html

奇幻熊 - APT-C-20

APT28(APT-C-20),又称Pawn Storm、Sofacy、Sednit、Fancy Bear和Strontium。APT28组织被怀疑幕后和俄罗斯政府有关,该组织相关攻击时间最早可以追溯到2004年。其主要目标包括国防工业、军队、政府组织和媒体。期间使用了大量0day漏洞,相关恶意代码除了针对windows、Linux等PC操作系统,还会针对苹果IOS等移动设备操作系统。早前也曾被怀疑与北大西洋公约组织网络攻击事件有关。APT28组织在2015年第一季度有大量的活动,用于攻击NATO成员国和欧洲、亚洲、中东政府。目前有许多安全厂商怀疑其与俄罗斯政府有关,而早前也曾被怀疑秘密调查MH17事件。从2016年开始该组织最新的目标瞄准了土耳其高级官员。

The tag is: misp-galaxy:360net-threat-actor="奇幻熊 - APT-C-20"

奇幻熊 - APT-C-20 is also known as:

  • APT28

  • Pawn Storm

  • Sofacy Group

  • Sednit

  • Fancy Bear

  • STRONTIUM

Table 18. Table References

Links

https://apt.360.net/report/apts/120.html

https://apt.360.net/report/apts/72.html

沙虫 - APT-C-13

沙虫组织的主要目标领域有:政府、教育、能源机构和电信运营商。进一步主要针对欧美国家政府、北约,以及乌克兰政府展开间谍活动。该组织曾使用0day漏洞(CVE-2014-4114)针对乌克兰政府发起了一次钓鱼攻击。而在威尔士举行的讨论乌克兰危机的北约峰会针对美国也进行了攻击。该组织还使用了BlackEnergy恶意软件。而且沙虫组织不仅仅只进行常规的网络间谍活动,还针对SCADA系统进行了攻击,研究者认为相关活动是为了之后的网络攻击进行侦查跟踪。另外有少量证据表明,针对乌克兰电力系统等工业领域的网络攻击中涉及到了BlackEnergy恶意软件。如果此次攻击的确使用了BlackEnergy恶意软件的话,那有可能幕后会关联到沙虫组织。

The tag is: misp-galaxy:360net-threat-actor="沙虫 - APT-C-13"

沙虫 - APT-C-13 is also known as:

  • SandWorm

Table 19. Table References

Links

https://apt.360.net/report/apts/87.html

https://apt.360.net/report/apts/69.html

肚脑虫 - APT-C-35

APT-C-35(肚脑虫)组织,又称Donot,是一个针对克什米尔地区相关国家的政府机构等领域进行网络间谍活动,以窃取敏感信息为主的攻击组织。该组织于2017年3月由360追日团队首次曝光,随后有数个国内外安全团队持续追踪并披露该组织的最新攻击活动。攻击活动最早始于2016年4月,至今活跃,攻击方式主要采用鱼叉邮件进行攻击。

The tag is: misp-galaxy:360net-threat-actor="肚脑虫 - APT-C-35"

肚脑虫 - APT-C-35 is also known as:

  • Donot

Table 20. Table References

Links

https://apt.360.net/report/apts/102.html

https://apt.360.net/report/apts/32.html

蔓灵花 - APT-C-08

蔓灵花组织利用鱼叉邮件以及系统漏洞等方式,主要攻击政府、电力和工业相关单位,以窃取敏感信息为主。国外样本最早出现在2013年11月,样本编译时间集中出现在2015年7月至2016年9月期间,2016年网络安全公司Forcepoint最早报告了这一组织,随后被多次发现,至今还非常活跃。

The tag is: misp-galaxy:360net-threat-actor="蔓灵花 - APT-C-08"

蔓灵花 - APT-C-08 is also known as:

Table 21. Table References

Links

https://apt.360.net/report/apts/5.html

索伦之眼 - APT-C-16

索伦之眼组织(APT-C-16),又称Sauron、Strider。该组织主要针对中国、俄罗斯等多个国家进行网络间谍活动,其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2010年,至今还非常活跃。该组织整个攻击过程中是高度隐蔽,且针对性极强,对特定目标采用定制的恶意程序或通信设施,不会重复使用相关攻击资源。相关恶意代码复杂度可以与方程式(Equation)媲美,其综合能力不弱于震网(Stuxnet)、火焰(Flame)等APT组织。

The tag is: misp-galaxy:360net-threat-actor="索伦之眼 - APT-C-16"

索伦之眼 - APT-C-16 is also known as:

  • Sauron

  • Strider

Table 22. Table References

Links

https://apt.360.net/report/apts/70.html

潜行者 - APT-C-30

潜行者组织主要搜集东南亚国家政府机构、国防部门、情报机构等机构敏感信息,其中针对我国就进行了超十年左右的网络攻击。主要针对政府、通信等领域重点单位,攻击最早可以关联追溯到2009年,最早的样本编译时间为2008年,攻击活动一直持续至今。

The tag is: misp-galaxy:360net-threat-actor="潜行者 - APT-C-30"

潜行者 - APT-C-30 is also known as:

Table 23. Table References

Links

https://apt.360.net/report/apts/82.html

响尾蛇 - APT-C-24

APT-C-24又名Sidewinder、Rattlesnake等,是具有印度背景的APT组织。该组织通常以巴基斯坦、中国、尼泊尔等在内的南亚及周边地区的国家为目标,主要攻击该国家/地区的政府、军事、外交等领域,最常见的感染媒介之一就是使用带有漏洞的恶意文档。2020年初,该组织还使用与COVID-19相关的诱饵文件对孟加拉国、中国和巴基斯坦发起了网络攻击,通过近年来对该组织的追踪发现,Sidewinder越来越倾向于利用诸如COVID-19之类的趋势话题或各种政治问题作为一种社会工程技术来攻击其目标,因此需要更加地警惕小心。

The tag is: misp-galaxy:360net-threat-actor="响尾蛇 - APT-C-24"

响尾蛇 - APT-C-24 is also known as:

  • SideWinder

Table 24. Table References

Links

https://apt.360.net/report/apts/92.html

ScarCruft - APT-C-28

APT-C-28组织,又名ScarCruft、APT37 (Reaper)、Group123,是一个来自于东北亚地区的境外APT组织,其相关攻击活动最早可追溯到2012年,且至今依然保持活跃状态。APT-C-28组织主要针对韩国等亚洲国家进行网络间谍活动,其中以窃取战略军事、政治、经济利益相关的情报和敏感数据为主。APT-C-28组织最早由卡巴斯基公司于2016年6月曝光,随后各个安全厂商对其进行了持续追踪并不断曝光该组织的最新攻击活动。

The tag is: misp-galaxy:360net-threat-actor="ScarCruft - APT-C-28"

ScarCruft - APT-C-28 is also known as:

  • APT37(Reaper)

  • Group123

Table 25. Table References

Links

https://apt.360.net/report/apts/79.html

Turla - APT-C-29

Turla Group又名Waterbug、Venomous Bear、Group 88等,是具有俄罗斯背景的APT组织,至少从1996年就开始活跃,2015年以后攻击活动更加频繁。Turla组织的攻击目标遍及全球多个国家,攻击对象涉及政府、外交、军事、教育、研究和医疗等多个领域,因开展水坑攻击和鱼叉式网络钓鱼攻击以及利用定制化的恶意软件而闻名。

The tag is: misp-galaxy:360net-threat-actor="Turla - APT-C-29"

Turla - APT-C-29 is also known as:

  • Turla, Waterbug, Venomous Bear, Group 88

Table 26. Table References

Links

https://apt.360.net/report/apts/81.html

https://apt.360.net/report/apts/88.html

Carbanak - APT-C-11

Carbanak(即Anunak)攻击组织,是一个跨国网络犯罪团伙。2013年起,该犯罪团伙总计向全球约30个国家和地区的100家银行、电子支付系统和其他金融机构发动了攻击,目前相关攻击活动还很活跃。

The tag is: misp-galaxy:360net-threat-actor="Carbanak - APT-C-11"

Carbanak - APT-C-11 is also known as:

  • Anunak

Table 27. Table References

Links

https://apt.360.net/report/apts/68.html

飞鲨 - APT-C-17

APT-C-17是360发现的一起APT攻击,我们将此次攻击行动命名为“飞鲨”行动。相关攻击行动最早可以追溯到2013年1月,持续活跃到2014年3月,主要针对中国航空航天领域,目的是窃取目标用户敏感数据信息,近期暂无监控到相关攻击事件。

The tag is: misp-galaxy:360net-threat-actor="飞鲨 - APT-C-17"

飞鲨 - APT-C-17 is also known as:

Table 28. Table References

Links

https://apt.360.net/report/apts/71.html

方程式 - APT-C-40

APT-C-40(方程式)是史上最强APT组织。该团伙已活跃近20年,并且在攻击复杂性和攻击技巧方面超越了历史上所有的网络攻击组织,并被认为是著名的震网(Stuxnet)和火焰(Flame)病毒幕后的操纵者。

The tag is: misp-galaxy:360net-threat-actor="方程式 - APT-C-40"

方程式 - APT-C-40 is also known as:

Table 29. Table References

Links

https://apt.360.net/report/apts/85.html

透明部落 - APT-C-56

Operation_C-Major又名Transparent Tribe、APT36、Mythic Leopard等,是具有巴基斯坦背景的APT组织,攻击活动影响范围较广,但主要攻击目标为印度国家的政府、军方等组织,此外为保障国家利益,巴基斯坦境内的民间团体或政治家也是其主要攻击对象。该组织于2013年被首次发现,近年来一直处于活跃状态。2020年初,利用有关印巴两国边境争端的诱饵文档,向印度政府组织、国防人员发起了鱼叉式网络攻击,也就是‘Honey Trap’行动,以此来窃取国家机密及敏感数据。

The tag is: misp-galaxy:360net-threat-actor="透明部落 - APT-C-56"

透明部落 - APT-C-56 is also known as:

  • APT36

  • ProjectM

  • C-Major

Table 30. Table References

Links

腾云蛇 - APT-C-61

APT-C-61又名腾云蛇,最早活跃可追溯到2020年1月,至今还很活跃,主要攻击目标为巴基斯坦、孟加拉等国家的国家机构、军工、科研、国防等重要领域,攻击时通过鱼叉邮件配合社会工程学手段进行渗透,向目标设备传播恶意程序,暗中控制目标设备,持续窃取设备上的敏感文件。因其使用的C2、载荷下发、窃取的数据存储等均依赖于云服务,且使用的木马为python语言编写而得名。

The tag is: misp-galaxy:360net-threat-actor="腾云蛇 - APT-C-61"

腾云蛇 - APT-C-61 is also known as:

Table 31. Table References

Links

Kimsuky - APT-C-55

Kimsuky 是位于朝鲜的APT组织,又名(Mystery Baby, Baby Coin, Smoke Screen, BabyShark, Cobra Venom)等,最早由Kaspersky在2013年披露,该组织长期针对于韩国的智囊团、政府外交、新闻组织、教育学术组织等进行攻击,在过去几年里,他们将攻击目标扩大到包括美国、俄罗斯和欧洲各国在内的国家。主要目的为窃取情报、间谍活动等。该组织十分活跃,常用的攻击载荷为带有漏洞的hwp文件、恶意宏文件、释放载荷的PE文件等。

The tag is: misp-galaxy:360net-threat-actor="Kimsuky - APT-C-55"

Kimsuky - APT-C-55 is also known as:

Table 32. Table References

Links

卢甘斯克组织 - APT-C-46

2019年初,国外安全厂商披露了一起疑似卢甘斯克背景的APT组织针对乌克兰政府的定向攻击活动,根据相关报告分析该组织的攻击活动至少可以追溯到2014年,曾大量通过网络钓鱼、水坑攻击等方式针对乌克兰政府机构进行攻击,在其过去的攻击活动中曾使用过开源Quasar RAT和VERMIN等恶意软件,捕获目标的音频和视频,窃取密码,获取机密文件等等。

The tag is: misp-galaxy:360net-threat-actor="卢甘斯克组织 - APT-C-46"

卢甘斯克组织 - APT-C-46 is also known as:

  • APT-C-46

Table 33. Table References

Links

https://apt.360.net/report/apts/169.html

旺刺组织 - APT-C-47

近期,360安全大脑检测到多起ClickOnce恶意程序的攻击活动,通过360高级威胁研究院的深入研判分析,发现这是一起来自半岛地区未被披露APT组织的攻击行动,攻击目标涉及与半岛地区有关联的实体机构和个人,根据360安全大脑的数据分析显示,该组织的攻击活动最早可以追溯到2018年。目前还没有任何安全厂商公开披露该组织的攻击活动,也没有安全厂商公开披露利用该技术的真实APT攻击事件。由于此次攻击活动属于360全球首次捕获披露,我们根据该组织擅长攻击技术的谐音,将其命名为“旺刺”组织,并为其分配了新编号APT-C-47。

The tag is: misp-galaxy:360net-threat-actor="旺刺组织 - APT-C-47"

旺刺组织 - APT-C-47 is also known as:

  • APT-C-47

Table 34. Table References

Links

https://apt.360.net/report/apts/168.html

DomesticKitten - APT-C-50

Domestic Kitten(Check Point),别名APT-C-50。最早被国外安全厂商披露,自2016年以来一直在进行广泛而有针对性的攻击,攻击目标包括中东某国内部持不同政见者和反对派力量,以及ISIS的拥护者和主要定居在中东某国西部的库尔德少数民族。值得注意的是,所有攻击目标都是中东某国公民。伊斯兰革命卫队(IRGC)、情报部、内政部等中东某国政府机构可能为该组织提供支持。

The tag is: misp-galaxy:360net-threat-actor="DomesticKitten - APT-C-50"

DomesticKitten - APT-C-50 is also known as:

  • APT-C-50

Table 35. Table References

Links

https://apt.360.net/report/apts/166.html

SandCat - APT-C-32

SandCat由卡巴斯基在2018年首次发现,该组织一直在使用FinFisher/ FinSpy间谍软件和CHAINSHOT攻击框架,并有使用0 Day漏洞的能力,曾经使用过CVE-2018-8589和CVE-2018-8611。主要攻击中东、非洲和东欧等地区的目标。

The tag is: misp-galaxy:360net-threat-actor="SandCat - APT-C-32"

SandCat - APT-C-32 is also known as:

Table 36. Table References

Links

CNC - APT-C-48

该组织于2019年发现,因为样本的pdb路径中有cnc_client字符,所以暂时叫做CNC组织。该组织定向攻击我国教育、航天、军工和医疗等行业,窃取情报。在攻击过程中会尝试使用Nday,并且有能够开发GO语言木马的开发人员。

The tag is: misp-galaxy:360net-threat-actor="CNC - APT-C-48"

CNC - APT-C-48 is also known as:

Table 37. Table References

Links

蓝色魔眼 - APT-C-41

APT-C-41,是一个具有土耳其背景的APT小组,该APT组织最早的攻击活动可以追溯到2012年。该组织主要针对意大利、土耳其、比利时、叙利亚、欧洲等地区和国家进行攻击活动。2020年,360发现了该组织针对我国相关单位的攻击,并将其命名为APT-C-41。

The tag is: misp-galaxy:360net-threat-actor="蓝色魔眼 - APT-C-41"

蓝色魔眼 - APT-C-41 is also known as:

Table 38. Table References

Links

https://apt.360.net/report/apts/158.html

Machete - APT-C-43

El Machete由卡巴斯基首次发现,最早的攻击可以追溯至2014年,主要针对拉丁美洲。360白泽实验室发现了一款Python语言编写的新型后门病毒Pyark,通过对该后门的深入挖掘和溯源分析,我们发现了一系列从2019年起便一直活跃的高级威胁行动,攻击者通过入侵委内瑞拉的多处军事机构,部署后门病毒,不间断的监控和窃取最新的军事机密。

The tag is: misp-galaxy:360net-threat-actor="Machete - APT-C-43"

Machete - APT-C-43 is also known as:

  • Machete

Table 39. Table References

Links

https://apt.360.net/report/apts/159.html

Gamaredon - APT-C-53

Gamaredon又名Primitive Bear、Winterflounder、BlueAlpha,至少从2013年就开始活跃,是由俄罗斯政府赞助的APT组织。Gamaredon组织主要针对乌克兰的政府、国防、外交、新闻媒体等发起网络间谍活动。近年来,该组成员也不断升级其技战术,开发定制化的恶意软件,这也加大了安全人员对其进行捕获与追踪的难度。

The tag is: misp-galaxy:360net-threat-actor="Gamaredon - APT-C-53"

Gamaredon - APT-C-53 is also known as:

Table 40. Table References

Links

北非狐 - APT-C-44

北非狐组织(APT-C-44),是一个来自阿尔及利亚的境外APT组织,该组织已持续活跃了3年。北非狐组织主要针对中东地区进行网络间谍活动,以窃取敏感信息为主。相关攻击活动最早可以追溯到2017年11月,至今仍活跃着。

The tag is: misp-galaxy:360net-threat-actor="北非狐 - APT-C-44"

北非狐 - APT-C-44 is also known as:

Table 41. Table References

Links

https://apt.360.net/report/apts/157.html

WellMess - APT-C-42

WELLMESS组织是一个较新的俄语系境外APT组织,最早发现于2017年并持续至今。该组织主要针对亚洲地区进行间谍攻击,并且曾进行过超两年的供应链攻击,同时拥有漏洞利用能力。该组织的目标主要是政府、IT、科研等单位,以窃取文件为主。

The tag is: misp-galaxy:360net-threat-actor="WellMess - APT-C-42"

WellMess - APT-C-42 is also known as:

Table 42. Table References

Links

https://apt.360.net/report/apts/136.html

Android

Android malware galaxy based on multiple open sources..

Android is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown

CopyCat

CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote – a daemon responsible for launching apps in the Android operating system – that allows the malware to control any activity on the device.

The tag is: misp-galaxy:android="CopyCat"

Table 43. Table References

Links

https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/

Andr/Dropr-FH

Andr/Dropr-FH can silently record audio and video, monitor texts and calls, modify files, and ultimately spawn ransomware.

The tag is: misp-galaxy:android="Andr/Dropr-FH"

Andr/Dropr-FH is also known as:

  • GhostCtrl

Andr/Dropr-FH has relationships with:

  • similar: misp-galaxy:malpedia="GhostCtrl" with estimative-language:likelihood-probability="likely"

Table 44. Table References

Links

https://nakedsecurity.sophos.com/2017/07/21/watch-out-for-the-android-malware-that-snoops-on-your-phone/

https://www.neowin.net/news/the-ghostctrl-android-malware-can-silently-record-your-audio-and-steal-sensitive-data

Judy

The malware, dubbed Judy, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.

The tag is: misp-galaxy:android="Judy"

Table 45. Table References

Links

http://fortune.com/2017/05/28/android-malware-judy/

https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/

RedAlert2

The trojan waits in hiding until the user opens a banking or social media app. When this happens, the trojan shows an HTML-based overlay on top of the original app, alerting the user of an error, and asking to reauthenticate. Red Alert then collects the user’s credentials and sends them to its C&C server.

The tag is: misp-galaxy:android="RedAlert2"

RedAlert2 has relationships with:

  • similar: misp-galaxy:malpedia="RedAlert2" with estimative-language:likelihood-probability="likely"

Table 46. Table References

Links

https://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/

https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html

Tizi

Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.

The tag is: misp-galaxy:android="Tizi"

Table 47. Table References

Links

https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html

DoubleLocker

DoubleLocker can change the device’s PIN, preventing victims from accessing their devices, and also encrypts the data requesting a ransom. It will misuse accessibility services after being installed by impersonating the Adobe Flash player - similar to BankBot.

The tag is: misp-galaxy:android="DoubleLocker"

DoubleLocker has relationships with:

  • similar: misp-galaxy:malpedia="DoubleLocker" with estimative-language:likelihood-probability="likely"

Table 48. Table References

Links

https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/

Svpeng

Svpeng is a Banking trojan which acts as a keylogger. If the Android device is not Russian, Svpeng will ask for permission to use accessibility services. In abusing this service it will gain administrator rights allowing it to draw over other apps, send and receive SMS and take screenshots when keys are pressed.

The tag is: misp-galaxy:android="Svpeng"

Svpeng is also known as:

  • Invisble Man

Svpeng has relationships with:

  • similar: misp-galaxy:tool="Svpeng" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Svpeng" with estimative-language:likelihood-probability="likely"

Table 49. Table References

Links

https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/

https://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/

LokiBot

LokiBot is a banking trojan for Android 4.0 and higher. It can steal the information and send SMS messages. It has the ability to start web browsers, and banking applications, along with showing notifications impersonating other apps. Upon attempt to remove it will encrypt the devices' external storage requiring Bitcoins to decrypt files.

The tag is: misp-galaxy:android="LokiBot"

LokiBot has relationships with:

  • similar: misp-galaxy:malpedia="Loki Password Stealer (PWS)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="LokiBot" with estimative-language:likelihood-probability="likely"

Table 50. Table References

Links

https://clientsidedetection.com/lokibot_the_first_hybrid_android_malware.html[https://clientsidedetection.com/lokibot_the_first_hybrid_android_malware.html]

BankBot

The main goal of this malware is to steal banking credentials from the victim’s device. It usually impersonates flash player updaters, android system tools, or other legitimate applications.

The tag is: misp-galaxy:android="BankBot"

BankBot has relationships with:

  • similar: misp-galaxy:malpedia="Anubis (Android)" with estimative-language:likelihood-probability="likely"

Table 51. Table References

Links

https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot

https://forensics.spreitzenbarth.de/android-malware/

https://blog.avast.com/mobile-banking-trojan-sneaks-into-google-play-targeting-wells-fargo-chase-and-citibank-customers

Viking Horde

In rooted devices, Viking Horde installs software and executes code remotely to get access to the mobile data.

The tag is: misp-galaxy:android="Viking Horde"

Table 52. Table References

Links

http://www.alwayson-network.com/worst-types-android-malware-2016/

HummingBad

A Chinese advertising company has developed this malware. The malware has the power to take control of devices; it forces users to click advertisements and download apps. The malware uses a multistage attack chain.

The tag is: misp-galaxy:android="HummingBad"

HummingBad has relationships with:

  • similar: misp-galaxy:mitre-malware="HummingBad - S0322" with estimative-language:likelihood-probability="likely"

Table 53. Table References

Links

http://www.alwayson-network.com/worst-types-android-malware-2016/

http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

Ackposts

Ackposts is a Trojan horse for Android devices that steals the Contacts information from the compromised device and sends it to a predetermined location.

The tag is: misp-galaxy:android="Ackposts"

Table 54. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-072302-3943-99

Wirex

Wirex is a Trojan horse for Android devices that opens a backdoor on the compromised device which then joins a botnet for conducting click fraud.

The tag is: misp-galaxy:android="Wirex"

Table 55. Table References

Links

https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/

http://www.zdnet.com/article/wirex-ddos-malware-given-udp-flood-capabilities/

WannaLocker

WannaLocker is a strain of ransomware for Android devices that encrypts files on the device’s external storage and demands a payment to decrypt them.

The tag is: misp-galaxy:android="WannaLocker"

Table 56. Table References

Links

https://fossbytes.com/wannalocker-ransomware-wannacry-android/

Switcher

Switcher is a Trojan horse for Android devices that modifies Wi-Fi router DNS settings. Swticher attempts to infiltrate a router’s admin interface on the devices' WIFI network by using brute force techniques. If the attack succeeds, Switcher alters the DNS settings of the router, making it possible to reroute DNS queries to a network controlled by the malicious actors.

The tag is: misp-galaxy:android="Switcher"

Switcher has relationships with:

  • similar: misp-galaxy:malpedia="Switcher" with estimative-language:likelihood-probability="likely"

Table 57. Table References

Links

http://www.zdnet.com/article/this-android-infecting-trojan-malware-uses-your-phone-to-attack-your-router/

https://www.theregister.co.uk/2017/01/03/android_trojan_targets_routers/

https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99

Vibleaker

Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code that after specific orders from its maker would scan the user’s phone for the Viber app, and then steal photos and videos recorded or sent through the app.

The tag is: misp-galaxy:android="Vibleaker"

Table 58. Table References

Links

http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-BankBot-505758.shtml

ExpensiveWall

ExpensiveWall is Android malware that sends fraudulent premium SMS messages and charges users accounts for fake services without their knowledge

The tag is: misp-galaxy:android="ExpensiveWall"

Table 59. Table References

Links

https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

http://fortune.com/2017/09/14/google-play-android-malware/

Cepsohord

Cepsohord is a Trojan horse for Android devices that uses compromised devices to commit click fraud, modify DNS settings, randomly delete essential files, and download additional malware such as ransomware.

The tag is: misp-galaxy:android="Cepsohord"

Table 60. Table References

Links

https://www.cyber.nj.gov/threat-profiles/android-malware-variants/cepsohord

Fakem Rat

Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).

The tag is: misp-galaxy:android="Fakem Rat"

Table 61. Table References

Links

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf

https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99

GM Bot

GM Bot – also known as Acecard, SlemBunk, or Bankosy – scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps log-in pages. Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.

The tag is: misp-galaxy:android="GM Bot"

GM Bot is also known as:

  • Acecard

  • SlemBunk

  • Bankosy

GM Bot has relationships with:

  • similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Bankosy" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"

Table 62. Table References

Links

https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide

Moplus

The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the user’s device, and this connection is established in the background without the user’s knowledge.

The tag is: misp-galaxy:android="Moplus"

Table 63. Table References

Links

http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html

Adwind

Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. According to the author, the backdoor component can run on Windows, Mac OS, Linux and Android platforms providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.

The tag is: misp-galaxy:android="Adwind"

Adwind is also known as:

  • AlienSpy

  • Frutas

  • Unrecom

  • Sockrat

  • Jsocket

  • jRat

  • Backdoor:Java/Adwind

Adwind has relationships with:

  • similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Sockrat" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 64. Table References

Links

https://securelist.com/adwind-faq/73660/

AdSms

Adsms is a Trojan horse that may send SMS messages from Android devices.

The tag is: misp-galaxy:android="AdSms"

Table 65. Table References

Links

https://www.fortiguard.com/encyclopedia/virus/7389670

https://www.symantec.com/security_response/writeup.jsp?docid=2011-051313-4039-99

Airpush

Airpush is a very aggresive Ad - Network

The tag is: misp-galaxy:android="Airpush"

Airpush is also known as:

  • StopSMS

Table 66. Table References

Links

https://crypto.stanford.edu/cs155old/cs155-spring16/lectures/18-mobile-malware.pdf

BeanBot

BeanBot forwards device’s data to a remote server and sends out premium-rate SMS messages from the infected device.

The tag is: misp-galaxy:android="BeanBot"

Table 67. Table References

Links

https://www.f-secure.com/v-descs/trojan_android_beanbot.shtml

Kemoge

Kemoge is adware that disguises itself as popular apps via repackaging, then allows for a complete takeover of the users Android device.

The tag is: misp-galaxy:android="Kemoge"

Kemoge has relationships with:

  • similar: misp-galaxy:mitre-malware="ShiftyBug - S0294" with estimative-language:likelihood-probability="likely"

Table 68. Table References

Links

https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html

https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99

Ghost Push

Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed.

The tag is: misp-galaxy:android="Ghost Push"

Table 69. Table References

Links

https://en.wikipedia.org/wiki/Ghost_Push

https://blog.avast.com/how-to-protect-your-android-device-from-ghost-push

BeNews

The BeNews app is a backdoor app that uses the name of defunct news site BeNews to appear legitimate. After installation it bypasses restrictions and downloads additional threats to the compromised device.

The tag is: misp-galaxy:android="BeNews"

Table 70. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in-hacking-team-dump-designed-to-bypass-google-play/

Accstealer

Accstealer is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Accstealer"

Table 71. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-012711-1159-99

Acnetdoor

Acnetdoor is a detection for Trojan horses on the Android platform that open a back door on the compromised device.

The tag is: misp-galaxy:android="Acnetdoor"

Table 72. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99

Acnetsteal

Acnetsteal is a detection for Trojan horses on the Android platform that steal information from the compromised device.

The tag is: misp-galaxy:android="Acnetsteal"

Table 73. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051612-0505-99

Actech

Actech is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Actech"

Table 74. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080111-3948-99

AdChina

AdChina is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdChina"

Table 75. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-2947-99

Adfonic

Adfonic is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adfonic"

Table 76. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052615-0024-99

AdInfo

AdInfo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdInfo"

Table 77. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2433-99

Adknowledge

Adknowledge is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adknowledge"

Table 78. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-1033-99

AdMarvel

AdMarvel is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdMarvel"

Table 79. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-2450-99

AdMob

AdMob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdMob"

Table 80. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-3437-99

Adrd

Adrd is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Adrd"

Table 81. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-021514-4954-99

Aduru

Aduru is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Aduru"

Table 82. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-2419-99

Adwhirl

Adwhirl is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adwhirl"

Table 83. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1414-99

Adwlauncher

Adwlauncher is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Adwlauncher"

Table 84. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082308-1823-99

Adwo

Adwo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adwo"

Table 85. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-5806-99

Airad

Airad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Airad"

Table 86. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-1704-99

Alienspy

Alienspy is a Trojan horse for Android devices that steals information from the compromised device. It may also download potentially malicious files.

The tag is: misp-galaxy:android="Alienspy"

Table 87. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-042714-5942-99

AmazonAds

AmazonAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AmazonAds"

Table 88. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-5002-99

Answerbot

Answerbot is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Answerbot"

Table 89. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-100711-2129-99

Antammi

Antammi is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Antammi"

Table 90. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-032106-5211-99

Apkmore

Apkmore is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Apkmore"

Table 91. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-4813-99

Aplog

Aplog is a Trojan horse for Android devices that steals information from the device.

The tag is: misp-galaxy:android="Aplog"

Table 92. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-100911-1023-99

Appenda

Appenda is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Appenda"

Table 93. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062812-0516-99

Apperhand

Apperhand is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Apperhand"

Table 94. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5637-99

Appleservice

Appleservice is a Trojan horse for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Appleservice"

Table 95. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031011-4321-99

AppLovin

AppLovin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AppLovin"

Table 96. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-1739-99

Arspam

Arspam is a Trojan horse for Android devices that sends spam SMS messages to contacts on the compromised device.

The tag is: misp-galaxy:android="Arspam"

Table 97. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121915-3251-99

Aurecord

Aurecord is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Aurecord"

Table 98. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-2310-99

Backapp

Backapp is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Backapp"

Table 99. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-092708-5017-99

Backdexer

Backdexer is a Trojan horse for Android devices that may send premium-rate SMS messages from the compromised device.

The tag is: misp-galaxy:android="Backdexer"

Table 100. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121812-2502-99

Backflash

Backflash is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Backflash"

Table 101. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99

Backscript

Backscript is a Trojan horse for Android devices that downloads files onto the compromised device.

The tag is: misp-galaxy:android="Backscript"

Table 102. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090704-3639-99

Badaccents

Badaccents is a Trojan horse for Android devices that may download apps on the compromised device.

The tag is: misp-galaxy:android="Badaccents"

Table 103. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-123015-3618-99

Badpush

Badpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Badpush"

Table 104. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-4133-99

Ballonpop

Ballonpop is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Ballonpop"

Table 105. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-120911-1731-99

Bankosy

Bankosy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Bankosy"

Bankosy has relationships with:

  • similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="GM Bot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"

Table 106. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99

Bankun

Bankun is a Trojan horse for Android devices that replaces certain banking applications on the compromised device.

The tag is: misp-galaxy:android="Bankun"

Table 107. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072318-4143-99

Basebridge

Basebridge is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Basebridge"

Table 108. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060915-4938-99

Basedao

Basedao is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Basedao"

Table 109. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061715-3303-99

Batterydoctor

Batterydoctor is Trojan that makes exaggerated claims about the device’s ability to recharge the battery, as well as steal information.

The tag is: misp-galaxy:android="Batterydoctor"

Table 110. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-101916-0847-99

Beaglespy

Beaglespy is an Android mobile detection for the Beagle spyware program as well as its associated client application.

The tag is: misp-galaxy:android="Beaglespy"

Table 111. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091010-0627-99

Becuro

Becuro is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.

The tag is: misp-galaxy:android="Becuro"

Table 112. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-051410-3348-99

Beita

Beita is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Beita"

Table 113. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99

Bgserv

Bgserv is a Trojan that opens a back door and transmits information from the device to a remote location.

The tag is: misp-galaxy:android="Bgserv"

Table 114. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99

Biigespy

Biigespy is an Android mobile detection for the Biige spyware program as well as its associated client application.

The tag is: misp-galaxy:android="Biigespy"

Table 115. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091012-0526-99

Bmaster

Bmaster is a Trojan horse on the Android platform that opens a back door, downloads files and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Bmaster"

Table 116. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99

Bossefiv

Bossefiv is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Bossefiv"

Table 117. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-061520-4322-99

Boxpush

Boxpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Boxpush"

Table 118. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-4613-99

Burstly

Burstly is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Burstly"

Table 119. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1443-99

Buzzcity

Buzzcity is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Buzzcity"

Table 120. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1454-99

ByPush

ByPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ByPush"

Table 121. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4708-99

Cajino

Cajino is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Cajino"

Table 122. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-040210-3746-99

Casee

Casee is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Casee"

Table 123. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3501-99

Catchtoken

Catchtoken is a Trojan horse for Android devices that intercepts SMS messages and opens a back door on the compromised device.

The tag is: misp-galaxy:android="Catchtoken"

Table 124. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121619-0548-99

Cauly

Cauly is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Cauly"

Table 125. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3454-99

Cellshark

Cellshark is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.

The tag is: misp-galaxy:android="Cellshark"

Table 126. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111611-0914-99

Centero

Centero is a Trojan horse for Android devices that displays advertisements on the compromised device.

The tag is: misp-galaxy:android="Centero"

Table 127. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-053006-2502-99

Chuli

Chuli is a Trojan horse for Android devices that opens a back door and may steal information from the compromised device.

The tag is: misp-galaxy:android="Chuli"

Table 128. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-032617-1604-99

Citmo

Citmo is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Citmo"

Table 129. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-5012-99

Claco

Claco is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Claco"

Table 130. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-020415-5600-99

Clevernet

Clevernet is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Clevernet"

Table 131. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-5257-99

Cnappbox

Cnappbox is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Cnappbox"

Table 132. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-1141-99

Cobblerone

Cobblerone is a spyware application for Android devices that can track the phone’s location and remotely erase the device.

The tag is: misp-galaxy:android="Cobblerone"

Table 133. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111514-3846-99

Coolpaperleak

Coolpaperleak is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Coolpaperleak"

Table 134. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080211-5757-99

Coolreaper

Coolreaper is a Trojan horse for Android devices that opens a back door on the compromised device. It may also steal information and download potentially malicious files.

The tag is: misp-galaxy:android="Coolreaper"

Table 135. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-011220-3211-99

Cosha

Cosha is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Cosha"

Table 136. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081712-5231-99

Counterclank

Counterclank is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Counterclank"

Table 137. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99

Crazymedia

Crazymedia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Crazymedia"

Table 138. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-2547-99

Crisis

Crisis is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Crisis"

Crisis has relationships with:

  • similar: misp-galaxy:malpedia="RCS" with estimative-language:likelihood-probability="likely"

Table 139. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99

Crusewind

Crusewind is a Trojan horse for Android devices that sends SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Crusewind"

Table 140. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99

Dandro

Dandro is a Trojan horse for Android devices that allows a remote attacker to gain control over the device and steal information from it.

The tag is: misp-galaxy:android="Dandro"

Table 141. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-012916-2128-99

Daoyoudao

Daoyoudao is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Daoyoudao"

Table 142. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040214-5018-99

Deathring

Deathring is a Trojan horse for Android devices that may perform malicious activities on the compromised device.

The tag is: misp-galaxy:android="Deathring"

Table 143. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121116-4547-99

Deeveemap

Deeveemap is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.

The tag is: misp-galaxy:android="Deeveemap"

Table 144. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-060907-5221-99

Dendoroid

Dendoroid is a Trojan horse for Android devices that opens a back door, steals information, and may perform other malicious activities on the compromised device.

The tag is: misp-galaxy:android="Dendoroid"

Table 145. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030418-2633-99

Dengaru

Dengaru is a Trojan horse for Android devices that performs click-fraud from the compromised device.

The tag is: misp-galaxy:android="Dengaru"

Table 146. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-051113-4819-99

Diandong

Diandong is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Diandong"

Table 147. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-2453-99

Dianjin

Dianjin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dianjin"

Table 148. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-0313-99

Dogowar

Dogowar is a Trojan horse on the Android platform that sends SMS texts to all contacts on the device. It is a repackaged version of a game application called Dog Wars, which can be downloaded from a third party market and must be manually installed.

The tag is: misp-galaxy:android="Dogowar"

Table 149. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-081510-4323-99

Domob

Domob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Domob"

Table 150. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-4235-99

Dougalek

Dougalek is a Trojan horse for Android devices that steals information from the compromised device. The threat is typically disguised to display a video.

The tag is: misp-galaxy:android="Dougalek"

Table 151. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041601-3400-99

Dowgin

Dowgin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dowgin"

Table 152. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-033108-4723-99

Droidsheep

Droidsheep is a hacktool for Android devices that hijacks social networking accounts on compromised devices.

The tag is: misp-galaxy:android="Droidsheep"

Table 153. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031014-3628-99

Dropdialer

Dropdialer is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Dropdialer"

Table 154. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99

Dupvert

Dupvert is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. It may also perform other malicious activities.

The tag is: misp-galaxy:android="Dupvert"

Table 155. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072313-1959-99

Dynamicit

Dynamicit is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dynamicit"

Table 156. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-1346-99

Ecardgrabber

Ecardgrabber is an application that attempts to read details from NFC enabled credit cards. It attempts to read information from NFC enabled credit cards that are in close proximity.

The tag is: misp-galaxy:android="Ecardgrabber"

Table 157. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062215-0939-99

Ecobatry

Ecobatry is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Ecobatry"

Table 158. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080606-4102-99

Enesoluty

Enesoluty is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Enesoluty"

Table 159. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090607-0807-99

Everbadge

Everbadge is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Everbadge"

Table 160. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-3736-99

Ewalls

Ewalls is a Trojan horse for the Android operating system that steals information from the mobile device.

The tag is: misp-galaxy:android="Ewalls"

Table 161. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-073014-0854-99

Exprespam

Exprespam is a Trojan horse for Android devices that displays a fake message and steals personal information stored on the compromised device.

The tag is: misp-galaxy:android="Exprespam"

Table 162. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-010705-2324-99

Fakealbums

Fakealbums is a Trojan horse for Android devices that monitors and forwards received messages from the compromised device.

The tag is: misp-galaxy:android="Fakealbums"

Table 163. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071819-0636-99

Fakeangry

Fakeangry is a Trojan horse on the Android platform that opens a back door, downloads files, and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Fakeangry"

Table 164. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022823-4233-99

Fakeapp

Fakeapp is a Trojan horse for Android devices that downloads configuration files to display advertisements and collects information from the compromised device.

The tag is: misp-galaxy:android="Fakeapp"

Table 165. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99

Fakebanco

Fakebanco is a Trojan horse for Android devices that redirects users to a phishing page in order to steal their information.

The tag is: misp-galaxy:android="Fakebanco"

Table 166. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-112109-5329-99

Fakebank

Fakebank is a Trojan horse that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakebank"

Table 167. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071813-2448-99

Fakebank.B

Fakebank.B is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakebank.B"

Table 168. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-101114-5645-99

Fakebok

Fakebok is a Trojan horse for Android devices that sends SMS messages to premium phone numbers.

The tag is: misp-galaxy:android="Fakebok"

Table 169. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-021115-5153-99

Fakedaum

Fakedaum is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakedaum"

Table 170. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99

Fakedefender

Fakedefender is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakedefender"

Table 171. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060301-4418-99

Fakedefender.B

Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakedefender.B"

Table 172. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99

Fakedown

Fakedown is a Trojan horse for Android devices that downloads more malicious apps onto the compromised device.

The tag is: misp-galaxy:android="Fakedown"

Table 173. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-041803-5918-99

Fakeflash

Fakeflash is a Trojan horse for Android devices that installs a fake Flash application in order to direct users to a website.

The tag is: misp-galaxy:android="Fakeflash"

Table 174. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070318-2122-99

Fakegame

Fakegame is a Trojan horse for Android devices that displays advertisements and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakegame"

Table 175. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040808-2922-99

Fakeguard

Fakeguard is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakeguard"

Table 176. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-102908-3526-99

Fakejob

Fakejob is a Trojan horse for Android devices that redirects users to scam websites.

The tag is: misp-galaxy:android="Fakejob"

Table 177. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030721-3048-99

Fakekakao

Fakekakao is a Trojan horse for Android devices sends SMS messages to contacts stored on the compromised device.

The tag is: misp-galaxy:android="Fakekakao"

Table 178. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071617-2031-99

Fakelemon

Fakelemon is a Trojan horse for Android devices that blocks certain SMS messages and may subscribe to services without the user’s consent.

The tag is: misp-galaxy:android="Fakelemon"

Table 179. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-120609-3608-99

Fakelicense

Fakelicense is a Trojan horse that displays advertisements on the compromised device.

The tag is: misp-galaxy:android="Fakelicense"

Table 180. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062709-1437-99

Fakelogin

Fakelogin is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakelogin"

Table 181. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-102108-5457-99

FakeLookout

FakeLookout is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.

The tag is: misp-galaxy:android="FakeLookout"

Table 182. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-101919-2128-99

FakeMart

FakeMart is a Trojan horse for Android devices that may send SMS messages to premium rate numbers. It may also block incoming messages and steal information from the compromised device.

The tag is: misp-galaxy:android="FakeMart"

Table 183. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99

Fakemini

Fakemini is a Trojan horse for Android devices that disguises itself as an installation for the Opera Mini browser and sends premium-rate SMS messages to a predetermined number.

The tag is: misp-galaxy:android="Fakemini"

Table 184. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-110410-5958-99

Fakemrat

Fakemrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakemrat"

Table 185. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99

Fakeneflic

Fakeneflic is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Fakeneflic"

Table 186. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99

Fakenotify

Fakenotify is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers, collects and sends information, and periodically displays Web pages. It also downloads legitimate apps onto the compromised device.

The tag is: misp-galaxy:android="Fakenotify"

Table 187. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011302-3052-99

Fakepatch

Fakepatch is a Trojan horse for Android devices that downloads more files on to the device.

The tag is: misp-galaxy:android="Fakepatch"

Table 188. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062811-2820-99

Fakeplay

Fakeplay is a Trojan horse for Android devices that steals information from the compromised device and sends it to a predetermined email address.

The tag is: misp-galaxy:android="Fakeplay"

Table 189. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-100917-3825-99

Fakescarav

Fakescarav is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to pay in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakescarav"

Table 190. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-012809-1901-99

Fakesecsuit

Fakesecsuit is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakesecsuit"

Table 191. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99

Fakesucon

Fakesucon is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Fakesucon"

Table 192. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-120915-2524-99

Faketaobao

Faketaobao is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Faketaobao"

Table 193. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99

Faketaobao.B

Faketaobao.B is a Trojan horse for Android devices that intercepts and and sends incoming SMS messages to a remote attacker.

The tag is: misp-galaxy:android="Faketaobao.B"

Table 194. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-012106-4013-99

Faketoken

Faketoken is a Trojan horse that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Faketoken"

Table 195. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-032211-2048-99

http://bgr.com/2017/08/18/android-malware-faketoken-steal-credit-card-info/

Fakeupdate

Fakeupdate is a Trojan horse for Android devices that downloads other applications onto the compromised device.

The tag is: misp-galaxy:android="Fakeupdate"

Table 196. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-081914-5637-99

Fakevoice

Fakevoice is a Trojan horse for Android devices that dials a premium-rate phone number.

The tag is: misp-galaxy:android="Fakevoice"

Table 197. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040510-3249-99

Farmbaby

Farmbaby is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.

The tag is: misp-galaxy:android="Farmbaby"

Table 198. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090715-3641-99

Fauxtocopy

Fauxtocopy is a spyware application for Android devices that gathers photos from the device and sends them to a predetermined email address.

The tag is: misp-galaxy:android="Fauxtocopy"

Table 199. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111515-3940-99

Feiwo

Feiwo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Feiwo"

Table 200. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-4038-99

FindAndCall

FindAndCall is a Potentially Unwanted Application for Android devices that may leak information.

The tag is: misp-galaxy:android="FindAndCall"

Table 201. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-2906-99

Finfish

Finfish is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Finfish"

Table 202. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-083016-0032-99

Fireleaker

Fireleaker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fireleaker"

Table 203. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-5207-99

Fitikser

Fitikser is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fitikser"

Table 204. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-093015-2830-99

Flexispy

Flexispy is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Flexispy"

Table 205. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99

Fokonge

Fokonge is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Fokonge"

Table 206. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071802-0727-99

FoncySMS

FoncySMS is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. It may also connect to an IRC server and execute any received shell commands.

The tag is: misp-galaxy:android="FoncySMS"

Table 207. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011502-2651-99

Frogonal

Frogonal is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Frogonal"

Table 208. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062205-2312-99

Ftad

Ftad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Ftad"

Table 209. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040114-2020-99

Funtasy

Funtasy is a Trojan horse for Android devices that subscribes the user to premium SMS services.

The tag is: misp-galaxy:android="Funtasy"

Table 210. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-092519-5811-99

GallMe

GallMe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="GallMe"

Table 211. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1336-99

Gamex

Gamex is a Trojan horse for Android devices that downloads further threats.

The tag is: misp-galaxy:android="Gamex"

Table 212. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-051015-1808-99

Gappusin

Gappusin is a Trojan horse for Android devices that downloads applications and disguises them as system updates.

The tag is: misp-galaxy:android="Gappusin"

Table 213. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022007-2013-99

Gazon

Gazon is a worm for Android devices that spreads through SMS messages.

The tag is: misp-galaxy:android="Gazon"

Table 214. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-030320-1436-99

Geinimi

Geinimi is a Trojan that opens a back door and transmits information from the device to a remote location.

The tag is: misp-galaxy:android="Geinimi"

Table 215. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-010111-5403-99

Generisk

Generisk is a generic detection for Android applications that may pose a privacy, security, or stability risk to the user or user’s Android device.

The tag is: misp-galaxy:android="Generisk"

Table 216. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-062622-1559-99

Genheur

Genheur is a generic detection for many individual but varied Trojans for Android devices for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.

The tag is: misp-galaxy:android="Genheur"

Table 217. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-0848-99

Genpush

Genpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Genpush"

Table 218. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-033109-0426-99

GeoFake

GeoFake is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers.

The tag is: misp-galaxy:android="GeoFake"

Table 219. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040217-3232-99

Geplook

Geplook is a Trojan horse for Android devices that downloads additional apps onto the compromised device.

The tag is: misp-galaxy:android="Geplook"

Table 220. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121814-0917-99

Getadpush

Getadpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Getadpush"

Table 221. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-0957-99

Ggtracker

Ggtracker is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. It may also steal information from the device.

The tag is: misp-galaxy:android="Ggtracker"

Table 222. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-062208-5013-99

Ghostpush

Ghostpush is a Trojan horse for Android devices that roots the compromised device. It may then perform malicious activities on the compromised device.

The tag is: misp-galaxy:android="Ghostpush"

Table 223. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-100215-3718-99

Gmaster

Gmaster is a Trojan horse on the Android platform that steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Gmaster"

Table 224. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99

Godwon

Godwon is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Godwon"

Table 225. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99

Golddream

Golddream is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Golddream"

Table 226. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-070608-4139-99

Goldeneagle

Goldeneagle is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Goldeneagle"

Table 227. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-090110-3712-99

Golocker

Golocker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Golocker"

Table 228. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062003-3214-99

Gomal

Gomal is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Gomal"

Table 229. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101312-1047-99

Gonesixty

Gonesixty is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonesixty"

Table 230. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99

Gonfu

Gonfu is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonfu"

Table 231. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060610-3953-99

Gonfu.B

Gonfu.B is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonfu.B"

Table 232. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-030811-5215-99

Gonfu.C

Gonfu.C is a Trojan horse for Android devices that may download additional threats on the compromised device.

The tag is: misp-galaxy:android="Gonfu.C"

Table 233. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031817-3639-99

Gonfu.D

Gonfu.D is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Gonfu.D"

Table 234. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-040414-1158-99

Gooboot

Gooboot is a Trojan horse for Android devices that may send text messages to premium rate numbers.

The tag is: misp-galaxy:android="Gooboot"

Table 235. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031818-3034-99

Goodadpush

Goodadpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Goodadpush"

Table 236. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0913-99

Greystripe

Greystripe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Greystripe"

Table 237. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-2643-99

Gugespy

Gugespy is a spyware program for Android devices that logs the device’s activity and sends it to a predetermined email address.

The tag is: misp-galaxy:android="Gugespy"

Table 238. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071822-2515-99

Gugespy.B

Gugespy.B is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Gugespy.B"

Table 239. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-070511-5038-99

Gupno

Gupno is a Trojan horse for Android devices that poses as a legitimate app and attempts to charge users for features that are normally free. It may also display advertisements on the compromised device.

The tag is: misp-galaxy:android="Gupno"

Table 240. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-072211-5533-99

Habey

Habey is a Trojan horse for Android devices that may attempt to delete files and send SMS messages from the compromised device.

The tag is: misp-galaxy:android="Habey"

Table 241. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-100608-4512-99

Handyclient

Handyclient is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Handyclient"

Table 242. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5027-99

Hehe

Hehe is a Trojan horse for Android devices that blocks incoming calls and SMS messages from specific numbers. The Trojan also steals information from the compromised device.

The tag is: misp-galaxy:android="Hehe"

Table 243. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-012211-0020-99

Hesperbot

Hesperbot is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.

The tag is: misp-galaxy:android="Hesperbot"

Table 244. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121010-1120-99

Hippo

Hippo is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Hippo"

Table 245. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071215-3547-99

Hippo.B

Hippo.B is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Hippo.B"

Table 246. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031915-0151-99

IadPush

IadPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="IadPush"

Table 247. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4104-99

iBanking

iBanking is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.

The tag is: misp-galaxy:android="iBanking"

Table 248. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030713-0559-99

Iconosis

Iconosis is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Iconosis"

Table 249. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062107-3327-99

Iconosys

Iconosys is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Iconosys"

Table 250. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081309-0341-99

Igexin

Igexin is an advertisement library that is bundled with certain Android applications. Igexin has the capability of spying on victims through otherwise benign apps by downloading malicious plugins,

The tag is: misp-galaxy:android="Igexin"

Igexin is also known as:

  • IcicleGum

Igexin has relationships with:

  • similar: misp-galaxy:android="IcicleGum" with estimative-language:likelihood-probability="likely"

Table 251. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032606-5519-99

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://blog.lookout.com/igexin-malicious-sdk

ImAdPush

ImAdPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ImAdPush"

Table 252. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040323-0218-99

InMobi

InMobi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="InMobi"

Table 253. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-1527-99

Jifake

Jifake is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Jifake"

Table 254. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-073021-4247-99

Jollyserv

Jollyserv is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.

The tag is: misp-galaxy:android="Jollyserv"

Table 255. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-090311-4533-99

Jsmshider

Jsmshider is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Jsmshider"

Table 256. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-062114-0857-99

Ju6

Ju6 is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Ju6"

Table 257. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2428-99

Jumptap

Jumptap is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Jumptap"

Table 258. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0859-99

Jzmob

Jzmob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Jzmob"

Table 259. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-1703-99

Kabstamper

Kabstamper is a Trojan horse for Android devices that corrupts images found on the compromised device.

The tag is: misp-galaxy:android="Kabstamper"

Table 260. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-060706-2305-99

Kidlogger

Kidlogger is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Kidlogger"

Table 261. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-122014-1927-99

Kielog

Kielog is a Trojan horse for Android devices that logs keystrokes and sends the stolen information to the remote attacker.

The tag is: misp-galaxy:android="Kielog"

Table 262. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040205-4035-99

Kituri

Kituri is a Trojan horse for Android devices that blocks certain SMS messages from being received by the device. It may also send SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Kituri"

Table 263. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-061111-5350-99

Kranxpay

Kranxpay is a Trojan horse for Android devices that downloads other apps onto the device.

The tag is: misp-galaxy:android="Kranxpay"

Table 264. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071009-0809-99

Krysanec

Krysanec is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Krysanec"

Table 265. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-090113-4128-99

Kuaidian360

Kuaidian360 is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Kuaidian360"

Table 266. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040109-2415-99

Kuguo

Kuguo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Kuguo"

Table 267. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-5215-99

Lastacloud

Lastacloud is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Lastacloud"

Table 268. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121216-4334-99

Laucassspy

Laucassspy is a spyware program for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Laucassspy"

Table 269. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-092409-1822-99

Lifemonspy

Lifemonspy is a spyware application for Android devices that can track the phone’s location, download SMS messages, and erase certain data from the device.

The tag is: misp-galaxy:android="Lifemonspy"

Table 270. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-5540-99

Lightdd

Lightdd is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Lightdd"

Table 271. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-053114-2342-99

Loaderpush

Loaderpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Loaderpush"

Table 272. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0244-99

Locaspy

Locaspy is a Potentially Unwanted Application for Android devices that tracks the location of the compromised device.

The tag is: misp-galaxy:android="Locaspy"

Table 273. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030720-3500-99

Lockdroid.E

Lockdroid.E is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.E"

Table 274. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-103005-2209-99

Lockdroid.F

Lockdroid.F is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.F"

Table 275. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-102215-4346-99

Lockdroid.G

Lockdroid.G is a Trojan horse for Android devices that may display a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.G"

Table 276. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-050610-2450-99

Lockdroid.H

Lockdroid.H is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.H"

Table 277. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-031621-1349-99

Lockscreen

Lockscreen is a Trojan horse for Android devices that locks the compromised device from use.

The tag is: misp-galaxy:android="Lockscreen"

Table 278. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032409-0743-99

LogiaAd

LogiaAd is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="LogiaAd"

Table 279. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0348-99

Loicdos

Loicdos is an Android application that provides an interface to a website in order to perform a denial of service (DoS) attack against a computer.

The tag is: misp-galaxy:android="Loicdos"

Table 280. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022002-2431-99

Loozfon

Loozfon is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Loozfon"

Table 281. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082005-5451-99

Lotoor

Lotoor is a generic detection for hack tools that exploit vulnerabilities in order to gain root privileges on compromised Android devices.

The tag is: misp-galaxy:android="Lotoor"

Table 282. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091922-4449-99

Lovespy

Lovespy is a Trojan horse for Android devices that steals information from the device.

The tag is: misp-galaxy:android="Lovespy"

Table 283. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071814-3805-99

Lovetrap

Lovetrap is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Lovetrap"

Table 284. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99

Luckycat

Luckycat is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.

The tag is: misp-galaxy:android="Luckycat"

Table 285. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080617-5343-99

Machinleak

Machinleak is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Machinleak"

Table 286. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-120311-2440-99

Maistealer

Maistealer is a Trojan that steals information from Android devices.

The tag is: misp-galaxy:android="Maistealer"

Table 287. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99

Malapp

Malapp is a generic detection for many individual but varied threats on Android devices that share similar characteristics.

The tag is: misp-galaxy:android="Malapp"

Table 288. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-073014-3354-99

Malebook

Malebook is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Malebook"

Table 289. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071206-3403-99

Malhome

Malhome is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Malhome"

Table 290. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071118-0441-99

Malminer

Malminer is a Trojan horse for Android devices that mines cryptocurrencies on the compromised device.

The tag is: misp-galaxy:android="Malminer"

Table 291. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032712-3709-99

Mania

Mania is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Mania"

Table 292. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070623-1520-99

Maxit

Maxit is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals certain information and uploads it to a remote location.

The tag is: misp-galaxy:android="Maxit"

Table 293. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-120411-2511-99

MdotM

MdotM is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MdotM"

Table 294. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5824-99

Medialets

Medialets is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Medialets"

Table 295. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5222-99

Meshidden

Meshidden is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Meshidden"

Table 296. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031913-5257-99

Mesploit

Mesploit is a tool for Android devices used to create applications that exploit the Android Fake ID vulnerability.

The tag is: misp-galaxy:android="Mesploit"

Table 297. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-032014-2847-99

Mesprank

Mesprank is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Mesprank"

Table 298. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030717-1933-99

Meswatcherbox

Meswatcherbox is a spyware application for Android devices that forwards SMS messages without the user knowing.

The tag is: misp-galaxy:android="Meswatcherbox"

Table 299. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-2736-99

Miji

Miji is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Miji"

Table 300. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4720-99

Milipnot

Milipnot is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Milipnot"

Table 301. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-070414-0941-99

MillennialMedia

MillennialMedia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MillennialMedia"

Table 302. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4602-99

Mitcad

Mitcad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mitcad"

Table 303. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040212-0528-99

MobClix

MobClix is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobClix"

Table 304. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4011-99

MobFox

MobFox is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobFox"

Table 305. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-3050-99

Mobidisplay

Mobidisplay is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mobidisplay"

Table 306. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-0435-99

Mobigapp

Mobigapp is a Trojan horse for Android devices that downloads applications disguised as system updates.

The tag is: misp-galaxy:android="Mobigapp"

Table 307. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062520-5802-99

MobileBackup

MobileBackup is a spyware application for Android devices that monitors the affected device.

The tag is: misp-galaxy:android="MobileBackup"

Table 308. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-0040-99

Mobilespy

Mobilespy is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Mobilespy"

Table 309. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071512-0653-99

Mobiletx

Mobiletx is a Trojan horse for Android devices that steals information from the compromised device. It may also send SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Mobiletx"

Table 310. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-052807-4439-99

Mobinaspy

Mobinaspy is a spyware application for Android devices that can track the device’s location.

The tag is: misp-galaxy:android="Mobinaspy"

Table 311. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-0511-99

Mobus

Mobus is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mobus"

Table 312. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2006-99

MobWin

MobWin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobWin"

Table 313. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1522-99

Mocore

Mocore is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mocore"

Table 314. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-092112-4603-99

Moghava

Moghava is a Trojan horse for Android devices that modifies images that are stored on the device.

The tag is: misp-galaxy:android="Moghava"

Table 315. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022712-2822-99

Momark

Momark is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Momark"

Table 316. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-5529-99

Monitorello

Monitorello is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Monitorello"

Table 317. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-4737-99

Moolah

Moolah is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Moolah"

Table 318. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1007-99

MoPub

MoPub is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MoPub"

Table 319. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-2456-99

Morepaks

Morepaks is a Trojan horse for Android devices that downloads remote files and may display advertisements on the compromised device.

The tag is: misp-galaxy:android="Morepaks"

Table 320. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071204-1130-99

Nandrobox

Nandrobox is a Trojan horse for Android devices that steals information from the compromised device. It also deletes certain SMS messages from the device.

The tag is: misp-galaxy:android="Nandrobox"

Table 321. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-070212-2132-99

Netisend

Netisend is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Netisend"

Table 322. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-080207-1139-99

Nickispy

Nickispy is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Nickispy"

Table 323. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-072714-3613-99

Notcompatible

Notcompatible is a Trojan horse for Android devices that acts as a proxy.

The tag is: misp-galaxy:android="Notcompatible"

Table 324. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-050307-2712-99

Nuhaz

Nuhaz is a Trojan horse for Android devices that may intercept text messages on the compromised device.

The tag is: misp-galaxy:android="Nuhaz"

Table 325. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-3416-99

Nyearleaker

Nyearleaker is a Trojan horse program for Android devices that steals information.

The tag is: misp-galaxy:android="Nyearleaker"

Table 326. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-010514-0844-99

Obad

Obad is a Trojan horse for Android devices that opens a back door, steals information, and downloads files. It also sends SMS messages to premium-rate numbers and spreads malware to Bluetooth-enabled devices.

The tag is: misp-galaxy:android="Obad"

Table 327. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99

Oneclickfraud

Oneclickfraud is a Trojan horse for Android devices that attempts to coerce a user into paying for a pornographic service.

The tag is: misp-galaxy:android="Oneclickfraud"

Table 328. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011205-4412-99

Opfake

Opfake is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers.

The tag is: misp-galaxy:android="Opfake"

Table 329. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99

Opfake.B

Opfake.B is a Trojan horse for the Android platform that may receive commands from a remote attacker to perform various functions.

The tag is: misp-galaxy:android="Opfake.B"

Table 330. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-022406-1309-99

Ozotshielder

Ozotshielder is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Ozotshielder"

Table 331. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-091505-3230-99

Pafloat

Pafloat is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Pafloat"

Table 332. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-2015-99

PandaAds

PandaAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="PandaAds"

Table 333. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1959-99

Pandbot

Pandbot is a Trojan horse for Android devices that may download more files onto the device.

The tag is: misp-galaxy:android="Pandbot"

Table 334. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-071215-1454-99

Pdaspy

Pdaspy is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.

The tag is: misp-galaxy:android="Pdaspy"

Table 335. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-0749-99

Penetho

Penetho is a hacktool for Android devices that can be used to crack the WiFi password of the router that the device is using.

The tag is: misp-galaxy:android="Penetho"

Table 336. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-100110-3614-99

Perkel

Perkel is a Trojan horse for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Perkel"

Table 337. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-082811-4213-99

Phimdropper

Phimdropper is a Trojan horse for Android devices that sends and intercepts incoming SMS messages.

The tag is: misp-galaxy:android="Phimdropper"

Table 338. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-021002-2943-99

Phospy

Phospy is a Trojan horse for Android devices that steals confidential information from the compromised device.

The tag is: misp-galaxy:android="Phospy"

Table 339. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99

Piddialer

Piddialer is a Trojan horse for Android devices that dials premium-rate numbers from the compromised device.

The tag is: misp-galaxy:android="Piddialer"

Table 340. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-2247-99

Pikspam

Pikspam is a Trojan horse for Android devices that sends spam SMS messages from the compromised device.

The tag is: misp-galaxy:android="Pikspam"

Table 341. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-121815-0336-99

Pincer

Pincer is a Trojan horse for Android devices that steals confidential information and opens a back door on the compromised device.

The tag is: misp-galaxy:android="Pincer"

Table 342. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-052307-3530-99

Pirator

Pirator is a Trojan horse on the Android platform that downloads files and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Pirator"

Table 343. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-021609-5740-99

Pjapps

Pjapps is a Trojan horse that has been embedded on third party applications and opens a back door on the compromised device. It retrieves commands from a remote command and control server.

The tag is: misp-galaxy:android="Pjapps"

Table 344. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-022303-3344-99

Pjapps.B

Pjapps.B is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Pjapps.B"

Table 345. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032014-1624-99

Pletora

Pletora is a is a Trojan horse for Android devices that may lock the compromised device. It then asks the user to pay in order to unlock the device.

The tag is: misp-galaxy:android="Pletora"

Table 346. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061217-4345-99

Poisoncake

Poisoncake is a Trojan horse for Android devices that opens a back door on the compromised device. It may also download potentially malicious files and steal information.

The tag is: misp-galaxy:android="Poisoncake"

Table 347. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-010610-0726-99

Pontiflex

Pontiflex is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Pontiflex"

Table 348. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-0946-99

Positmob

Positmob is a Trojan horse program for Android devices that sends SMS messages to premium rate phone numbers.

The tag is: misp-galaxy:android="Positmob"

Table 349. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-111409-1556-99

Premiumtext

Premiumtext is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. These Trojans will often be repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace.

The tag is: misp-galaxy:android="Premiumtext"

Table 350. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-080213-5308-99

Pris

Pris is a Trojan horse for Android devices that silently downloads a malicious application and attempts to open a back door on the compromised device.

The tag is: misp-galaxy:android="Pris"

Table 351. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-061820-5638-99

Qdplugin

Qdplugin is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Qdplugin"

Table 352. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-102510-3330-99

Qicsomos

Qicsomos is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Qicsomos"

Table 353. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-011007-2223-99

Qitmo

Qitmo is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Qitmo"

Table 354. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030716-4923-99

Rabbhome

Rabbhome is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Rabbhome"

Table 355. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-3750-99

Repane

Repane is a Trojan horse for Android devices that steals information and sends SMS messages from the compromised device.

The tag is: misp-galaxy:android="Repane"

Table 356. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99

Reputation.1

Reputation.1 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.1"

Table 357. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022612-2619-99

Reputation.2

Reputation.2 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.2"

Table 358. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-2629-99

Reputation.3

Reputation.3 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.3"

Table 359. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-3126-99

RevMob

RevMob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="RevMob"

Table 360. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040308-0502-99

Roidsec

Roidsec is a Trojan horse for Android devices that steals confidential information.

The tag is: misp-galaxy:android="Roidsec"

Table 361. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99

Rootcager

Rootcager is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Rootcager"

Table 362. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-030212-1438-99

Rootnik

Rootnik is a Trojan horse for Android devices that steals information and downloads additional apps.

The tag is: misp-galaxy:android="Rootnik"

Rootnik has relationships with:

  • similar: misp-galaxy:malpedia="Rootnik" with estimative-language:likelihood-probability="likely"

Table 363. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99

Rufraud

Rufraud is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Rufraud"

Table 364. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121306-2304-99

Rusms

Rusms is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.

The tag is: misp-galaxy:android="Rusms"

Table 365. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061711-5009-99

Samsapo

Samsapo is a worm for Android devices that spreads by sending SMS messages to all contacts stored on the compromised device. It also opens a back door and downloads files.

The tag is: misp-galaxy:android="Samsapo"

Table 366. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-050111-1908-99

Sandorat

Sandorat is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals information.

The tag is: misp-galaxy:android="Sandorat"

Table 367. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-110720-2146-99

Sberick

Sberick is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sberick"

Table 368. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-071014-2146-99

Scartibro

Scartibro is a Trojan horse for Android devices that locks the compromised device and asks the user to pay in order to unlock it.

The tag is: misp-galaxy:android="Scartibro"

Table 369. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-080718-2038-99

Scipiex

Scipiex is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Scipiex"

Table 370. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-100814-4702-99

Selfmite

Selfmite is a worm for Android devices that spreads through SMS messages.

The tag is: misp-galaxy:android="Selfmite"

Table 371. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-070111-5857-99

Selfmite.B

Selfmite.B is a worm for Android devices that displays ads on the compromised device. It spreads through SMS messages.

The tag is: misp-galaxy:android="Selfmite.B"

Table 372. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101013-4717-99

SellARing

SellARing is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="SellARing"

Table 373. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-3157-99

SendDroid

SendDroid is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="SendDroid"

Table 374. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-2111-99

Simhosy

Simhosy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Simhosy"

Table 375. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-061013-3955-99

Simplocker

Simplocker is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.

The tag is: misp-galaxy:android="Simplocker"

Table 376. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99

Simplocker.B

Simplocker.B is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.

The tag is: misp-galaxy:android="Simplocker.B"

Table 377. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-072317-1950-99

Skullkey

Skullkey is a Trojan horse for Android devices that gives the attacker remote control of the compromised device to perform malicious activity.

The tag is: misp-galaxy:android="Skullkey"

Table 378. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99

Smaato

Smaato is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Smaato"

Table 379. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052622-1755-99

Smbcheck

Smbcheck is a hacktool for Android devices that can trigger a Server Message Block version 2 (SMBv2) vulnerability and may cause the target computer to crash.

The tag is: misp-galaxy:android="Smbcheck"

Table 380. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-5634-99

Smsblocker

Smsblocker is a generic detection for threats on Android devices that block the transmission of SMS messages.

The tag is: misp-galaxy:android="Smsblocker"

Table 381. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081607-4001-99

Smsbomber

Smsbomber is a program that can be used to send messages to contacts on the device.

The tag is: misp-galaxy:android="Smsbomber"

Table 382. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-112611-5837-99

Smslink is a Trojan horse for Android devices that may send malicious SMS messages from the compromised device. It may also display advertisements.

The tag is: misp-galaxy:android="Smslink"

Table 383. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-112600-3035-99

Smspacem

Smspacem is a Trojan horse that may send SMS messages from Android devices.

The tag is: misp-galaxy:android="Smspacem"

Table 384. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-052310-1322-99

SMSReplicator

SMSReplicator is a spying utility that will secretly transmit incoming SMS messages to another phone of the installer’s choice.

The tag is: misp-galaxy:android="SMSReplicator"

Table 385. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-110214-1252-99

Smssniffer

Smssniffer is a Trojan horse that intercepts SMS messages on Android devices.

The tag is: misp-galaxy:android="Smssniffer"

Table 386. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071108-3626-99

Smsstealer

Smsstealer is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Smsstealer"

Table 387. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-121514-0214-99

Smstibook

Smstibook is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Smstibook"

Table 388. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-051207-4833-99

Smszombie

Smszombie is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Smszombie"

Table 389. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-082011-0922-99

Snadapps

Snadapps is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Snadapps"

Table 390. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-071807-3111-99

Sockbot

Sockbot is a Trojan horse for Android devices that creates a SOCKS proxy on the compromised device.

The tag is: misp-galaxy:android="Sockbot"

Table 391. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-101314-1353-99

Sockrat

Sockrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Sockrat"

Sockrat has relationships with:

  • similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 392. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99

Sofacy

Sofacy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sofacy"

Sofacy has relationships with:

  • similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"

Table 393. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99

Sosceo

Sosceo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Sosceo"

Table 394. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040408-0609-99

Spitmo

Spitmo is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Spitmo"

Table 395. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-091407-1435-99

Spitmo.B

Spitmo.B is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Spitmo.B"

Table 396. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-0445-99

Spyagent

Spyagent is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.

The tag is: misp-galaxy:android="Spyagent"

Table 397. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-090710-1836-99

Spybubble

Spybubble is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Spybubble"

Table 398. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-121917-0335-99

Spydafon

Spydafon is a Potentially Unwanted Application for Android devices that monitors the affected device.

The tag is: misp-galaxy:android="Spydafon"

Table 399. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-030722-4740-99

Spymple

Spymple is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Spymple"

Table 400. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-5403-99

Spyoo

Spyoo is a spyware program for Android devices that records and sends certain information to a remote location.

The tag is: misp-galaxy:android="Spyoo"

Table 401. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-081709-0457-99

Spytekcell

Spytekcell is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Spytekcell"

Table 402. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-121021-0730-99

Spytrack

Spytrack is a spyware program for Android devices that periodically sends certain information to a remote location.

The tag is: misp-galaxy:android="Spytrack"

Table 403. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080109-5710-99

Spywaller

Spywaller is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Spywaller"

Table 404. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2015-121807-0203-99

Stealthgenie

Stealthgenie is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Stealthgenie"

Table 405. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99

Steek

Steek is a potentially unwanted application that is placed on a download website for Android applications and disguised as popular applications.

The tag is: misp-galaxy:android="Steek"

Table 406. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-010911-3142-99

Stels

Stels is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Stels"

Table 407. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-032910-0254-99

Stiniter

Stiniter is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Stiniter"

Table 408. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-030903-5228-99

Sumzand

Sumzand is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Sumzand"

Table 409. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080308-2851-99

Sysecsms

Sysecsms is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sysecsms"

Table 410. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-122714-5228-99

Tanci

Tanci is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tanci"

Table 411. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4108-99

Tapjoy

Tapjoy is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tapjoy"

Table 412. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-4702-99

Tapsnake

Tapsnake is a Trojan horse for Android phones that is embedded into a game. It tracks the phone’s location and posts it to a remote web service.

The tag is: misp-galaxy:android="Tapsnake"

Table 413. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2010-081214-2657-99

Tascudap

Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks.

The tag is: misp-galaxy:android="Tascudap"

Table 414. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-121312-4547-99

Teelog

Teelog is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Teelog"

Table 415. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040215-2736-99

Temai

Temai is a Trojan horse for Android applications that opens a back door and downloads malicious files onto the compromised device.

The tag is: misp-galaxy:android="Temai"

Table 416. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99

Tetus

Tetus is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Tetus"

Table 417. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-012409-4705-99

Tgpush

Tgpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tgpush"

Table 418. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032816-0259-99

Tigerbot

Tigerbot is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Tigerbot"

Table 419. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041010-2221-99

Tonclank

Tonclank is a Trojan horse that steals information and may open a back door on Android devices.

The tag is: misp-galaxy:android="Tonclank"

Table 420. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99

Trogle

Trogle is a worm for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Trogle"

Table 421. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-081213-5553-99

Twikabot

Twikabot is a Trojan horse for Android devices that attempts to steal information.

The tag is: misp-galaxy:android="Twikabot"

Table 422. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-062614-5813-99

Uapush

Uapush is a Trojan horse for Android devices that steals information from the compromised device. It may also display advertisements and send SMS messages from the compromised device.

The tag is: misp-galaxy:android="Uapush"

Table 423. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-040114-2910-99

Umeng

Umeng is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Umeng"

Table 424. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5749-99

Updtbot

Updtbot is a Trojan horse for Android devices that may arrive through SMS messages. It may then open a back door on the compromised device.

The tag is: misp-galaxy:android="Updtbot"

Table 425. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-041611-4136-99

Upush

Upush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Upush"

Table 426. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-0733-99

Uracto

Uracto is a Trojan horse for Android devices that steals personal information and sends spam SMS messages to contacts found on the compromised device.

The tag is: misp-galaxy:android="Uracto"

Table 427. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-031805-2722-99

Uranico

Uranico is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Uranico"

Table 428. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-052803-3835-99

Usbcleaver

Usbcleaver is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Usbcleaver"

Table 429. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99

Utchi

Utchi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Utchi"

Table 430. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-2536-99

Uten

Uten is a Trojan horse for Android devices that may send, block, and delete SMS messages on a compromised device. It may also download and install additional applications and attempt to gain root privileges.

The tag is: misp-galaxy:android="Uten"

Table 431. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-092316-4752-99

Uupay

Uupay is a Trojan horse for Android devices that steals information from the compromised device. It may also download additional malware.

The tag is: misp-galaxy:android="Uupay"

Table 432. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061714-1550-99

Uxipp

Uxipp is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Uxipp"

Table 433. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99

Vdloader

Vdloader is a Trojan horse for Android devices that opens a back door on the compromised device and steals confidential information.

The tag is: misp-galaxy:android="Vdloader"

Table 434. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080209-1420-99

VDopia

VDopia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="VDopia"

Table 435. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-1559-99

Virusshield

Virusshield is a Trojan horse for Android devices that claims to scan apps and protect personal information, but has no real functionality.

The tag is: misp-galaxy:android="Virusshield"

Table 436. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040810-5457-99

VServ

VServ is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="VServ"

Table 437. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-3117-99

Walkinwat

Walkinwat is a Trojan horse that steals information from the compromised device.

The tag is: misp-galaxy:android="Walkinwat"

Table 438. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-033008-4831-99

Waps

Waps is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Waps"

Table 439. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040406-5437-99

Waren

Waren is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Waren"

Table 440. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5501-99

Windseeker

Windseeker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Windseeker"

Table 441. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-101519-0720-99

Wiyun

Wiyun is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wiyun"

Table 442. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-5646-99

Wooboo

Wooboo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wooboo"

Table 443. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-5829-99

Wqmobile

Wqmobile is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wqmobile"

Table 444. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4926-99

YahooAds

YahooAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="YahooAds"

Table 445. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-3229-99

Yatoot

Yatoot is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Yatoot"

Table 446. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-031408-4748-99

Yinhan

Yinhan is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Yinhan"

Table 447. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-3350-99

Youmi

Youmi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Youmi"

Table 448. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4318-99

YuMe

YuMe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="YuMe"

Table 449. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-0322-99

Zeahache

Zeahache is a Trojan horse that elevates privileges on the compromised device.

The tag is: misp-galaxy:android="Zeahache"

Table 450. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2011-032309-5042-99

ZertSecurity

ZertSecurity is a Trojan horse for Android devices that steals information and sends it to a remote attacker.

The tag is: misp-galaxy:android="ZertSecurity"

Table 451. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2013-050820-4100-99

ZestAdz

ZestAdz is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ZestAdz"

Table 452. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2014-052616-3821-99

Zeusmitmo

Zeusmitmo is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Zeusmitmo"

Table 453. Table References

Links

https://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99

SLocker

The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom.

The tag is: misp-galaxy:android="SLocker"

SLocker is also known as:

  • SMSLocker

Table 454. Table References

Links

http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/

http://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/

Loapi

A malware strain known as Loapi will damage phones if users don’t remove it from their devices. Left to its own means, this modular threat will download a Monero cryptocurrency miner that will overheat and overwork the phone’s components, which will make the battery bulge, deform the phone’s cover, or even worse. Discovered by Kaspersky Labs, researchers say Loapi appears to have evolved from Podec, a malware strain spotted in 2015.

The tag is: misp-galaxy:android="Loapi"

Table 455. Table References

Links

https://www.bleepingcomputer.com/news/security/android-malware-will-destroy-your-phone-no-ifs-and-buts-about-it/

Podec

Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015. The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.

The tag is: misp-galaxy:android="Podec"

Table 456. Table References

Links

https://securelist.com/sms-trojan-bypasses-captcha/69169//

Chamois

Chamois is one of the largest PHA families in Android to date and is distributed through multiple channels. While much of the backdoor version of this family was cleaned up in 2016, a new variant emerged in 2017. To avoid detection, this version employs a number of techniques, such as implementing custom code obfuscation, preventing user notifications, and not appearing in the device’s app list. Chamois apps, which in many cases come preloaded with the system image, try to trick users into clicking ads by displaying deceptive graphics to commit WAP or SMS fraud.

The tag is: misp-galaxy:android="Chamois"

Table 457. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html

IcicleGum

IcicleGum is a spyware PHA family whose apps rely on versions of the Igexin ads SDK that offer dynamic code-loading support. IcicleGum apps use this library’s code-loading features to fetch encrypted DEX files over HTTP from command-and-control servers. The files are then decrypted and loaded via class reflection to read and send phone call logs and other data to remote locations.

The tag is: misp-galaxy:android="IcicleGum"

IcicleGum has relationships with:

  • similar: misp-galaxy:android="Igexin" with estimative-language:likelihood-probability="likely"

Table 458. Table References

Links

https://blog.lookout.com/igexin-malicious-sdk

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

BreadSMS

BreadSMS is a large SMS-fraud PHA family that we started tracking at the beginning of 2017. These apps compose and send text messages to premium numbers without the user’s consent. In some cases, BreadSMS apps also implement subscription-based SMS fraud and silently enroll users in services provided by their mobile carriers. These apps are linked to a group of command-and-control servers whose IP addresses change frequently and that are used to provide the apps with premium SMS numbers and message text.

The tag is: misp-galaxy:android="BreadSMS"

Table 459. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

JamSkunk

JamSkunk is a toll-fraud PHA family composed of apps that subscribe users to services without their consent. These apps disable Wi-Fi to force traffic to go through users' mobile data connection and then contact command-and-control servers to dynamically fetch code that tries to bypass the network’s WAP service subscription verification steps. This type of PHA monetizes their abuse via WAP billing, a payment method that works through mobile data connections and allows users to easily sign up and pay for new services using their existing account (i.e., services are billed directly by the carrier, and not the service provider; the user does not need a new account or a different form of payment). Once authentication is bypassed, JamSkunk apps enroll the device in services that the user may not notice until they receive and read their next bill.

The tag is: misp-galaxy:android="JamSkunk"

Table 460. Table References

Links

https://blog.fosec.vn/malicious-applications-stayed-at-google-appstore-for-months-d8834ff4de59

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

Expensive Wall

Expensive Wall is a family of SMS-fraud apps that affected a large number of devices in 2017. Expensive Wall apps use code obfuscation to slow down analysis and evade detection, and rely on the JS2Java bridge to allow JavaScript code loaded inside a Webview to call Java methods the way Java apps directly do. Upon launch, Expensive Wall apps connect to command-and-control servers to fetch a domain name. This domain is then contacted via a Webview instance that loads a webpage and executes JavaScript code that calls Java methods to compose and send premium SMS messages or click ads without users' knowledge.

The tag is: misp-galaxy:android="Expensive Wall"

Table 461. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

BambaPurple

BambaPurple is a two-stage toll-fraud PHA family that tries to trick users into installing it by disguising itself as a popular app. After install, the app disables Wi-Fi to force the device to use its 3G connection, then redirects to subscription pages without the user’s knowledge, clicks subscription buttons using downloaded JavaScript, and intercepts incoming subscription SMS messages to prevent the user from unsubscribing. In a second stage, BambaPurple installs a backdoor app that requests device admin privileges and drops a .dex file. This executable checks to make sure it is not being debugged, downloads even more apps without user consent, and displays ads.

The tag is: misp-galaxy:android="BambaPurple"

Table 462. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

KoreFrog

KoreFrog is a family of trojan apps that request permission to install packages and push other apps onto the device as system apps without the user’s authorization. System apps can be disabled by the user, but cannot be easily uninstalled. KoreFrog apps operate as daemons running in the background that try to impersonate Google and other system apps by using misleading names and icons to avoid detection. The KoreFrog PHA family has also been observed to serve ads, in addition to apps.

The tag is: misp-galaxy:android="KoreFrog"

Table 463. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

Gaiaphish

Gaiaphish is a large family of trojan apps that target authentication tokens stored on the device to abuse the user’s privileges for various purposes. These apps use base64-encoded URL strings to avoid detection of the command-and-control servers they rely on to download APK files. These files contain phishing apps that try to steal GAIA authentication tokens that grant the user permissions to access Google services, such as Google Play, Google+, and YouTube. With these tokens, Gaiaphish apps are able to generate spam and automatically post content (for instance, fake app ratings and comments on Google Play app pages)

The tag is: misp-galaxy:android="Gaiaphish"

Table 464. Table References

Links

https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

RedDrop

RedDrop can perform a vast array of malicious actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive.

The tag is: misp-galaxy:android="RedDrop"

Table 465. Table References

Links

https://www.bleepingcomputer.com/news/security/new-reddrop-android-spyware-records-nearby-audio/

HenBox

HenBox apps masquerade as others such as VPN apps, and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores. HenBox apps appear to primarily target the Uyghurs – a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. HexBox apps target devices made by Chinese consumer electronics manufacture, Xiaomi and those running MIUI, Xiaomi’s operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps, however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds in stealing information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.

The tag is: misp-galaxy:android="HenBox"

Table 466. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/

MysteryBot

Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.

The tag is: misp-galaxy:android="MysteryBot"

MysteryBot has relationships with:

  • similar: misp-galaxy:malpedia="MysteryBot" with estimative-language:likelihood-probability="likely"

Table 467. Table References

Links

https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/

Skygofree

At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals. We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy. Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild. We named the malware Skygofree, because we found the word in one of the domains.

The tag is: misp-galaxy:android="Skygofree"

Skygofree has relationships with:

  • similar: misp-galaxy:malpedia="Skygofree" with estimative-language:likelihood-probability="likely"

Table 468. Table References

Links

https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

BusyGasper

A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.

The tag is: misp-galaxy:android="BusyGasper"

Table 469. Table References

Links

https://www.bleepingcomputer.com/news/security/unsophisticated-android-spyware-monitors-device-sensors/

Triout

Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.

The tag is: misp-galaxy:android="Triout"

Table 470. Table References

Links

https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/

AndroidOS_HidenAd

active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store

The tag is: misp-galaxy:android="AndroidOS_HidenAd"

AndroidOS_HidenAd is also known as:

  • AndroidOS_HiddenAd

Table 471. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/adware-disguised-as-game-tv-remote-control-apps-infect-9-million-google-play-users/

Razdel

The Banking Trojan found in Google Play is identified as Razdel, a variant of BankBot mobile banking Trojan. This newly observed variant has taken mobile threats to the next level incorporating: Remote access Trojan functions, SMS interception, UI (User Interface) Overlay with masqueraded pages etc.

The tag is: misp-galaxy:android="Razdel"

Table 472. Table References

Links

http://www.virusremovalguidelines.com/tag/what-is-bankbot

https://mobile.twitter.com/pr3wtd/status/1097477833625088000

Vulture

Vulture is an Android banking trojan found in Google Play by ThreatFabric. It uses screen recording and keylogging as main strategy to harvest login credentials.

The tag is: misp-galaxy:android="Vulture"

Table 473. Table References

Links

https://www.threatfabric.com/blogs/vultur-v-for-vnc.html

https://twitter.com/icebre4ker/status/1485651238175846400[https://twitter.com/icebre4ker/status/1485651238175846400]

Anubis

Starting in June 2018, a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t) was discovered. The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices. Anubis Masquerades as Google Protect.

The tag is: misp-galaxy:android="Anubis"

Table 474. Table References

Links

https://securityintelligence.com/anubis-strikes-again-mobile-malware-continues-to-plague-users-in-official-app-stores/

GodFather

The Android banking Trojan Godfather is currently being utilized by cybercriminals to attack users of popular financial services across the globe. Godfather is designed to allow threat actors to harvest login credentials for banking applications and other financial services, and drain the accounts. To date, its victims include users of over 400 international targets, including banking applications, cryptocurrency wallets, and crypto exchanges. Few people realize that hiding under Godfather’s hood is an old banking Trojan called Anubis, whose functionality has become outdated due to Android updates and the efforts of malware detection and prevention providers. Group-IB first detected Godfather, a mobile banking Trojan that steals the banking and cryptocurrency exchange credentials of users, in June 2021. Almost a year later, in March 2022, researchers at Threat Fabric were the first to mention the banking Trojan publicly. A few months later, in June, the Trojan stopped being circulated. One of the reasons, Group-IB analysts believe, why Godfather was taken out of use was for developers to update the Trojan further. Sure enough, Godfather reappeared in September 2022, now with slightly modified WebSocket functionality.

The tag is: misp-galaxy:android="GodFather"

GodFather has relationships with:

  • successor-of: misp-galaxy:android="Anubis" with estimative-language:likelihood-probability="likely"

Table 475. Table References

Links

https://blog.group-ib.com/godfather-trojan

Azure Threat Research Matrix

The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse..

Azure Threat Research Matrix is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Microsoft - Karl Fosaaen - Nestori Syynimaa - Ryan Cobb - Roberto Rodriguez - Manuel Berrueta - Jonny Johnson - Dor Edry - Ram Pliskin - Nikhil Mittal - MITRE ATT&CK

AZT101 - Port Mapping

It is possible to view the open ports on a virtual machine by viewing the Virtual Network Interface’s assigned Network Security Group

The tag is: misp-galaxy:atrm="AZT101 - Port Mapping"

Table 476. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT101/AZT101

AZT102 - IP Discovery

It is possible to view the IP address on a resource by viewing the Virtual Network Interface

The tag is: misp-galaxy:atrm="AZT102 - IP Discovery"

Table 477. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT102/AZT102

AZT103 - Public Accessible Resource

A resource within Azure is accessible from the public internet.

The tag is: misp-galaxy:atrm="AZT103 - Public Accessible Resource"

Table 478. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT103/AZT103

AZT104 - Gather User Information

An adversary may obtain information about a User within Azure Active Directory. Details may include email addresses, first/last names, job information, addresses, and assigned roles. By default, all users are able to read other user’s roles and group memberships within AAD.

The tag is: misp-galaxy:atrm="AZT104 - Gather User Information"

Table 479. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT104/AZT104

AZT105 - Gather Application Information

An adversary may obtain information about an application within Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT105 - Gather Application Information"

Table 480. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT105/AZT105

AZT106 - Gather Role Information

An adversary may obtain information about a role within Azure Active Directory or within Azure Resource Manager.

The tag is: misp-galaxy:atrm="AZT106 - Gather Role Information"

Table 481. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106

AZT106.1 - Gather AAD Role Information

An adversary may gather role assignments within Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT106.1 - Gather AAD Role Information"

Table 482. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-1

AZT106.2 - Gather Application Role Information

An adversary may gather information about an application role & it’s member assignments within Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT106.2 - Gather Application Role Information"

Table 483. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-2

AZT106.3 - Gather Azure Resources Role Assignments

An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.

The tag is: misp-galaxy:atrm="AZT106.3 - Gather Azure Resources Role Assignments"

Table 484. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT106/AZT106-3

AZT107 - Gather Resource Data

An adversary may obtain information and data within a resource.

The tag is: misp-galaxy:atrm="AZT107 - Gather Resource Data"

Table 485. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT107/AZT107

AZT108 - Gather Victim Data

An adversary may access a user’s personal data if their account is compromised. This includes data such as email, OneDrive, Teams, etc.

The tag is: misp-galaxy:atrm="AZT108 - Gather Victim Data"

Table 486. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Reconnaissance/AZT108/AZT108

AZT201 - Valid Credentials

Adversaries may login to AzureAD using valid credentials. By logging in with valid credentials to an account or service principal, the adversary will assume all privileges of that account or service principal. If the account is privileged, this may lead to other tactics, such as persistence or privilege escalation.

The tag is: misp-galaxy:atrm="AZT201 - Valid Credentials"

Table 487. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201

AZT201.1 - User Account

By obtaining valid user credentials, an adversary may login to AzureAD via command line or through the Azure Portal.

The tag is: misp-galaxy:atrm="AZT201.1 - User Account"

Table 488. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-1

AZT201.2 - Service Principal

By obtaining a valid secret or certificate, an adversary may login to AzureAD via command line.

The tag is: misp-galaxy:atrm="AZT201.2 - Service Principal"

Table 489. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT201/AZT201-2

AZT202 - Password Spraying

An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.

The tag is: misp-galaxy:atrm="AZT202 - Password Spraying"

Table 490. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT202/AZT202

An adversary may lure a victim into giving their access to a malicious application registered in AzureAD.

The tag is: misp-galaxy:atrm="AZT203 - Malicious Application Consent"

Table 491. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/InitialAccess/AZT203/AZT203

AZT301 - Virtual Machine Scripting

Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.

The tag is: misp-galaxy:atrm="AZT301 - Virtual Machine Scripting"

Table 492. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301

AZT301.1 - RunCommand

By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:* Windows: PowerShell commands to the VM as SYSTEM.* Linux: Shell commands to the VM as root.

The tag is: misp-galaxy:atrm="AZT301.1 - RunCommand"

Table 493. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-1

AZT301.2 - CustomScriptExtension

By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.

The tag is: misp-galaxy:atrm="AZT301.2 - CustomScriptExtension"

Table 494. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-2

AZT301.3 - Desired State Configuration

By utilizing the 'Desired State Configuration extension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.

The tag is: misp-galaxy:atrm="AZT301.3 - Desired State Configuration"

Table 495. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-3

By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.

The tag is: misp-galaxy:atrm="AZT301.4 - Compute Gallery Application"

Table 496. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-4

AZT301.5 - AKS Command Invoke

By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster’s VM as SYSTEM

The tag is: misp-galaxy:atrm="AZT301.5 - AKS Command Invoke"

Table 497. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-5

AZT301.6 - Vmss Run Command

By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on an instance or instances of VMs as:* Windows: PowerShell commands to the VM as SYSTEM.* Linux: Shell commands to the VM as root.

The tag is: misp-galaxy:atrm="AZT301.6 - Vmss Run Command"

Table 498. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-6

AZT301.7 - Serial Console

By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.

The tag is: misp-galaxy:atrm="AZT301.7 - Serial Console"

Table 499. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT301/AZT301-7

AZT302 - Serverless Scripting

Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.

The tag is: misp-galaxy:atrm="AZT302 - Serverless Scripting"

Table 500. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302

AZT302.1 - Automation Account Runbook Hybrid Worker Group

By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.

The tag is: misp-galaxy:atrm="AZT302.1 - Automation Account Runbook Hybrid Worker Group"

Table 501. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-1

AZT302.2 - Automation Account Runbook RunAs Account

By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand [(AZT301.1)](../AZT301/AZT301-1.md) if that service principal has the correct role and privileges.

The tag is: misp-galaxy:atrm="AZT302.2 - Automation Account Runbook RunAs Account"

Table 502. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-2

AZT302.3 - Automation Account Runbook Managed Identity

By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand [(AZT301.1)](../AZT301/AZT301-1.md) if that service principal has the correct role and privileges.

The tag is: misp-galaxy:atrm="AZT302.3 - Automation Account Runbook Managed Identity"

Table 503. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-3

AZT302.4 - Function Application

By utilizing a Function Application, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT302.4 - Function Application"

Table 504. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT302/AZT302-4

AZT303 - Managed Device Scripting

Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.

The tag is: misp-galaxy:atrm="AZT303 - Managed Device Scripting"

Table 505. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Execution/AZT303/AZT303

AZT401 - Privileged Identity Management Role

An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).

The tag is: misp-galaxy:atrm="AZT401 - Privileged Identity Management Role"

Table 506. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT401/AZT401

AZT402 - Elevated Access Toggle

An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator

The tag is: misp-galaxy:atrm="AZT402 - Elevated Access Toggle"

Table 507. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT402/AZT402

AZT403 - Local Resource Hijack

By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges by injecting commands that will add an arbitrary user account to a desired role and scope.

The tag is: misp-galaxy:atrm="AZT403 - Local Resource Hijack"

Table 508. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT403/AZT403-1

AZT404 - Principal Impersonation

Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.

The tag is: misp-galaxy:atrm="AZT404 - Principal Impersonation"

Table 509. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404

AZT404.1 - Function Application

By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.1 - Function Application"

Table 510. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-1

AZT404.2 - Logic Application

By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.2 - Logic Application"

Table 511. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-2

AZT404.3 - Automation Account

By utilizing a Automation Account configured with a managed identity or RunAs account, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.3 - Automation Account"

Table 512. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-3

AZT404.4 - App Service

By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

The tag is: misp-galaxy:atrm="AZT404.4 - App Service"

Table 513. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT404/AZT404-4

AZT405 - Azure AD Application

Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.

The tag is: misp-galaxy:atrm="AZT405 - Azure AD Application"

Table 514. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405

AZT405.1 - Application API Permissions

By compromising a user, user in a group, or service principal that has an application role over an application, they may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged assigned application role.

The tag is: misp-galaxy:atrm="AZT405.1 - Application API Permissions"

Table 515. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-1

AZT405.2 - Application Role

By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.

The tag is: misp-galaxy:atrm="AZT405.2 - Application Role"

Table 516. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-2

AZT405.3 - Application Registration Owner

By compromising an account who is an 'Owner' over an application that is configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials & logging in as the service principal.

The tag is: misp-galaxy:atrm="AZT405.3 - Application Registration Owner"

Table 517. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/PrivilegeEscalation/AZT405/AZT405-3

AZT501 - Account Manipulation

An adverary may manipulate an account to maintain access in an Azure tenant

The tag is: misp-galaxy:atrm="AZT501 - Account Manipulation"

Table 518. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501

AZT501.1 - User Account Manipulation

An adverary may manipulate a user account to maintain access in an Azure tenant

The tag is: misp-galaxy:atrm="AZT501.1 - User Account Manipulation"

Table 519. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-1

AZT501.2 - Service Principal Manipulation

An adverary may manipulate a service principal to maintain access in an Azure tenant

The tag is: misp-galaxy:atrm="AZT501.2 - Service Principal Manipulation"

Table 520. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-2

AZT501.3 - Azure VM Local Administrator Manipulation

An adverary may manipulate the local admin account on an Azure VM

The tag is: misp-galaxy:atrm="AZT501.3 - Azure VM Local Administrator Manipulation"

Table 521. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT501/AZT501-3

AZT502 - Account Creation

An adversary may create an account in Azure Active Directory.

The tag is: misp-galaxy:atrm="AZT502 - Account Creation"

Table 522. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502

AZT502.1 - User Account Creation

An adversary may create an application & service principal in Azure Active Directory

The tag is: misp-galaxy:atrm="AZT502.1 - User Account Creation"

Table 523. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-1

AZT502.2 - Service Principal Creation

An adversary may create an application & service principal in Azure Active Directory

The tag is: misp-galaxy:atrm="AZT502.2 - Service Principal Creation"

Table 524. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-2

AZT502.3 - Guest Account Creation

An adversary may create a guest account in Azure Active Directory

The tag is: misp-galaxy:atrm="AZT502.3 - Guest Account Creation"

Table 525. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT502/AZT502-3

AZT503 - HTTP Trigger

Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.

The tag is: misp-galaxy:atrm="AZT503 - HTTP Trigger"

Table 526. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503

AZT503.1 - Logic Application HTTP Trigger

Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.

The tag is: misp-galaxy:atrm="AZT503.1 - Logic Application HTTP Trigger"

Table 527. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-1

AZT503.2 - Function App HTTP Trigger

Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.

The tag is: misp-galaxy:atrm="AZT503.2 - Function App HTTP Trigger"

Table 528. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-2

AZT503.3 - Runbook Webhook

Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.

The tag is: misp-galaxy:atrm="AZT503.3 - Runbook Webhook"

Table 529. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-3

AZT503.4 - WebJob

Adversaries may create a WebJob on a App Service which allows arbitrary background tasks to be run on a set schedule

The tag is: misp-galaxy:atrm="AZT503.4 - WebJob"

Table 530. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT503/AZT503-4

AZT504 - Watcher Tasks

By configurating a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.

The tag is: misp-galaxy:atrm="AZT504 - Watcher Tasks"

Table 531. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT504/AZT504

AZT505 - Scheduled Jobs

Adversaries may create a schedule for a Runbook to run at a defined interval.

The tag is: misp-galaxy:atrm="AZT505 - Scheduled Jobs"

Table 532. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT505/AZT505-1

AZT506 - Network Security Group Modification

Adversaries can modify the rules in a Network Security Group to establish access over additional ports.

The tag is: misp-galaxy:atrm="AZT506 - Network Security Group Modification"

Table 533. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT506/AZT506

AZT507 - External Entity Access

Adversaries may configure the target Azure tenant to be managed by another, externel tenant, or its users.

The tag is: misp-galaxy:atrm="AZT507 - External Entity Access"

Table 534. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507

AZT507.1 - Azure Lighthouse

Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant

The tag is: misp-galaxy:atrm="AZT507.1 - Azure Lighthouse"

Table 535. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-1

AZT507.2 - Microsoft Partners

Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.

The tag is: misp-galaxy:atrm="AZT507.2 - Microsoft Partners"

Table 536. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-2

AZT507.3 - Subscription Hijack

An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account setup by the target and the target tenant administrators will no longer have control over the subscription.

The tag is: misp-galaxy:atrm="AZT507.3 - Subscription Hijack"

Table 537. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-3

AZT507.4 - Domain Trust Modification

An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.

The tag is: misp-galaxy:atrm="AZT507.4 - Domain Trust Modification"

Table 538. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT507/AZT507-4

AZT508 - Azure Policy

By configuring a policy with the 'DeployIfNotExists' definition, an adverary may establish persistence by creating a backdoor when the policy is triggered.

The tag is: misp-galaxy:atrm="AZT508 - Azure Policy"

Table 539. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT508/AZT508

AZT601 - Steal Managed Identity JsonWebToken

An adverary may utilize the resource’s functionality to obtain a JWT for the applied Managed Identity Service Principal account.

The tag is: misp-galaxy:atrm="AZT601 - Steal Managed Identity JsonWebToken"

Table 540. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601

AZT601.1 - Virtual Machine IMDS Request

By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.

The tag is: misp-galaxy:atrm="AZT601.1 - Virtual Machine IMDS Request"

Table 541. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-1

AZT601.2 - Azure Kubernetes Service IMDS Request

By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.

The tag is: misp-galaxy:atrm="AZT601.2 - Azure Kubernetes Service IMDS Request"

Table 542. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-2

AZT601.3 - Logic Application JWT PUT Request

If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity’s JWT.

The tag is: misp-galaxy:atrm="AZT601.3 - Logic Application JWT PUT Request"

Table 543. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-3

AZT601.4 - Function Application JWT GET Request

If a Function App is using a Managed Identity, an adversary can modify the logic respond to an HTTP GET request to reveal the Managed Identity’s JWT.

The tag is: misp-galaxy:atrm="AZT601.4 - Function Application JWT GET Request"

Table 544. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-4

AZT601.5 - Automation Account Runbook

If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity’s JWT.

The tag is: misp-galaxy:atrm="AZT601.5 - Automation Account Runbook"

Table 545. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT601/AZT601-5

AZT602 - Steal Service Principal Certificate

If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.

The tag is: misp-galaxy:atrm="AZT602 - Steal Service Principal Certificate"

Table 546. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT602/AZT602-1

AZT603 - Service Principal Secret Reveal

If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal’s secret in plain text.

The tag is: misp-galaxy:atrm="AZT603 - Service Principal Secret Reveal"

Table 547. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT603/AZT603-1

AZT604 - Azure KeyVault Dumping

An adverary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.

The tag is: misp-galaxy:atrm="AZT604 - Azure KeyVault Dumping"

Table 548. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604

AZT604.1 - Azure KeyVault Secret Dump

By accessing an Azure Key Vault, an adversary may dump any or all secrets.

The tag is: misp-galaxy:atrm="AZT604.1 - Azure KeyVault Secret Dump"

Table 549. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-1

AZT604.2 - Azure KeyVault Certificate Dump

By accessing an Azure Key Vault, an adversary may dump any or all certificates.

The tag is: misp-galaxy:atrm="AZT604.2 - Azure KeyVault Certificate Dump"

Table 550. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-2

AZT604.3 - Azure KeyVault Key Dump

By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that Private keys cannot be retrieved.

The tag is: misp-galaxy:atrm="AZT604.3 - Azure KeyVault Key Dump"

Table 551. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT604/AZT604-3

AZT605 - Resource Secret Reveal

An adverary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.

The tag is: misp-galaxy:atrm="AZT605 - Resource Secret Reveal"

Table 552. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605

AZT605.1 - Storage Account Access Key Dumping

By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.

The tag is: misp-galaxy:atrm="AZT605.1 - Storage Account Access Key Dumping"

Table 553. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-1

AZT605.2 - Automation Account Credential Secret Dump

By editing a Runbook, a credential configured in an Automation Account may be revealed

The tag is: misp-galaxy:atrm="AZT605.2 - Automation Account Credential Secret Dump"

Table 554. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-2

AZT605.3 - Resource Group Deployment History Secret Dump

By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.

The tag is: misp-galaxy:atrm="AZT605.3 - Resource Group Deployment History Secret Dump"

Table 555. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/CredentialAccess/AZT605/AZT605-3

AZT701 - SAS URI Generation

By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.

The tag is: misp-galaxy:atrm="AZT701 - SAS URI Generation"

Table 556. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701

AZT701.1 - VM Disk SAS URI

An adversary may create an SAS URI to download the disk attached to a virtual machine.

The tag is: misp-galaxy:atrm="AZT701.1 - VM Disk SAS URI"

Table 557. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-1

AZT701.2 - Storage Account File Share SAS

By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.

The tag is: misp-galaxy:atrm="AZT701.2 - Storage Account File Share SAS"

Table 558. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT701/AZT701-2

AZT702 - File Share Mounting

An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.

The tag is: misp-galaxy:atrm="AZT702 - File Share Mounting"

Table 559. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT702/AZT702-1

AZT703 - Replication

By setting up cross-tenant replication, an adversary may set up replication from one tenant’s storage account to an extrenal tenant’s storage account.

The tag is: misp-galaxy:atrm="AZT703 - Replication"

Table 560. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT703/AZT703-1

AZT704 - Soft-Delete Recovery

An adversary may leverage resources found at a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted

The tag is: misp-galaxy:atrm="AZT704 - Soft-Delete Recovery"

Table 561. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704

AZT704.1 - Key Vault

An adversary may recover a key vault object found in a 'soft deletion' state.

The tag is: misp-galaxy:atrm="AZT704.1 - Key Vault"

Table 562. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-1

AZT704.2 - Storage Account Object

An adversary may recover a storage account object found in a 'soft deletion' state.

The tag is: misp-galaxy:atrm="AZT704.2 - Storage Account Object"

Table 563. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-2

AZT704.3 - Recovery Services Vault

An adversary may recover a virtual machine object found in a 'soft deletion' state.

The tag is: misp-galaxy:atrm="AZT704.3 - Recovery Services Vault"

Table 564. Table References

Links

https://microsoft.github.io/Azure-Threat-Research-Matrix/Exfiltration/AZT704/AZT704-3

attck4fraud

attck4fraud - Principles of MITRE ATT&CK in the fraud domain.

attck4fraud is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Francesco Bigarella

Phishing

In the context of ATT&CK for Fraud, phishing is described as the sending of fraudulent emails to a large audience in order to obtain sensitive information (PII, credentials, payment information). Phishing is never targeted to a specific individual or organisation. Phishing tries to create a sense of urgency or curiosity in order to capture the victim.

The tag is: misp-galaxy:financial-fraud="Phishing"

Table 565. Table References

Links

https://blog.malwarebytes.com/cybercrime/2015/02/amazon-notice-ticket-number-phish-seeks-card-details/

https://www.bleepingcomputer.com/news/security/widespread-apple-id-phishing-attack-pretends-to-be-app-store-receipts/

Spear phishing

Spear phishing is the use of targeted emails to gain the trust of the target with the goal of committing fraud. Spear phishing messages are generally specific to the target and show an understanding of the target’s organisation structure, supply chain or business.

The tag is: misp-galaxy:financial-fraud="Spear phishing"

Table 566. Table References

Links

http://fortune.com/2017/04/27/facebook-google-rimasauskas/

https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508

ATM skimming

ATM Skimming refers to the act of capturing the data stored on a bank cards (tracks) and the Personal Identification Number (PIN) associated to that card. Upon obtaining the data, the criminal proceeds to encode the same information into a new card and use it in combination with the PIN to perform illicit cash withdrawals. ATM Skimming is often achieved with a combination of a skimmer device for the card and a camera to capture the PIN.

The tag is: misp-galaxy:financial-fraud="ATM skimming"

Table 567. Table References

Links

https://krebsonsecurity.com/2015/07/spike-in-atm-skimming-in-mexico/

https://krebsonsecurity.com/2011/12/pro-grade-3d-printer-made-atm-skimmer/

https://krebsonsecurity.com/2017/08/dumping-data-from-deep-insert-skimmers/

https://krebsonsecurity.com/2016/06/atm-insert-skimmers-in-action/

https://krebsonsecurity.com/2014/11/skimmer-innovation-wiretapping-atms/

https://krebsonsecurity.com/2016/09/secret-service-warns-of-periscope-skimmers/

https://krebsonsecurity.com/2011/03/green-skimmers-skimming-green

https://blog.dieboldnixdorf.com/have-you-asked-yourself-this-question-about-skimming/

ATM Shimming

ATM Shimming refers to the act of capturing a bank card data accessing the EMV chip installed on the card while presenting the card to a ATM. Due to their low profile, shimmers can be fit inside ATM card readers and are therefore more difficult to detect.

The tag is: misp-galaxy:financial-fraud="ATM Shimming"

Table 568. Table References

Links

https://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/

https://www.cbc.ca/news/canada/british-columbia/shimmers-criminal-chip-card-reader-fraud-1.3953438

https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/

https://blog.dieboldnixdorf.com/atm-security-skimming-vs-shimming/

Vishing

Vishing

The tag is: misp-galaxy:financial-fraud="Vishing"

POS Skimming

POS Skimming

The tag is: misp-galaxy:financial-fraud="POS Skimming"

Social Media Scams

Social Media Scams

The tag is: misp-galaxy:financial-fraud="Social Media Scams"

Malware

Malware

The tag is: misp-galaxy:financial-fraud="Malware"

Account-Checking Services

Account-Checking Services

The tag is: misp-galaxy:financial-fraud="Account-Checking Services"

ATM Black Box Attack

ATM Black Box Attack

The tag is: misp-galaxy:financial-fraud="ATM Black Box Attack"

Insider Trading

Insider Trading

The tag is: misp-galaxy:financial-fraud="Insider Trading"

Investment Fraud

Investment Fraud

The tag is: misp-galaxy:financial-fraud="Investment Fraud"

Romance Scam

Romance Scam

The tag is: misp-galaxy:financial-fraud="Romance Scam"

Buying/Renting Fraud

Buying/Renting Fraud

The tag is: misp-galaxy:financial-fraud="Buying/Renting Fraud"

Cash Recovery Scam

Cash Recovery Scam

The tag is: misp-galaxy:financial-fraud="Cash Recovery Scam"

Fake Invoice Fraud

Fake Invoice Fraud

The tag is: misp-galaxy:financial-fraud="Fake Invoice Fraud"

Business Email Compromise

Business Email Compromise

The tag is: misp-galaxy:financial-fraud="Business Email Compromise"

Scam

Scam

The tag is: misp-galaxy:financial-fraud="Scam"

CxO Fraud

CxO Fraud

The tag is: misp-galaxy:financial-fraud="CxO Fraud"

Compromised Payment Cards

Compromised Payment Cards

The tag is: misp-galaxy:financial-fraud="Compromised Payment Cards"

Compromised Account Credentials

Compromised Account Credentials

The tag is: misp-galaxy:financial-fraud="Compromised Account Credentials"

Compromised Personally Identifiable Information (PII)

Compromised Personally Identifiable Information (PII)

The tag is: misp-galaxy:financial-fraud="Compromised Personally Identifiable Information (PII)"

Compromised Intellectual Property (IP)

Compromised Intellectual Property (IP)

The tag is: misp-galaxy:financial-fraud="Compromised Intellectual Property (IP)"

SWIFT Transaction

SWIFT Transaction

The tag is: misp-galaxy:financial-fraud="SWIFT Transaction"

Fund Transfer

Fund Transfer

The tag is: misp-galaxy:financial-fraud="Fund Transfer"

Cryptocurrency Exchange

Cryptocurrency Exchange

The tag is: misp-galaxy:financial-fraud="Cryptocurrency Exchange"

ATM Jackpotting

ATM Jackpotting

The tag is: misp-galaxy:financial-fraud="ATM Jackpotting"

Money Mules

Money Mules

The tag is: misp-galaxy:financial-fraud="Money Mules"

Prepaid Cards

Prepaid Cards

The tag is: misp-galaxy:financial-fraud="Prepaid Cards"

Resell Stolen Data

Resell Stolen Data

The tag is: misp-galaxy:financial-fraud="Resell Stolen Data"

ATM Explosive Attack

ATM Explosive Attack

The tag is: misp-galaxy:financial-fraud="ATM Explosive Attack"

Backdoor

A list of backdoor malware..

Backdoor is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

raw-data

WellMess

Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.

The tag is: misp-galaxy:backdoor="WellMess"

WellMess has relationships with:

  • similar: misp-galaxy:malpedia="WellMess" with estimative-language:likelihood-probability="likely"

Table 569. Table References

Links

https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html

Rosenbridge

The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.

While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.

The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU’s memory, but its register file and execution pipeline as well.

The tag is: misp-galaxy:backdoor="Rosenbridge"

Table 570. Table References

Links

https://www.bleepingcomputer.com/news/security/backdoor-mechanism-discovered-in-via-c3-x86-processors/

https://github.com/xoreaxeaxeax/rosenbridge

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Christopher%20Domas/DEFCON-26-Christopher-Domas-GOD-MODE-%20UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf

ServHelper

The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.

"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit," researchers from Proofpoint explain in an analysis released today.

The other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.

The tag is: misp-galaxy:backdoor="ServHelper"

Table 571. Table References

Links

https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/

Rising Sun

The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.

The tag is: misp-galaxy:backdoor="Rising Sun"

Table 572. Table References

Links

https://www.bluvector.io/threat-report-rising-sun-operation-sharpshooter/

SLUB

A new backdoor was observed using the Github Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack. The backdoor dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild is part of a multi-stage infection process designed by capable threat actors who programmed it in C++. SLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP request, "extracting commands from gist snippets," and "parsing Slack channel communication." The campaign recently observed by the Trend Micro security researchers abusing the Github and Slack uses a multi-stage infection process.

The tag is: misp-galaxy:backdoor="SLUB"

SLUB has relationships with:

  • similar: misp-galaxy:tool="SLUB Backdoor" with estimative-language:likelihood-probability="likely"

Table 573. Table References

Links

https://www.bleepingcomputer.com/news/security/new-slub-backdoor-uses-slack-github-as-communication-channels/

Asruex

Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.

The tag is: misp-galaxy:backdoor="Asruex"

Table 574. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/

FlowerPippi

The tag is: misp-galaxy:backdoor="FlowerPippi"

Table 575. Table References

Links

https://securityintelligence.com/news/ta505-delivers-new-gelup-malware-tool-flowerpippi-backdoor-via-spam-campaign/

Speculoos

FreeBSD-based payload, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679 which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.

The tag is: misp-galaxy:backdoor="Speculoos"

Speculoos has relationships with:

  • used-by: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="very-likely"

Table 576. Table References

Links

https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/

Mori Backdoor

Mori Backdoor has been used by Seedworm.

The tag is: misp-galaxy:backdoor="Mori Backdoor"

Table 577. Table References

Links

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east

BazarBackdoor

Something that made the brute-force attacks on RDP connections easier was a new module of the notorious Trojan, TrickBot. It now seems that the TrickBot developers have a new tactic. Cybersecurity researchers have discovered a new phishing campaign that delivers a stealthy backdoor called BazarBackdoor, which can be used to compromise and gain full access to corporate networks. As is the case with 91% of cyberattacks, this one starts with a phishing email. A range of subjects are used to personalize the emails: Customer complaints, coronavirus-themed payroll reports, or employee termination lists. All these emails contain links to documents hosted on Google Docs. To send the malicious emails, the cybercriminals use the marketing platform Sendgrid. This campaign uses spear phishing, which means that the perpetrators have made an effort to ensure that the websites sent in the emails seem legitimate and correspond to the emails subjects.

The tag is: misp-galaxy:backdoor="BazarBackdoor"

BazarBackdoor is also known as:

  • BEERBOT

  • KEGTAP

  • Team9Backdoor

  • bazaloader

  • bazarloader

  • bazaarloader

Table 578. Table References

Links

https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike

https://www.pandasecurity.com/en/mediacenter/business/bazarbackdoor-trickbot-backdoor/

SUNBURST

Backdoor.Sunburst is Malwarebytes’ detection name for a trojanized update to SolarWind’s Orion IT monitoring and management software.

The tag is: misp-galaxy:backdoor="SUNBURST"

SUNBURST is also known as:

  • Solarigate

SUNBURST has relationships with:

  • dropped-by: misp-galaxy:tool="SUNSPOT" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

Table 579. Table References

Links

https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

https://www.varonis.com/blog/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/

https://blog.malwarebytes.com/detections/backdoor-sunburst/

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

BPFDoor

BPFDoor is a passive backdoor used by a China-based threat actor. This backdoor supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP allowing the threat actor a variety of mechanisms to interact with the implant

The tag is: misp-galaxy:backdoor="BPFDoor"

Table 580. Table References

Links

https://troopers.de/troopers22/talks/7cv8pz/

https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896?gi=1effe9eb6507

https://twitter.com/cyb3rops/status/1523227511551033349

https://twitter.com/CraigHRowland/status/1523266585133457408

BOLDMOVE

According to Mandiant, this malware family is attributed to potential chinese background and its Linux variant is related to exploitation of Fortinet’s SSL-VPN (CVE-2022-42475).

The tag is: misp-galaxy:backdoor="BOLDMOVE"

Table 581. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.boldmove

https://malpedia.caad.fkie.fraunhofer.de/details/elf.boldmove

https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw

Banker

A list of banker malware..

Banker is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown - raw-data

Zeus

Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.

The tag is: misp-galaxy:banker="Zeus"

Zeus is also known as:

  • Zbot

Zeus has relationships with:

  • similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"

Table 582. Table References

Links

https://usa.kaspersky.com/resource-center/threats/zeus-virus

Vawtrak

Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.

The tag is: misp-galaxy:banker="Vawtrak"

Vawtrak is also known as:

  • Neverquest

Vawtrak has relationships with:

  • similar: misp-galaxy:tool="Vawtrak" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Vawtrak" with estimative-language:likelihood-probability="likely"

Table 583. Table References

Links

https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/

https://www.fidelissecurity.com/threatgeek/2016/05/vawtrak-trojan-bank-it-evolving

https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows

https://www.botconf.eu/wp-content/uploads/2016/11/2016-Vawtrak-technical-report.pdf

Dridex

Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.

The tag is: misp-galaxy:banker="Dridex"

Dridex is also known as:

  • Feodo Version D

  • Cridex

Dridex has relationships with:

  • similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dridex" with estimative-language:likelihood-probability="likely"

Table 584. Table References

Links

https://blog.malwarebytes.com/detections/trojan-dridex/

https://feodotracker.abuse.ch/

Gozi

Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010

The tag is: misp-galaxy:banker="Gozi"

Gozi is also known as:

  • Ursnif

  • CRM

  • Snifula

  • Papras

Gozi has relationships with:

  • similar: misp-galaxy:tool="Snifula" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Gozi" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Snifula" with estimative-language:likelihood-probability="likely"

Table 585. Table References

Links

https://www.secureworks.com/research/gozi

https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007

https://lokalhost.pl/gozi_tree.txt

Goziv2

Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.

The tag is: misp-galaxy:banker="Goziv2"

Goziv2 is also known as:

  • Prinimalka

Table 586. Table References

Links

https://krebsonsecurity.com/tag/gozi-prinimalka/

https://securityintelligence.com/project-blitzkrieg-how-to-block-the-planned-prinimalka-gozi-trojan-attack/

https://lokalhost.pl/gozi_tree.txt

Gozi ISFB

Banking trojan based on Gozi source. Features include web injects for the victims’ browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.

The tag is: misp-galaxy:banker="Gozi ISFB"

Gozi ISFB has relationships with:

  • similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"

Table 587. Table References

Links

https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak

https://lokalhost.pl/gozi_tree.txt

Dreambot

Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.

The tag is: misp-galaxy:banker="Dreambot"

Table 588. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/

https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

https://lokalhost.pl/gozi_tree.txt

IAP

Gozi ISFB variant

The tag is: misp-galaxy:banker="IAP"

IAP has relationships with:

  • similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"

Table 589. Table References

Links

https://lokalhost.pl/gozi_tree.txt

http://archive.is/I7hi8#selection-217.0-217.6

GozNym

GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers.

The tag is: misp-galaxy:banker="GozNym"

Table 590. Table References

Links

https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/

https://lokalhost.pl/gozi_tree.txt

Zloader Zeus

Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Zloader Zeus"

Zloader Zeus is also known as:

  • Zeus Terdot

Zloader Zeus has relationships with:

  • similar: misp-galaxy:malpedia="Zloader" with estimative-language:likelihood-probability="likely"

Table 591. Table References

Links

https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle

https://www.scmagazine.com/terdot-zloaderzbot-combo-abuses-certificate-app-to-pull-off-mitm-browser-attacks/article/634443/

Zeus VM

Zeus variant that utilizes steganography in image files to retrieve configuration file.

The tag is: misp-galaxy:banker="Zeus VM"

Zeus VM is also known as:

  • VM Zeus

Zeus VM has relationships with:

  • similar: misp-galaxy:malpedia="VM Zeus" with estimative-language:likelihood-probability="likely"

Table 592. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/

https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/

Zeus Sphinx

Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.

The tag is: misp-galaxy:banker="Zeus Sphinx"

Zeus Sphinx has relationships with:

  • similar: misp-galaxy:malpedia="Zeus Sphinx" with estimative-language:likelihood-probability="likely"

Table 593. Table References

Links

https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/

Panda Banker

Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Panda Banker"

Panda Banker is also known as:

  • Zeus Panda

Table 594. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf

https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers

Zeus KINS

Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it’s config in the registry.

The tag is: misp-galaxy:banker="Zeus KINS"

Zeus KINS is also known as:

  • Kasper Internet Non-Security

  • Maple

Zeus KINS has relationships with:

  • similar: misp-galaxy:malpedia="KINS" with estimative-language:likelihood-probability="likely"

Table 595. Table References

Links

https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/

https://github.com/nyx0/KINS

Chthonic

Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.

The tag is: misp-galaxy:banker="Chthonic"

Chthonic is also known as:

  • Chtonic

Chthonic has relationships with:

  • similar: misp-galaxy:malpedia="Chthonic" with estimative-language:likelihood-probability="likely"

Table 596. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan

https://securelist.com/chthonic-a-new-modification-of-zeus/68176/

Trickbot

Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan

The tag is: misp-galaxy:banker="Trickbot"

Trickbot is also known as:

  • Trickster

  • Trickloader

Trickbot has relationships with:

  • similar: misp-galaxy:tool="Trick Bot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TrickBot" with estimative-language:likelihood-probability="likely"

Table 597. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/

https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/

http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html

https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-starts-stealing-windows-problem-history/

Dyre

Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim’s computer.

The tag is: misp-galaxy:banker="Dyre"

Dyre is also known as:

  • Dyreza

Dyre has relationships with:

  • similar: misp-galaxy:mitre-malware="Dyre - S0024" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dyre" with estimative-language:likelihood-probability="likely"

Table 598. Table References

Links

https://www.secureworks.com/research/dyre-banking-trojan

https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/

Tinba

Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.

The tag is: misp-galaxy:banker="Tinba"

Tinba is also known as:

  • Zusy

  • TinyBanker

  • illi

Tinba has relationships with:

  • similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Tinba" with estimative-language:likelihood-probability="likely"

Table 599. Table References

Links

https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/

http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/

https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/

http://my.infotex.com/tiny-banker-trojan/

Geodo

Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.

The tag is: misp-galaxy:banker="Geodo"

Geodo is also known as:

  • Feodo Version C

  • Emotet

Geodo has relationships with:

  • similar: misp-galaxy:tool="Emotet" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Emotet" with estimative-language:likelihood-probability="likely"

Table 600. Table References

Links

https://feodotracker.abuse.ch/

http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/

https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/

https://www.bleepingcomputer.com/news/security/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks/

https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet

https://cofense.com/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links/

Feodo

Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. Version A = Port 8080, Version B = Port 80 It is delivered primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Feodo"

Feodo is also known as:

  • Bugat

  • Cridex

Feodo has relationships with:

  • similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Feodo" with estimative-language:likelihood-probability="likely"

Table 601. Table References

Links

https://securelist.com/dridex-a-history-of-evolution/78531/

https://feodotracker.abuse.ch/

http://stopmalvertising.com/rootkits/analysis-of-cridex.html

Ramnit

Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.

The tag is: misp-galaxy:banker="Ramnit"

Ramnit is also known as:

  • Nimnul

Ramnit has relationships with:

  • similar: misp-galaxy:botnet="Ramnit" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"

Table 602. Table References

Links

https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/

Qakbot

Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.

The tag is: misp-galaxy:banker="Qakbot"

Qakbot is also known as:

  • Qbot

  • Pinkslipbot

  • Akbot

Qakbot has relationships with:

  • similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="likely"

Table 603. Table References

Links

https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/

https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/

https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf

Corebot

Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Corebot"

Corebot has relationships with:

  • similar: misp-galaxy:malpedia="Corebot" with estimative-language:likelihood-probability="likely"

Table 604. Table References

Links

https://securityintelligence.com/an-overnight-sensation-corebot-returns-as-a-full-fledged-financial-malware/

https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf

https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/

TinyNuke

TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It’s main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="TinyNuke"

TinyNuke is also known as:

  • NukeBot

  • Nuclear Bot

  • MicroBankingTrojan

  • Xbot

TinyNuke has relationships with:

  • similar: misp-galaxy:mitre-tool="Xbot - S0298" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Xbot" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="TinyNuke" with estimative-language:likelihood-probability="likely"

Table 605. Table References

Links

https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/

https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/

https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596

https://benkowlab.blogspot.ca/2017/08/quick-look-at-another-alina-fork-xbot.html

Retefe

Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails.

The tag is: misp-galaxy:banker="Retefe"

Retefe is also known as:

  • Tsukuba

  • Werdlod

Retefe has relationships with:

  • similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"

Table 606. Table References

Links

https://www.govcert.admin.ch/blog/33/the-retefe-saga

https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/

https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/

https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/

http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/

ReactorBot

ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.

The tag is: misp-galaxy:banker="ReactorBot"

ReactorBot has relationships with:

  • similar: misp-galaxy:malpedia="ReactorBot" with estimative-language:likelihood-probability="likely"

Table 607. Table References

Links

http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html

https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under

http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html

http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/

Matrix Banker

Matrix Banker is named accordingly because of the Matrix reference in it’s C2 panel. Distributed primarily via malspam emails.

The tag is: misp-galaxy:banker="Matrix Banker"

Matrix Banker has relationships with:

  • similar: misp-galaxy:malpedia="Matrix Banker" with estimative-language:likelihood-probability="likely"

Table 608. Table References

Links

https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/

Zeus Gameover

Zeus Gameover captures banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Zeus Gameover"

Table 609. Table References

Links

https://heimdalsecurity.com/blog/zeus-gameover/

https://www.us-cert.gov/ncas/alerts/TA14-150A

SpyEye

SpyEye is a similar to the Zeus botnet banking trojan. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, ftp grabber, pop3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="SpyEye"

Table 610. Table References

Links

https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf

https://www.computerworld.com/article/2509482/security0/spyeye-trojan-defeating-online-banking-defenses.html

https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot

Citadel

Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.

The tag is: misp-galaxy:banker="Citadel"

Citadel has relationships with:

  • similar: misp-galaxy:malpedia="Citadel" with estimative-language:likelihood-probability="likely"

Table 611. Table References

Links

https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/

https://krebsonsecurity.com/tag/citadel-trojan/

https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/

Atmos

Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Atmos"

Table 612. Table References

Links

https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/

http://www.xylibox.com/2016/02/citadel-0011-atmos.html

Ice IX

Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.

The tag is: misp-galaxy:banker="Ice IX"

Ice IX has relationships with:

  • similar: misp-galaxy:malpedia="Ice IX" with estimative-language:likelihood-probability="likely"

Table 613. Table References

Links

https://securelist.com/ice-ix-not-cool-at-all/29111/ [https://securelist.com/ice-ix-not-cool-at-all/29111/ ]

Zitmo

Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.

The tag is: misp-galaxy:banker="Zitmo"

Table 614. Table References

Links

https://securelist.com/zeus-in-the-mobile-for-android-10/29258/

Licat

Banking trojan based on Zeus V2. Murofet is a newer version of Licat found ~end of 2011

The tag is: misp-galaxy:banker="Licat"

Licat is also known as:

  • Murofet

Licat has relationships with:

  • similar: misp-galaxy:malpedia="Murofet" with estimative-language:likelihood-probability="likely"

Table 615. Table References

Links

https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3aWin32%2fMurofet.A

Skynet

Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.

The tag is: misp-galaxy:banker="Skynet"

Table 616. Table References

Links

https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/

IcedID

According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.

The tag is: misp-galaxy:banker="IcedID"

IcedID is also known as:

  • BokBot

IcedID has relationships with:

  • similar: misp-galaxy:malpedia="IcedID" with estimative-language:likelihood-probability="likely"

Table 617. Table References

Links

https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/

https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/

http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html

https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/

GratefulPOS

GratefulPOS has the following functions 1. Access arbitrary processes on the target POS system 2. Scrape track 1 and 2 payment card data from the process(es) 3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.

The tag is: misp-galaxy:banker="GratefulPOS"

GratefulPOS has relationships with:

  • similar: misp-galaxy:tool="GratefulPOS" with estimative-language:likelihood-probability="likely"

Table 618. Table References

Links

https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season

Dok

A macOS banking trojan that that redirects an infected user’s web traffic in order to extract banking credentials.

The tag is: misp-galaxy:banker="Dok"

Dok has relationships with:

  • similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"

Table 619. Table References

Links

https://objective-see.com/blog/blog_0x25.html#Dok

downAndExec

Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.

The tag is: misp-galaxy:banker="downAndExec"

Table 620. Table References

Links

https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/

Smominru

Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware. The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.

The tag is: misp-galaxy:banker="Smominru"

Smominru is also known as:

  • Ismo

  • lsmo

Smominru has relationships with:

  • similar: misp-galaxy:malpedia="Smominru" with estimative-language:likelihood-probability="likely"

Table 621. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators

DanaBot

It’s a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll)

The tag is: misp-galaxy:banker="DanaBot"

DanaBot has relationships with:

  • similar: misp-galaxy:malpedia="DanaBot" with estimative-language:likelihood-probability="likely"

Table 622. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0

https://www.bleepingcomputer.com/news/security/danabot-banking-malware-now-targeting-banks-in-the-us/

Backswap

The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload

The tag is: misp-galaxy:banker="Backswap"

Table 623. Table References

Links

https://www.cert.pl/news/single/analiza-zlosliwego-oprogramowania-backswap/

https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/

Bebloh

The tag is: misp-galaxy:banker="Bebloh"

Bebloh is also known as:

  • URLZone

  • Shiotob

Bebloh has relationships with:

  • similar: misp-galaxy:malpedia="UrlZone" with estimative-language:likelihood-probability="likely"

Table 624. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A

https://www.symantec.com/security-center/writeup/2011-041411-0912-99

Banjori

The tag is: misp-galaxy:banker="Banjori"

Banjori is also known as:

  • MultiBanker 2

  • BankPatch

  • BackPatcher

Banjori has relationships with:

  • similar: misp-galaxy:malpedia="Banjori" with estimative-language:likelihood-probability="likely"

Table 625. Table References

Links

https://www.johannesbader.ch/2015/02/the-dga-of-banjori/

Qadars

The tag is: misp-galaxy:banker="Qadars"

Qadars has relationships with:

  • similar: misp-galaxy:malpedia="Qadars" with estimative-language:likelihood-probability="likely"

Table 626. Table References

Links

https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/

Sisron

The tag is: misp-galaxy:banker="Sisron"

Table 627. Table References

Links

https://www.johannesbader.ch/2016/06/the-dga-of-sisron/

Ranbyus

The tag is: misp-galaxy:banker="Ranbyus"

Ranbyus has relationships with:

  • similar: misp-galaxy:malpedia="Ranbyus" with estimative-language:likelihood-probability="likely"

Table 628. Table References

Links

https://www.johannesbader.ch/2016/06/the-dga-of-sisron/

Fobber

The tag is: misp-galaxy:banker="Fobber"

Fobber has relationships with:

  • similar: misp-galaxy:malpedia="Fobber" with estimative-language:likelihood-probability="likely"

Table 629. Table References

Links

https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks

Karius

Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a rather traditional fashion to other banking malware and consists of three components (injector32\64.exe, proxy32\64.dll and mod32\64.dll), these components essentially work together to deploy webinjects in several browsers.

The tag is: misp-galaxy:banker="Karius"

Karius has relationships with:

  • similar: misp-galaxy:malpedia="Karius" with estimative-language:likelihood-probability="likely"

Table 630. Table References

Links

https://research.checkpoint.com/banking-trojans-development/

Kronos

Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renew version was reconnecting with infected bots and sending them a brand new configuration file against U.K. banks and one bank in India. Similar to Zeus it was focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018, the main difference is that the 2018 edition uses Tor-hosted C&C control panels.

The tag is: misp-galaxy:banker="Kronos"

Kronos has relationships with:

  • similar: misp-galaxy:malpedia="Kronos" with estimative-language:likelihood-probability="likely"

Table 631. Table References

Links

https://en.wikipedia.org/wiki/Kronos_(malware)

https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware

https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/

CamuBot

A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components. CamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.

The tag is: misp-galaxy:banker="CamuBot"

CamuBot has relationships with:

  • similar: misp-galaxy:malpedia="CamuBot" with estimative-language:likelihood-probability="likely"

Table 632. Table References

Links

https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/ [https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/ ]

Dark Tequila

Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.

The tag is: misp-galaxy:banker="Dark Tequila"

Table 633. Table References

Links

https://thehackernews.com/2018/08/mexico-banking-malware.html

Malteiro

Distributed by Malteiro

The tag is: misp-galaxy:banker="Malteiro"

Malteiro is also known as:

  • URSA

Malteiro has relationships with:

  • delivered-by: misp-galaxy:threat-actor="Malteiro" with estimative-language:likelihood-probability="likely"

Table 634. Table References

Links

https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/

Bhadra Framework

Bhadra Threat Modeling Framework.

Bhadra Framework is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Siddharth Prakash Rao - Silke Holtmanns - Tuomas Aura

Attacks from UE

"Attacks from UE" refers to any technique that involves the attacks launched by the software or hardware components of the user equipment to send malicious traffic into the mobile network.

The tag is: misp-galaxy:bhadra-framework="Attacks from UE"

SIM-based attacks

The "SIM-based attacks" are the techniques that involve any physical smart cards, namely SIM from 2G, USIM from 3G, and UICC from 4G networks.

The tag is: misp-galaxy:bhadra-framework="SIM-based attacks"

Attacks from radio access network

The "attacks from radio access network" are the techniques where an adversary with radio capabilities impersonates the mobile network to the UE (or vice versa) and becomes a man-in-the-middle.

The tag is: misp-galaxy:bhadra-framework="Attacks from radio access network"

Attacks from other mobile network

The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies for legal interception and human insiders with access to network nodes

The tag is: misp-galaxy:bhadra-framework="Attacks from other mobile network"

Attacks with access to transport network

The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies for legal interception and human insiders with access to network nodes

The tag is: misp-galaxy:bhadra-framework="Attacks with access to transport network"

Attacks from IP-based network

The "attacks from IP-based attacks" techniques mostly are launched from the service and application network, which allows non operator entities to infuse malicious trac into an operator’s network.

The tag is: misp-galaxy:bhadra-framework="Attacks from IP-based network"

Insider attacks and human errors

The "insider attacks and human errors" technique involve the intentional attacks and unintentional mistakes from human insiders with access to any component of the mobile communication ecosystem.

The tag is: misp-galaxy:bhadra-framework="Insider attacks and human errors"

Infecting UE hardware or software

Retaining the foothold gained on the target system through the initial access by infecting UE hardware or software.

The tag is: misp-galaxy:bhadra-framework="Infecting UE hardware or software"

Infecting SIM cards

Retaining the foothold gained on the target system through the initial access by infecting SIM cards.

The tag is: misp-galaxy:bhadra-framework="Infecting SIM cards"

Spoofed radio network

Retaining the foothold gained on the target system through the initial access by radio network spoofing.

The tag is: misp-galaxy:bhadra-framework="Spoofed radio network"

Infecting network nodes

Retaining the foothold gained on the target system through the initial access by infecting network nodes.

The tag is: misp-galaxy:bhadra-framework="Infecting network nodes"

Covert channels

Retaining the foothold gained on the target system through the initial access via covert channels.

The tag is: misp-galaxy:bhadra-framework="Covert channels"

Port scanning or sweeping

"Port scanning or sweeping" techniques to probe servers or hosts with open ports.

The tag is: misp-galaxy:bhadra-framework="Port scanning or sweeping"

Perimeter mapping

"perimeter mapping" techniques such as command-line utilities (e.g., nmap and whois), web-based lookup tools and official APIs provided by the Internet registrars that assign the ASNs using a wide range of publicly available sources.

The tag is: misp-galaxy:bhadra-framework="Perimeter mapping"

Threat intelligence gathering

"Threat intelligence gathering" using dedicated search engines (such as Censys, Shodan) to gather information about vulnerable devices or networks, or using advanced search options of traditional search engines.

The tag is: misp-galaxy:bhadra-framework="Threat intelligence gathering"

CN-specific scanning

"CN-specific scanning", used to scan nodes that are interconnected with protocols specific to the mobile communication domain (GTP, SCTP).

The tag is: misp-galaxy:bhadra-framework="CN-specific scanning"

"Internal resource search" refers to an insider with access to provider internal databases abusing the information as a discovery tactic.

The tag is: misp-galaxy:bhadra-framework="Internal resource search"

UE knocking

"UE knocking" refers to the technique that scans User Equipment, similarly to how IP endpoints and core network nodes are scanned or mapped.

The tag is: misp-galaxy:bhadra-framework="UE knocking"

Exploit roaming agreements

"Exploit roaming agreements" is a technique exploited by evil mobile operators. Despite communication with operators is dependent on a roaming agreement being in place, an attacker that has gained a foothold with one operator, it can abuse the roaming agreements in place for lateral movement with all adjacent operators with agreements in place.

The tag is: misp-galaxy:bhadra-framework="Exploit roaming agreements"

Abusing interworking functionalities

"Abusing Inter-working functionalities" is a technique for adversaries to move between networks of different generations laterally

The tag is: misp-galaxy:bhadra-framework="Abusing interworking functionalities"

Exploit platform & service-specific vulnerabilities

Once an attacker has gained a foothold in an operator, it can conduct privilege escalation and process injection for gaining administrative rights, password cracking of valid user accounts on the nodes, exploit vulnerabilities in databases and file systems, and take advantage of improper configurations of routers and switches.

The tag is: misp-galaxy:bhadra-framework="Exploit platform & service-specific vulnerabilities"

SS7-based-attacks

Attacks abusing the SS7 protocol.

The tag is: misp-galaxy:bhadra-framework="SS7-based-attacks"

Diameter-based attacks

Attacks abusing the Diameter protocol.

The tag is: misp-galaxy:bhadra-framework="Diameter-based attacks"

GTP-based attacks

Attacks abusing the GTP protocol.

The tag is: misp-galaxy:bhadra-framework="GTP-based attacks"

DNS-based attacks

DNS based attacks.

The tag is: misp-galaxy:bhadra-framework="DNS-based attacks"

Pre-AKA attacks

Attack techniques that take place during the unencrypted communication that occurs prior to the AKA protocol.

The tag is: misp-galaxy:bhadra-framework="Pre-AKA attacks"

Security audit camouflage

The operating systems, software, and services used on the network nodes are prone to security vulnerabilities and installation of unwanted malware. Although operators conduct routine security audits to track and patch the vulnerabilities or remove the malware from the infected nodes, their effectiveness is not known to the public. Any means by which an adversary can remain undetected from such audits are referred to as the security audit camouflage technique.

The tag is: misp-galaxy:bhadra-framework="Security audit camouflage"

Blacklist evasion

Mobile operators employ several defenses in terms of securing their network traffic. For instance, operators maintain a whitelist of IPs and GTs of nodes from their own infrastructure and their partner operators (as agreed in IR 21), and traffic from only these nodes are processed. Similarly, a blacklist is also maintained to control spam due to configuration errors and malicious traffic. Anything from the blacklist is banned from entering the operator’s network. Such defense mechanisms may defend against unsolicited traffic from external networks (e.g., from the public Internet and SAN), but it barely serves its purpose in the case of attacks from inter-operator communications. Since most of the communication protocols are unauthenticated in nature, an aŠacker with knowledge of identifiers of the allowed nodes (i.e. gained during the discovery phase) can impersonate their identity. We call it the blacklist evasion technique.

The tag is: misp-galaxy:bhadra-framework="Blacklist evasion"

Middlebox misconfiguration exploits

NAT middleboxes are used for separating private networks of mobile operators from public Internet works as the second line of defense. However, studies have shown that the middleboxes deployed by operators are prone to misconfigurations that allow adversaries to infiltrate malicious traffic into mobile networks e.g., by spoofing the IP headers. Some of the other NAT vulnerabilities lie in IPv4-to-IPv6 address mapping logic, which can be exploited by adversaries to exhaust the resources, wipe out the mapping, or to assist with blacklist evasion. Adversaries use such middlebox misconfiguration exploit techniques to launch denial-of-service or over-billing attacks.

The tag is: misp-galaxy:bhadra-framework="Middlebox misconfiguration exploits"

Bypass Firewall

Adversaries (e.g., evil operators) can for example exploit the implicit trust between roaming partners as a bypass firewall technique.

The tag is: misp-galaxy:bhadra-framework="Bypass Firewall"

Bypass homerouting

SMS home routing is a defense mechanism, where an additional SMS router intervenes in external location queries for SMS deliveries, and the roaming network takes the responsibility of delivering the SMS without providing location information to the external entity. Although many operators have implemented SMS home routing solutions, there are no silver bullets. If the SMS routers are incorrectly configured, adversaries can hide SMS delivery location queries within other messages so that the SMS home router fails to process them. We refer to it as the bypass home routing technique.

The tag is: misp-galaxy:bhadra-framework="Bypass homerouting"

Downgrading

Attacks on the radio access networks are well-studied and newer generations are designed to address the weaknesses in previous generations. Usage of weak cryptographic primitives, lack of integrity protection of the radio channels, and one-sided authentication (only from the network) remain as the problem of mostly GSM only radio communication. So, radio link attackers use downgrading as an attack technique to block service over newer generations and accept to serve only in the GSM radio network. The downgrading technique works similarly in the core network, where the adversary accepts to serve only in SS7-based signaling instead of Diameterbased signaling. Using interworking functions for inter-generation communication translation could make the downgrading attacks much easier.

The tag is: misp-galaxy:bhadra-framework="Downgrading"

Redirection

Redirection technique is a variant of the downgrading technique, where an adversary forcefully routes the traffic through networks or components that are under its control. By redirecting traffic to an unsafe network, the adversary can intercept mobile communication (e.g., calls and SMS) on the RAN part. Redirection attacks on the core network result in not only communication interception, but also in billing discrepancies, as an adversary can route the calls of a mobile user from its home network through a foreign network on a higher call rate.

The tag is: misp-galaxy:bhadra-framework="Redirection"

UE Protection evasion

Protection on the UE is mainly available in the form of antivirus apps as a defense against viruses and malware that steals sensitive information (e.g., banking credentials and user passwords) or track user activities. Simple visual cues on UE (such as notifications) could also be a protection mechanism by itself. Unfortunately, mobile network-based attacks cannot be detected or defended effectively from UE’s side by traditional antivirus apps, and such attacks do not trigger any visual signs. Although there are attempts for defending against radio link attacks, including citywide studies to detect IMSI catchers, their effectiveness is still under debate. Similarly, there are recent attempts to detect signaling attacks using distance bounding protocol run from a UE. However, such solutions are still in the research phase, and their effectiveness on a large scale is still untested. To this end, the absence of robust detection and defense mechanisms on the UE is, in fact, an evasion mechanism for an adversary. We refer to them as UE protection evasion techniques.

The tag is: misp-galaxy:bhadra-framework="UE Protection evasion"

Admin credentials

Stealing legitimate admin credentials for critical nodes is beneficial for the adversary to increase its chances of persistence to the target or masquerade its activities.

The tag is: misp-galaxy:bhadra-framework="Admin credentials"

User-specific identifiers

User-specific identifiers such as IMSI and IMEI are an indicator for who owns UE with a specific subscription and where a UE is located physically. Since mobile users always keep their mobile phones physically near them, an adversary with the knowledge of these permanent identifiers will be able to determine whether or not a user is in a specific location. On the other hand, temporary identifiers (e.g., TMSI and GUTI) are used to reduce the usage of permanent identifiers like IMSI over radio channels. Although the temporary identifiers are supposed to change frequently and expected to live for a short period, research has shown that it is not the case

The tag is: misp-galaxy:bhadra-framework="User-specific identifiers"

User-specific data

Adversaries can collect several types of user-specific data, such as the content of SMS and calls, location dumps from base stations, call and billing records, and browsing-related data (such as DNS queries and unencrypted browsing sessions).

The tag is: misp-galaxy:bhadra-framework="User-specific data"

Network-specific identifiers

Adversaries aim to collect network-specific identifiers such as GTs and IPs of critical nodes and Tunnel Endpoint Identifier (TEID) of GTP tunnels from operators’ networks

The tag is: misp-galaxy:bhadra-framework="Network-specific identifiers"

Network-specific data

Adversaries may also be interested in network-specific data that are obtained mainly during the execution of discovery tactics. Such data includes, e.g., the network topology, the trust relationship between different nodes, routing metadata, and sensitive documents

The tag is: misp-galaxy:bhadra-framework="Network-specific data"

Location tracking

Attacker is able to track the location of the target end-user.

The tag is: misp-galaxy:bhadra-framework="Location tracking"

Calls eavesdropping

Attacker is able to eavesdrop on calls.

The tag is: misp-galaxy:bhadra-framework="Calls eavesdropping"

SMS interception

Attacker is able to intercept SMS messages.

The tag is: misp-galaxy:bhadra-framework="SMS interception"

Data interception

Attacker is able to intercept or modify internet traffic.

The tag is: misp-galaxy:bhadra-framework="Data interception"

Billing frauds

Billing frauds refer to various types of attacks where an adversary causes financial discrepancies for operators.

The tag is: misp-galaxy:bhadra-framework="Billing frauds"

DoS - network

The attacker can create signaling havoc in specific nodes of operators by repeatedly triggering resource allocation or revocation requests.

The tag is: misp-galaxy:bhadra-framework="DoS - network"

DoS - user

The attacker can cause denial of service to mobile users.

The tag is: misp-galaxy:bhadra-framework="DoS - user"

Identity-based attacks involve attack techniques using userand network-specific identifiers. Identity-based attacks cause harm to the privacy of mobile users and produce fraudulent traffic that incurs a financial loss to operators. In most cases, identity-based attacks are used in impersonation, where an adversary impersonates a legitimate mobile user to the core network without possessing appropriate credentials, for example, to avail free mobile services. Most of the signaling attacks that use SS7 are also fall into this category. In other cases, identitybased attacks involve identity mapping, where the adversaries map temporary identifiers (e.g., TMSI and GUTI) to permanent identifiers (e.g., IMSI or MSISDN). In rare cases, the IMSI can further be mapped to social media identities.

The tag is: misp-galaxy:bhadra-framework="Identity-related attacks"

Botnet

botnet galaxy.

Botnet is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

ADB.miner

A new botnet appeared over the weekend, and it’s targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.

The botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system’s native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system’s most sensitive features.

Only devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360’s Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which the named ADB.miner.

The tag is: misp-galaxy:botnet="ADB.miner"

Table 635. Table References

Links

https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/

Bagle

Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

The tag is: misp-galaxy:botnet="Bagle"

Bagle is also known as:

  • Beagle

  • Mitglieder

  • Lodeight

Bagle has relationships with:

  • similar: misp-galaxy:malpedia="Bagle" with estimative-language:likelihood-probability="likely"

Table 636. Table References

Links

https://en.wikipedia.org/wiki/Bagle_(computer_worm)

Marina Botnet

Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.

The tag is: misp-galaxy:botnet="Marina Botnet"

Marina Botnet is also known as:

  • Damon Briant

  • BOB.dc

  • Cotmonger

  • Hacktool.Spammer

  • Kraken

Marina Botnet has relationships with:

  • similar: misp-galaxy:botnet="Kraken" with estimative-language:likelihood-probability="likely"

Table 637. Table References

Links

https://en.wikipedia.org/wiki/Botnet

Torpig

Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data hajimeon the computer, and can perform man-in-the-browser attacks.

The tag is: misp-galaxy:botnet="Torpig"

Torpig is also known as:

  • Sinowal

  • Anserin

Torpig has relationships with:

  • similar: misp-galaxy:malpedia="Sinowal" with estimative-language:likelihood-probability="likely"

Table 638. Table References

Links

https://en.wikipedia.org/wiki/Torpig

Storm

The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of "zombie" computers (or "botnet") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

The tag is: misp-galaxy:botnet="Storm"

Storm is also known as:

  • Nuwar

  • Peacomm

  • Zhelatin

  • Dorf

  • Ecard

Table 639. Table References

Links

https://en.wikipedia.org/wiki/Storm_botnet

Rustock

The tag is: misp-galaxy:botnet="Rustock"

Rustock is also known as:

  • RKRustok

  • Costrat

Rustock has relationships with:

  • similar: misp-galaxy:malpedia="Rustock" with estimative-language:likelihood-probability="likely"

Table 640. Table References

Links

https://en.wikipedia.org/wiki/Rustock_botnet

Donbot

The tag is: misp-galaxy:botnet="Donbot"

Donbot is also known as:

  • Buzus

  • Bachsoy

Donbot has relationships with:

  • similar: misp-galaxy:malpedia="Buzus" with estimative-language:likelihood-probability="likely"

Table 641. Table References

Links

https://en.wikipedia.org/wiki/Donbot_botnet

Cutwail

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo.] It affects computers running Microsoft Windows. related to: Wigon, Pushdo

The tag is: misp-galaxy:botnet="Cutwail"

Cutwail is also known as:

  • Pandex

  • Mutant

Cutwail has relationships with:

  • similar: misp-galaxy:malpedia="Cutwail" with estimative-language:likelihood-probability="likely"

Table 642. Table References

Links

https://en.wikipedia.org/wiki/Cutwail_botnet

Akbot

Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.

The tag is: misp-galaxy:botnet="Akbot"

Akbot has relationships with:

  • similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"

Table 643. Table References

Links

https://en.wikipedia.org/wiki/Akbot

Srizbi

Srizbi BotNet, considered one of the world’s largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

The tag is: misp-galaxy:botnet="Srizbi"

Srizbi is also known as:

  • Cbeplay

  • Exchanger

Table 644. Table References

Links

https://en.wikipedia.org/wiki/Srizbi_botnet

Lethic

The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.

The tag is: misp-galaxy:botnet="Lethic"

Lethic has relationships with:

  • similar: misp-galaxy:malpedia="Lethic" with estimative-language:likelihood-probability="likely"

Table 645. Table References

Links

https://en.wikipedia.org/wiki/Lethic_botnet

Xarvester

The tag is: misp-galaxy:botnet="Xarvester"

Xarvester is also known as:

  • Rlsloup

  • Pixoliz

Table 646. Table References

Links

https://krebsonsecurity.com/tag/xarvester/

Sality

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

The tag is: misp-galaxy:botnet="Sality"

Sality is also known as:

  • Sector

  • Kuku

  • Sality

  • SalLoad

  • Kookoo

  • SaliCode

  • Kukacka

Sality has relationships with:

  • similar: misp-galaxy:malpedia="Sality" with estimative-language:likelihood-probability="likely"

Table 647. Table References

Links

https://en.wikipedia.org/wiki/Sality

Mariposa

The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly (mariposa in Spanish) Bot", making it one of the largest known botnets.

The tag is: misp-galaxy:botnet="Mariposa"

Table 648. Table References

Links

https://en.wikipedia.org/wiki/Mariposa_botnet

Conficker

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.

The tag is: misp-galaxy:botnet="Conficker"

Conficker is also known as:

  • DownUp

  • DownAndUp

  • DownAdUp

  • Kido

Conficker has relationships with:

  • similar: misp-galaxy:malpedia="Conficker" with estimative-language:likelihood-probability="likely"

Table 649. Table References

Links

https://en.wikipedia.org/wiki/Conficker

Waledac

Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.

The tag is: misp-galaxy:botnet="Waledac"

Waledac is also known as:

  • Waled

  • Waledpak

Table 650. Table References

Links

https://en.wikipedia.org/wiki/Waledac_botnet

Maazben

A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.

The tag is: misp-galaxy:botnet="Maazben"

Table 651. Table References

Links

https://www.symantec.com/connect/blogs/evaluating-botnet-capacity

Onewordsub

The tag is: misp-galaxy:botnet="Onewordsub"

Table 652. Table References

Links

https://www.botnets.fr/wiki/OneWordSub

Gheg

Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware – it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server – they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).

The tag is: misp-galaxy:botnet="Gheg"

Gheg is also known as:

  • Tofsee

  • Mondera

Gheg has relationships with:

  • similar: misp-galaxy:malpedia="Tofsee" with estimative-language:likelihood-probability="likely"

Table 653. Table References

Links

https://www.cert.pl/en/news/single/tofsee-en/

Nucrypt

The tag is: misp-galaxy:botnet="Nucrypt"

Table 654. Table References

Links

https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en

Wopla

The tag is: misp-galaxy:botnet="Wopla"

Table 655. Table References

Links

https://www.botnets.fr/wiki.old/index.php/Wopla

Asprox

The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.

The tag is: misp-galaxy:botnet="Asprox"

Asprox is also known as:

  • Badsrc

  • Aseljo

  • Danmec

  • Hydraflux

Asprox has relationships with:

  • similar: misp-galaxy:malpedia="Asprox" with estimative-language:likelihood-probability="likely"

Table 656. Table References

Links

https://en.wikipedia.org/wiki/Asprox_botnet

Spamthru

Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machine’s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.

The tag is: misp-galaxy:botnet="Spamthru"

Spamthru is also known as:

  • Spam-DComServ

  • Covesmer

  • Xmiler

Table 657. Table References

Links

http://www.root777.com/security/analysis-of-spam-thru-botnet/

Gumblar

Gumblar is a malicious JavaScript trojan horse file that redirects a user’s Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.

The tag is: misp-galaxy:botnet="Gumblar"

Table 658. Table References

Links

https://en.wikipedia.org/wiki/Gumblar

BredoLab

The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.

The tag is: misp-galaxy:botnet="BredoLab"

BredoLab is also known as:

  • Oficla

BredoLab has relationships with:

  • similar: misp-galaxy:tool="Oficla" with estimative-language:likelihood-probability="likely"

Table 659. Table References

Links

https://en.wikipedia.org/wiki/Bredolab_botnet

Grum

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world’s largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world’s 3rd largest botnet, responsible for 18% of worldwide spam traffic.

The tag is: misp-galaxy:botnet="Grum"

Grum is also known as:

  • Tedroo

  • Reddyb

Table 660. Table References

Links

https://en.wikipedia.org/wiki/Grum_botnet

Mega-D

The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.

The tag is: misp-galaxy:botnet="Mega-D"

Mega-D is also known as:

  • Ozdok

Table 661. Table References

Links

https://en.wikipedia.org/wiki/Mega-D_botnet

Kraken

The Kraken botnet was the world’s largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.

The tag is: misp-galaxy:botnet="Kraken"

Kraken is also known as:

  • Kracken

Kraken has relationships with:

  • similar: misp-galaxy:botnet="Marina Botnet" with estimative-language:likelihood-probability="likely"

Table 662. Table References

Links

https://en.wikipedia.org/wiki/Kraken_botnet

Festi

The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.

The tag is: misp-galaxy:botnet="Festi"

Festi is also known as:

  • Spamnost

Table 663. Table References

Links

https://en.wikipedia.org/wiki/Festi_botnet

Vulcanbot

Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.

The tag is: misp-galaxy:botnet="Vulcanbot"

Table 664. Table References

Links

https://en.wikipedia.org/wiki/Vulcanbot

LowSec

The tag is: misp-galaxy:botnet="LowSec"

LowSec is also known as:

  • LowSecurity

  • FreeMoney

  • Ring0.Tools

TDL4

Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system’s network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015,triggered these crashes by breaking assumptions made by the malware author(s).

The tag is: misp-galaxy:botnet="TDL4"

TDL4 is also known as:

  • TDSS

  • Alureon

TDL4 has relationships with:

  • similar: misp-galaxy:malpedia="Alureon" with estimative-language:likelihood-probability="likely"

Table 665. Table References

Links

https://en.wikipedia.org/wiki/Alureon#TDL-4

Zeus

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

The tag is: misp-galaxy:botnet="Zeus"

Zeus is also known as:

  • Zbot

  • ZeuS

  • PRG

  • Wsnpoem

  • Gorhax

  • Kneber

Zeus has relationships with:

  • similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:banker="Zeus" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"

Table 666. Table References

Links

https://en.wikipedia.org/wiki/Zeus_(malware)

Kelihos

The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.

The tag is: misp-galaxy:botnet="Kelihos"

Kelihos is also known as:

  • Hlux

Kelihos has relationships with:

  • similar: misp-galaxy:malpedia="Kelihos" with estimative-language:likelihood-probability="likely"

Table 667. Table References

Links

https://en.wikipedia.org/wiki/Kelihos_botnet

Ramnit

Ramnit is a Computer worm affecting Windows users. It was estimated that it infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec securities in 2015. In 2015, this infection was estimated at 3 200 000 PCs.

The tag is: misp-galaxy:botnet="Ramnit"

Ramnit has relationships with:

  • similar: misp-galaxy:banker="Ramnit" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"

Table 668. Table References

Links

https://en.wikipedia.org/wiki/Botnet

Zer0n3t

The tag is: misp-galaxy:botnet="Zer0n3t"

Zer0n3t is also known as:

  • Fib3rl0g1c

  • Zer0n3t

  • Zer0Log1x

Chameleon

The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).

The tag is: misp-galaxy:botnet="Chameleon"

Table 669. Table References

Links

https://en.wikipedia.org/wiki/Chameleon_botnet

Mirai

Mirai (Japanese for "the future", 未来) is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.

The tag is: misp-galaxy:botnet="Mirai"

Mirai has relationships with:

  • similar: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Mirai (ELF)" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"

Table 670. Table References

Links

https://en.wikipedia.org/wiki/Mirai_(malware)

https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/

https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/

XorDDoS

XOR DDOS is a Linux trojan used to perform large-scale DDoS

The tag is: misp-galaxy:botnet="XorDDoS"

Table 671. Table References

Links

https://en.wikipedia.org/wiki/Xor_DDoS

Satori

According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.

The tag is: misp-galaxy:botnet="Satori"

Satori is also known as:

  • Okiru

Satori has relationships with:

  • similar: misp-galaxy:tool="Satori" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Satori" with estimative-language:likelihood-probability="likely"

Table 672. Table References

Links

https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/

https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant

BetaBot

The tag is: misp-galaxy:botnet="BetaBot"

BetaBot has relationships with:

  • similar: misp-galaxy:malpedia="BetaBot" with estimative-language:likelihood-probability="likely"

Hajime

Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown. It is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existance was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).

The tag is: misp-galaxy:botnet="Hajime"

Hajime has relationships with:

  • similar: misp-galaxy:malpedia="Hajime" with estimative-language:likelihood-probability="likely"

Table 673. Table References

Links

https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/

https://en.wikipedia.org/wiki/Hajime_(malware)

https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/

Muhstik

The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS. At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware. Crooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online. The Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.

The tag is: misp-galaxy:botnet="Muhstik"

Table 674. Table References

Links

https://www.bleepingcomputer.com/news/security/big-iot-botnet-starts-large-scale-exploitation-of-drupalgeddon-2-vulnerability/

Hide and Seek

Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device. The reset operation flushed the device’s flash memory, where the device would keep all its working data, including IoT malware strains. But today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices. By placing itself in this menu, the device’s OS will automatically start the malware’s process after the next reboot.

The tag is: misp-galaxy:botnet="Hide and Seek"

Hide and Seek is also known as:

  • HNS

  • Hide 'N Seek

Hide and Seek has relationships with:

  • similar: misp-galaxy:malpedia="Hide and Seek" with estimative-language:likelihood-probability="likely"

Table 675. Table References

Links

https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/

https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/

https://www.bleepingcomputer.com/news/security/hide-and-seek-botnet-adds-infection-vector-for-android-devices/

Mettle

Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.

The tag is: misp-galaxy:botnet="Mettle"

Table 676. Table References

Links

https://thehackernews.com/2018/05/botnet-malware-hacking.html

Owari

IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot. Author is called WICKED

The tag is: misp-galaxy:botnet="Owari"

Owari has relationships with:

  • similar: misp-galaxy:malpedia="Owari" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"

Table 677. Table References

Links

https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html

Brain Food

Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.

The tag is: misp-galaxy:botnet="Brain Food"

Table 678. Table References

Links

https://www.proofpoint.com/us/threat-insight/post/brain-food-botnet-gives-website-operators-heartburn

Pontoeb

The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run command such as: download a file, update itself, visit a website and perform HTTP, SYN, UDP flooding

The tag is: misp-galaxy:botnet="Pontoeb"

Pontoeb is also known as:

  • N0ise

Table 679. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:MSIL/Pontoeb.J

http://dataprotectioncenter.com/general/are-you-beta-testing-malware/

Trik Spam Botnet

The tag is: misp-galaxy:botnet="Trik Spam Botnet"

Trik Spam Botnet is also known as:

  • Trik Trojan

Table 680. Table References

Links

https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/

Madmax

The tag is: misp-galaxy:botnet="Madmax"

Madmax is also known as:

  • Mad Max

Madmax has relationships with:

  • similar: misp-galaxy:tool="Mad Max" with estimative-language:likelihood-probability="likely"

Table 681. Table References

Links

https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml

Pushdo

The tag is: misp-galaxy:botnet="Pushdo"

Pushdo has relationships with:

  • similar: misp-galaxy:malpedia="Pushdo" with estimative-language:likelihood-probability="likely"

Table 682. Table References

Links

https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/

Simda

The tag is: misp-galaxy:botnet="Simda"

Simda has relationships with:

  • similar: misp-galaxy:malpedia="Simda" with estimative-language:likelihood-probability="likely"

Table 683. Table References

Links

https://www.us-cert.gov/ncas/alerts/TA15-105A

Virut

The tag is: misp-galaxy:botnet="Virut"

Virut has relationships with:

  • similar: misp-galaxy:malpedia="Virut" with estimative-language:likelihood-probability="likely"

Table 684. Table References

Links

https://en.wikipedia.org/wiki/Virut

Bamital

The tag is: misp-galaxy:botnet="Bamital"

Bamital is also known as:

  • Mdrop-CSK

  • Agent-OCF

Table 686. Table References

Links

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital

https://www.symantec.com/security-center/writeup/2010-070108-5941-99

Gafgyt

Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).

The tag is: misp-galaxy:botnet="Gafgyt"

Gafgyt is also known as:

  • Bashlite

Gafgyt has relationships with:

  • similar: misp-galaxy:tool="Gafgyt" with estimative-language:likelihood-probability="likely"

  • similar: misp-galaxy:malpedia="Bashlite" with estimative-language:likelihood-probability="likely"

Table 687. Table References

Links

https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/

https://www.symantec.com/security-center/writeup/2014-100222-5658-99

Sora

Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year.Initial versions were nothing out of the ordinary, and Sora’s original author soon moved on to developing the Mirai Owari version, shortly after Sora’s creation.

The tag is: misp-galaxy:botnet="Sora"

Sora is also known as:

  • Mirai Sora

Sora has relationships with:

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"

Table 688. Table References

Links

https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/

Torii

we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.

The tag is: misp-galaxy:botnet="Torii"

Torii has relationships with:

  • similar: misp-galaxy:malpedia="Torii" with estimative-language:likelihood-probability="likely"

Table 689. Table References

Links

https://blog.avast.com/new-torii-botnet-threat-research

https://www.bleepingcomputer.com/news/security/new-iot-botnet-torii-uses-six-methods-for-persistence-has-no-clear-purpose/

Persirai

A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.

The tag is: misp-galaxy:botnet="Persirai"

Persirai has relationships with:

  • similar: misp-galaxy:malpedia="Persirai" with estimative-language:likelihood-probability="likely"

Table 690. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/

Chalubo

Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.

The tag is: misp-galaxy:botnet="Chalubo"

Table 691. Table References

Links

https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/

AESDDoS

Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.

The tag is: misp-galaxy:botnet="AESDDoS"

Table 692. Table References

Links

https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/

Arceus

A set of DDoS botnet.

The tag is: misp-galaxy:botnet="Arceus"

Arceus is also known as:

  • Katura

  • MyraV

  • myra

Mozi

Mozi infects new devices through weak telnet passwords and exploitation.

The tag is: misp-galaxy:botnet="Mozi"

Table 693. Table References

Links

https://blog.netlab.360.com/mozi-another-botnet-using-dht/

https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/

https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/

UPAS-Kit

UPAS-Kit was advertised by auroras a/k/a vinny in middle of june 2012 via exploit.in. Upas is the predecessor of Kronos. Marcus Hutchins helped create and, in partnership with another, sell malicious computer code, a/k/a malware, known as UPAS-Kit.

The tag is: misp-galaxy:botnet="UPAS-Kit"

UPAS-Kit is also known as:

  • Rombrast

Table 694. Table References

Links

https://research.checkpoint.com/2018/deep-dive-upas-kit-vs-kronos/

https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html

https://web.archive.org/web/20130120062602/http://onthar.in/articles/upas-kit-analysis/

https://regmedia.co.uk/2019/04/19/plea.pdf

Phorpiex

Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

The tag is: misp-galaxy:botnet="Phorpiex"

Phorpiex is also known as:

  • Trik

Table 695. Table References

Links

https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex

DDG

First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).

The tag is: misp-galaxy:botnet="DDG"

DDG has relationships with:

  • similar: misp-galaxy:malpedia="DDG" with estimative-language:likelihood-probability="likely"

Table 696. Table References

Links

https://twitter.com/JiaYu_521/status/1204248344043778048

https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/

https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/

https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/

https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/

https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/

https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg

Glupteba

A multi-component botnet targeting Windows Computer. Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, deploy and operate proxy components targeting Windows systems and IoT devices. The botnet has been observed targeting victims worldwide, including the US, India, Brazil and Southeast Asia. The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS).

The tag is: misp-galaxy:botnet="Glupteba"

Table 697. Table References

Links

https://blog.google/threat-analysis-group/disrupting-glupteba-operation/

Elknot

DDoS Botnet

The tag is: misp-galaxy:botnet="Elknot"

Elknot is also known as:

  • Linux/BillGates

  • BillGates

Table 698. Table References

Links

https://www.virusbulletin.com/conference/vb2016/abstracts/elknot-ddos-botnets-we-watched

https://www.virusbulletin.com/uploads/pdf/conference_slides/2016/Liu_Wang-vb-2016-TheElknotDDoSBotnetsWeWatched.pdf

Advanced modular botnet that is reportedly linked to the Sandworm or Voodoo Bear advanced persistent threat (APT) group.

The tag is: misp-galaxy:botnet="Cyclops Blink"

Table 699. Table References

Links

https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html

https://www.cisa.gov/uscert/ncas/alerts/aa22-054a

Abcbot

Botnet

The tag is: misp-galaxy:botnet="Abcbot"

Table 700. Table References

Links

https://blog.netlab.360.com/abcbot_an_evolving_botnet_en

Ripprbot

Botnet

The tag is: misp-galaxy:botnet="Ripprbot"

Table 701. Table References

Links

https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days

EnemyBot

In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.

This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.

It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.

Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.

The tag is: misp-galaxy:botnet="EnemyBot"

EnemyBot has relationships with:

  • similar: misp-galaxy:malpedia="EnemyBot" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Gafgyt" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"

  • variant-of: misp-galaxy:botnet="Qbot" with estimative-language:likelihood-probability="likely"

Table 702. Table References

Links

https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/

https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot

https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet

https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers

Qbot

Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 – two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.

The tag is: misp-galaxy:botnet="Qbot"

Qbot is also known as:

  • QakBot

  • Pinkslipbot

Qbot has relationships with:

  • dropped: misp-galaxy:ransomware="ProLock" with estimative-language:likelihood-probability="likely"

  • used-by: misp-galaxy:ransomware="BlackBasta" with estimative-language:likelihood-probability="likely"

Table 703. Table References

Links

https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf

https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html

https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/

Dark.IoT

This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.

The tag is: misp-galaxy:botnet="Dark.IoT"

Dark.IoT has relationships with:

  • variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"

Table 704. Table References

Links

https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/

KmsdBot

Akamai Security Research has observed a new golang malware which they named KmsdBot. The malware scans for open SSH ports and performs a simple dictionary attack against it. The researchers from Akamai monitored only DDoS activity, but discovered also the functionality to launch cryptomining. The malware has varied targets including the gaming industry, technology industry, and luxury car manufacturers.

The tag is: misp-galaxy:botnet="KmsdBot"

Table 705. Table References

Links

https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware

Branded Vulnerability

List of known vulnerabilities and attacks with a branding.

Branded Vulnerability is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Unknown

Meltdown

Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.

The tag is: misp-galaxy:branded-vulnerability="Meltdown"

Spectre

Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.

The tag is: misp-galaxy:branded-vulnerability="Spectre"

Heartbleed

Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug’s name derives from heartbeat. The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.

The tag is: misp-galaxy:branded-vulnerability="Heartbleed"

Shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

The tag is: misp-galaxy:branded-vulnerability="Shellshock"

Ghost

The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue. During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.

The tag is: misp-galaxy:branded-vulnerability="Ghost"

Stagefright

Stagefright is the name given to a group of software bugs that affect versions 2.2 ("Froyo") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim’s device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn’t have to do anything to ‘accept’ the bug, it happens in the background. The phone number is the only target information.

The tag is: misp-galaxy:branded-vulnerability="Stagefright"

Badlock

Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols[1] supported by Windows and Samba servers.

The tag is: misp-galaxy:branded-vulnerability="Badlock"

Dirty COW

Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.

The tag is: misp-galaxy:branded-vulnerability="Dirty COW"

POODLE

The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryptio") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.

The tag is: misp-galaxy:branded-vulnerability="POODLE"

BadUSB

The ‘BadUSB’ vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.

The tag is: misp-galaxy:branded-vulnerability="BadUSB"

ImageTragick

The tag is: misp-galaxy:branded-vulnerability="ImageTragick"

Blacknurse

Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.

The tag is: misp-galaxy:branded-vulnerability="Blacknurse"

SPOILER

SPOILER is a security vulnerability on modern computer central processing units that uses speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel CPUs are vulnerable to the attack. AMD has stated that its processors are not vulnerable.

The tag is: misp-galaxy:branded-vulnerability="SPOILER"

Table 706. Table References

Links

https://arxiv.org/pdf/1903.00446v1.pdf

https://appleinsider.com/articles/19/03/05/new-spoiler-vulnerability-in-all-intel-core-processors-exposed-by-researchers

https://www.overclock3d.net/news/cpu_mainboard/spoiler_alert_-intel_cpus_impacted_by_new_vulnerability/1[https://www.overclock3d.net/news/cpu_mainboard/spoiler_alert-_intel_cpus_impacted_by_new_vulnerability/1]

https://www.1e.com/news-insights/blogs/the-spoiler-vulnerability/

https://www.bleepingcomputer.com/news/security/amd-believes-spoiler-vulnerability-does-not-impact-its-processors/

BlueKeep

A ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware

The tag is: misp-galaxy:branded-vulnerability="BlueKeep"

Table 707. Table References

Links

https://www.welivesecurity.com/2019/05/22/patch-now-bluekeep-vulnerability/

Cert EU GovSector

Cert EU GovSector.

Cert EU GovSector is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Various

Constituency

The tag is: misp-galaxy:cert-eu-govsector="Constituency"

EU-Centric

The tag is: misp-galaxy:cert-eu-govsector="EU-Centric"

EU-nearby

The tag is: misp-galaxy:cert-eu-govsector="EU-nearby"

World-class

The tag is: misp-galaxy:cert-eu-govsector="World-class"

Unknown

The tag is: misp-galaxy:cert-eu-govsector="Unknown"

Outside World

The tag is: misp-galaxy:cert-eu-govsector="Outside World"

China Defence Universities Tracker

The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre..

China Defence Universities Tracker is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
authors

Australian Strategic Policy Institute

Academy of Military Science (中国人民解放军军事科学院)

AMS is responsible for leading and coordinating military science for the whole military. AMS is involved in not only the development of theory, strategy, and doctrine but also advancing national defense innovation. Pursuant to the PLA reforms, AMS has undergone dramatic changes starting in June 2017. At a July 2017 ceremony marking the AMS’s reorganisation, Xi urged the AMS to construct a ‘world-class military scientific research institution.’ Through the National Defence Science and Technology Innovation Institute, the AMS is pursuing research in cutting-edge technologies including unmanned systems, artificial intelligence, biotechnology and quantum technology.

The tag is: misp-galaxy:china-defence-universities="Academy of Military Science (中国人民解放军军事科学院)"

Table 708. Table References

Links

https://unitracker.aspi.org.au/universities/academy-of-military-science

Aero Engine Corporation of China (中国航空发动机集团有限公司)

AECC is a leading producer of aircraft parts for the People’s Liberation Army (PLA), having separated from its parent company the Aviation Industry Corporation of China (AVIC) in 2016. The company reports having 27 affiliated or subordinate companies, three major listed companies, and 84,000 staff. AVIC and the Commercial Aircraft Corporation of China (also known as COMAC) are major shareholders in AECC.AECC’s main products include aircraft engines, combustion gas turbines, and transmission systems. AECC also develops aircraft power units, helicopter drive systems, monocrystalline blades, turbine disks, and graphene.AECC was established in order to improve China’s capability in developing domestically built aircraft engines as part of the ‘Made in China 2025’ program. A priority is strengthening its supply chains within China. Though indigenously developed engines have proven challenging for AECC, the company had purported success in providing thrust vector control technology for the J-10B fighter jet.

The tag is: misp-galaxy:china-defence-universities="Aero Engine Corporation of China (中国航空发动机集团有限公司)"

Table 709. Table References

Links

https://unitracker.aspi.org.au/universities/aero-engine-corporation-of-china

Air Force Command College (中国人民解放军空军指挥学院)

The PLA Air Force Command College in Beijing is considered the PLA Air Force’s ‘peak institution for educating mid-rank and senior officers’ for command posts across the service. The college has a long history and was initially established in Nanjing during the early years of the People’s Republic in 1958.The Air Force Command College offers a range of degree programmes, mainly at the postgraduate level, including training in military disciplines such as military history, strategy, and tactics. It has published research on control science and radar. The college’s other specialties include battlefield command, military operations as well as political–ideological education.

The tag is: misp-galaxy:china-defence-universities="Air Force Command College (中国人民解放军空军指挥学院)"

Table 710. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-command-college

Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)

The Air Force Communications Officers Academy is the PLA’s premier institution for the training of non-commissioned officers in communications systems and security. Established in 1986 as the Dalian Communications NCO College, the institution was renamed after Xi Jinping’s military reforms in 2017. The academy’s areas of research include command automation and satellite communications, along with wired and wireless communications.

The tag is: misp-galaxy:china-defence-universities="Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)"

Table 711. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-communications-officers-college

Air Force Early Warning Academy (中国人民解放军空军预警学院)

The Air Force Early Warning Academy is ‘an institution that trains military personnel from the PLA Air Force and Navy’s radar and electronic warfare units in command, engineering and technology’ that was established after the amalgamation of the Air Defence Academy and Radar College in 1958. As such, the Air Force Early Warning Academy focuses its research on radar engineering, information command systems engineering, networked command engineering, and early warning detection systems.

The tag is: misp-galaxy:china-defence-universities="Air Force Early Warning Academy (中国人民解放军空军预警学院)"

Table 712. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-early-warning-academy

Air Force Engineering University (中国人民解放军空军工程大学)

The Air Force Engineering University (AFEU) is one of the PLA’s five comprehensive universities alongside NUDT, Naval Engineering University, PLA Information Engineering University and Army Engineering University. It trains students in a variety of engineering and military disciplines related to air combat.AFEU currently has around 8,000 students, including 1,600 postgraduate students. Its priority areas include technical studies in information and communication systems engineering as well as in social sciences such as in professional military training. Research into unmanned aerial vehicle technology is another important area of research at the university. In 2017, China’s Ministry of Education ranked AFEU equal fourth for armament science out of nine universities, only awarding it a B- grade for the discipline.Colleges under AFEU include:

The tag is: misp-galaxy:china-defence-universities="Air Force Engineering University (中国人民解放军空军工程大学)"

Table 713. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-engineering-university

Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)

Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)

The tag is: misp-galaxy:china-defence-universities="Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)"

Table 714. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-flight-academy-shijiazhuang

Air Force Harbin Flight Academy (空军哈尔滨飞行学院)

The Academy is home to the Air Force Harbin Flight Academy Simulation Training Center, 2,500m2 large-scale aircraft simulator where students can train in simulated transport and bomber aircraft. The Academy hopes to continue developing the Simulation Training Center into a ‘laboratory for air operations,’ including advanced trainings like simulated tactical confrontations.

The tag is: misp-galaxy:china-defence-universities="Air Force Harbin Flight Academy (空军哈尔滨飞行学院)"

Table 715. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-harbin-flight-academy

Air Force Logistics University (中国人民解放军空军后勤学院)

The Air Force Logistics University is an institution devoted to the study of command, management and technology for the PLA, established in Shanxi by the Central Military Commission in 1954. The university focusses its research on ‘management engineering’ for military equipment such as weaponry and aircraft fuel and also maintains research programmes on air battle command and personnel management.

The tag is: misp-galaxy:china-defence-universities="Air Force Logistics University (中国人民解放军空军后勤学院)"

Table 716. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-logistics-university

Air Force Medical University (中国人民解放军空军军医大学)

The Air Force Medical University, also known as the Fourth Military Medical University, is the PLA’s premier institution for research into medical and psychological sciences, having been placed under command of the Air Force after Xi Jinping’s military reforms in 2017. Its major areas of study are medical and psychological sciences tailored for personnel engaging in air and space operations, military preventative medicine and various other forms of clinical research.The Air Force Medical University conducts significant amounts of psychological research. Scientists from the Air Force Medical University have written studies on suicide, mental health across China, and mental health in military universities. The university’s scientists have also looked at the extent to which mindfulness training can reduce anxiety for undergraduates at military universities, and at how fear induced by virtual combat scenarios impacts decision-making. This indicates that the university is interested in issues of troop morale and decision-making in high-stress situations.

The tag is: misp-galaxy:china-defence-universities="Air Force Medical University (中国人民解放军空军军医大学)"

Table 717. Table References

Links

https://unitracker.aspi.org.au/universities/fourth-military-medical-university

Air Force Research Institute (中国人民解放军空军研究院)

The Air Force Research Institute is an air force scientific research institute, the successor to the Air Force Equipment Academy (空军装备研究院), that was established in 2017. The institute runs the Key Laboratory of Complex Aviation System Simulation (复杂航空系统仿真国防重点实验室) and carries out research on areas such as aircraft design, flight control, guidance and navigation, and electronic countermeasures.

The tag is: misp-galaxy:china-defence-universities="Air Force Research Institute (中国人民解放军空军研究院)"

Table 718. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-research-institute

Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)

Created upon the merger of the PLA Air Force’s Second and Fifth Flight Academies in 2011, the Air Force Xi’an Flight Academy specialises in training airmen in aviation while passing on the PLA’s ‘revolutionary traditions’. It remains ‘one of the Air Force’s three advanced institutions in air combat, and is known to train the PLA Air Force’s JJ-7 fighter pilots. Given this focus on training, the institution engages in little scientific research.

The tag is: misp-galaxy:china-defence-universities="Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)"

Table 719. Table References

Links

https://unitracker.aspi.org.au/universities/air-force-xian-flight-academy

Anhui University (安徽大学)

Anhui University is overseen by the Anhui Provincial Government. In January 2019, defence industry agency SASTIND and the Anhui Provincial Government signed an agreement to jointly develop Anhui University. This agreement with SASTIND suggests that the university will increase its role in defense research in the future.

The tag is: misp-galaxy:china-defence-universities="Anhui University (安徽大学)"

Table 720. Table References

Links

https://unitracker.aspi.org.au/universities/anhui-university

Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)

The Army Academy of the Armored Forces is China’s lead institute responsible for training and research for armoured combat. This includes a focus on tank warfare, mechanised artillery and infantry operations. The academy offers training in ‘armored combat command, surveillance and intelligence, operational tactics’ as well as in engineering disciplines relevant to operations involving the PLA Ground Force’s armoured corps, such as materials science, mechanical engineering, electrical engineering and automation, communications engineering, weapons systems engineering and photoelectric information science.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)"

Table 721. Table References

Links

https://unitracker.aspi.org.au/universities/army-academy-of-armored-forces

Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)

The Army Academy of Artillery and Air Defense is an institution devoted to training artillery and air defence officers in the PLA Ground Force. Its areas of focus include electrical engineering and automation, munitions engineering and explosives technology, radar engineering, and missile engineering.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)"

Table 722. Table References

Links

https://unitracker.aspi.org.au/universities/army-academy-of-artillery-and-air-defense

Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)

With a history dating back to 1941, the Army Academy of Border and Coastal Defense is the only institution of higher education devoted to training PLA Ground Force personnel in border and coastal defence operations. Its subjects of focus include firepower command and control engineering, and command information systems engineering.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)"

Table 723. Table References

Links

https://unitracker.aspi.org.au/universities/army-academy-of-border-and-coastal-defense

Army Aviation College (中国人民解放军陆军航空兵学院)

The Army Aviation College is the PLA’s institution responsible for training mid-career helicopter pilots from the PLA Air Force and aviation officers from the PLA Ground Force. The college’s subject areas include aircraft and engine design, aviation communications and air defence systems, flight radar maintenance engineering, and combat aircraft maintenance engineering.

The tag is: misp-galaxy:china-defence-universities="Army Aviation College (中国人民解放军陆军航空兵学院)"

Table 724. Table References

Links

https://unitracker.aspi.org.au/universities/army-aviation-college

Army Engineering University (中国人民解放军陆军工程大学)

The Army Engineering University was established in 2017 following the abolition of the PLA University of Science and Technology. The university is devoted to research on ‘engineering, technology and combat command systems’ for the PLA Land Force.The university’s areas of research include:

The tag is: misp-galaxy:china-defence-universities="Army Engineering University (中国人民解放军陆军工程大学)"

Table 725. Table References

Links

https://unitracker.aspi.org.au/universities/army-engineering-university

Army Infantry Academy (中国人民解放军陆军步兵学院)

The Army Infantry Academy is a higher education institution in China devoted to providing elementary training in command for infantry soldiers in the PLA Ground Force. The academy teaches courses in operational disciplines such as command information systems engineering, armored vehicles engineering and weapons systems engineering. As well as providing formal teaching, the Army Infantry Academy also provides oversight for training exercises and electronic warfare simulations.

The tag is: misp-galaxy:china-defence-universities="Army Infantry Academy (中国人民解放军陆军步兵学院)"

Table 726. Table References

Links

https://unitracker.aspi.org.au/universities/army-infantry-academy

Army Medical University (中国人民解放军陆军军医大学)

The PLA Army Medical University, formerly known as the Third Military Medical University, is a medical education university affiliated with the PLA Ground Force. It was formed in 2017 through a merger with the PLA Western Theater Command Urumqi Comprehensive Training Base’s Military Medical Training Brigade and the Tibet Military Region’s Eighth Hospital. The Army Medical University includes six national key laboratories and 32 Ministry of Education or military key laboratories. It has won military awards for science and technology progress and seven national science and technology prizes.

The tag is: misp-galaxy:china-defence-universities="Army Medical University (中国人民解放军陆军军医大学)"

Table 727. Table References

Links

https://unitracker.aspi.org.au/universities/army-medical-university

Army Military Transportation Academy (中国人民解放军陆军军事交通学院)

The Army Military Transport Academy is a higher education institution devoted to training PLA Ground Force personnel in military transport and logistics. The academy focusses on military transport command engineering, command and automation engineering, ordnance engineering, and armament sustainment command.

The tag is: misp-galaxy:china-defence-universities="Army Military Transportation Academy (中国人民解放军陆军军事交通学院)"

Table 728. Table References

Links

https://unitracker.aspi.org.au/universities/army-military-transportation-academy-2

Army Research Institute (中国人民解放军陆军研究院)

The Army Research Institute is an institution devoted to advanced defence research with applications to land warfare. The institute engages in a variety of defence research including radar technology, lasers, and hybrid electric vehicles. Researchers from the institute are known to have collaborated with partners from China’s civilian universities in areas such as advanced manufacturing and automatic control, and laser technology.The Army Research Institute collaborates with civilian companies as part of China’s military-civil fusion program. For example, General Guo Guangsheng from the Army Research Institute made a visit to Hong Run Precision Instruments Co. Ltd. (虹润精密仪器有限公司) on 24 August 2019 to assess how the company was performing in its military-civil fusion activities. Researchers from the Army Research Institute have also been involved in the product design and development of dual-use automobiles as part of a military-civil fusion project called ‘Research, Development and Commerialisation of Advanced Off-road Passenger Vehicles’ (新一代军民通用高端越野乘用汽车研发及产业化). The project included research into vehicles such as the BJ80 military and civilian off-road passenger vehicles as well as the BJ40L off-road vehicle.

The tag is: misp-galaxy:china-defence-universities="Army Research Institute (中国人民解放军陆军研究院)"

Table 729. Table References

Links

https://unitracker.aspi.org.au/universities/army-research-institute

Army Service Academy (中国人民解放军陆军勤务学院)

The Army Service Academy is an institution of higher education in the PLA devoted to training personnel in a variety of logistics disciplines. The logistics disciplines taught at the academy include: fuel logistics, military facility management, military procurement management, and integrated logistics management. Its areas of focus for defence research include military energy engineering, defence engineering, and management science and engineering.

The tag is: misp-galaxy:china-defence-universities="Army Service Academy (中国人民解放军陆军勤务学院)"

Table 730. Table References

Links

https://unitracker.aspi.org.au/universities/army-service-academy

Army Special Operations Academy (中国人民解放军陆军特种作战学院)

The academy’s key subjects include special operations command, surveillance and intelligence, and command information systems engineering.

The tag is: misp-galaxy:china-defence-universities="Army Special Operations Academy (中国人民解放军陆军特种作战学院)"

Table 731. Table References

Links

https://unitracker.aspi.org.au/universities/army-special-operations-academy

Aviation Industry Corporation of China (中国航空工业集团有限公司)

AVIC is a state-owned defence conglomerate established in 2008 that focuses on providing aerospace products for military and civilian customers. AVIC’s main product lines include a variety of aircraft for freight, commercial and military aviation along with other more specialised products such as printed circuit boards, liquid crystal displays and automotive parts, according to Bloomberg. AVIC also provides services to the aviation sector through flight testing, engineering, logistics and asset management.The conglomerate has over 400,000 employees and has a controlling share in around 200 companies. AVIC has over 25 subsidiaries listed on its website.AVIC is the PLA Air Force’s largest supplier of military aircraft, producing fighter jets, strike aircraft, unmanned aerial vehicles and surveillance aircraft. Along with its core work on military aircraft, AVIC also produces surface-to-air, air-to-surface and air-to-air missiles. Its headline projects include the J-10 and the J-11 fighter aircraft. AVIC’s subsidiary, the Shenyang Aircraft Corporation, was responsible for delivery of the J-15 fighter. Another subsidiary of AVIC, the Chengdu Aerospace Corporation, developed the PLA-AF’s J-20 stealth fighter jet.

The tag is: misp-galaxy:china-defence-universities="Aviation Industry Corporation of China (中国航空工业集团有限公司)"

Table 732. Table References

Links

https://unitracker.aspi.org.au/universities/aviation-industry-corporation-of-china

Aviation University of Air Force (中国人民解放军空军航空大学)

AUAF is one of China’s main institutions devoted to the training of air force pilots. Its areas of focus are training in flight command and research into aeronautical engineering. Disciplines taught at AUAF include command science and engineering, aerospace science and technology as well as political work and military command.AUAF scientists publish and attend conferences on radar technology and electronic countermeasures. For example, scientists from AUAF’s Information Countermeasures Division co-authored a publication on radar target recognition with a researcher from the PLA’s Unit 94936 – an aviation unit stationed in Hangzhou. AUAF scientists have also done notable work on complex systems radar and signal pre-sorting.

The tag is: misp-galaxy:china-defence-universities="Aviation University of Air Force (中国人民解放军空军航空大学)"

Table 733. Table References

Links

https://unitracker.aspi.org.au/universities/aviation-university-of-air-force

Beihang University (北京航空航天大学)

Beihang University engages in very high levels of defence research as one of the ‘Seven Sons of National Defence’ subordinate to the Ministry of Industry and Information Technology. The university specialises in aviation and spaceflight research. The top four employers of Beihang graduates in 2018 were all state-owned missile or defence aviation companies. In total, 29% of 2018 Beihang graduates who found employment were working in the defence sector.Beihang scientists are involved in the development of Chinese military aircraft and missiles. In 2018, the university signed a comprehensive strategic cooperation agreement with China Aerospace Science and Technology Corporation, a state-owned conglomerate that produces ballistic missiles and satellites. The university is also noteworthy for its leading research on stealth technology.Beihang hosts at least eight major defence laboratories working on fields such as aircraft engines, inertial navigation and fluid dynamics.

The tag is: misp-galaxy:china-defence-universities="Beihang University (北京航空航天大学)"

Table 734. Table References

Links

https://unitracker.aspi.org.au/universities/beihang-university

Beijing Electronic Science and Technology Institute (北京电子科技学院)

BESTI is a secretive university that trains information security experts for the bureaucracy. The institute is the only university run by the CCP General Office, which manages administrative matters for the Central Committee. The General Office is usually run by one of the general secretary’s most trusted aides. It oversees China’s cryptographic and state secrets agency as well as security for the party’s leadership.BESTI has a student population of around 2,000 and has strict admission requirements. Students at the university are scrutinized for their political beliefs, and are typically CCP or Communist Youth League members. The activities of their relatives are screened for political issues. Having no parents or siblings who worked abroad or were involved in ‘illegal organisations’ is a condition of enrolment. The institute claims to count 50 ministerial-level party officials among its 12,000 graduates.BESTI has a close relationship with Xidian University and Beijing University of Posts and Telecommunications. The two universities are its primary collaborators on scientific papers. BESTI runs joint master’s programs with Xidian University in cryptography, information and communication engineering, and computer applications technology. It also has joint doctoral programs with the University of Science and Technology of China and Beijing University of Posts and Telecommunications in cybersecurity.The university runs the Key Laboratory of Information Security (信息安全重点实验室/信息安全与保密重点实验室). Several websites claim that it runs a joint laboratory with the Chinese Academy of Sciences Institute of High Energy Physics, but this could not be confirmed.

The tag is: misp-galaxy:china-defence-universities="Beijing Electronic Science and Technology Institute (北京电子科技学院)"

Table 735. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-electronic-science-and-technology-institute

Beijing Institute of Technology (北京理工大学)

BIT is one of the ‘Seven Sons of National Defence’ supervised by MIIT. It is a leading centre of military research and one of only fourteen institutions accredited to award doctorates in weapons science. In 2017, China’s Ministry of Education ranked BIT and Nanjing University of Science and Technology as the country’s top institutions for weapons science. It has received the most defence research prizes and defence patents out of all China’s universities. 31.80% of BIT graduates in 2018 who found employment were working in the defence sector.BIT’s claimed achievements include producing the PRC’s first light tank, first two-stage solid sounding rocket and first low-altitude altimetry radar. The university also states that it carries out world-class research on several areas of missile technology including “precision strikes, high damage efficiency, maneuver penetration, long-range suppression, and military communications systems and counter-measures”. In 2018, BIT announced that it was running a four-year experimental program training some of China’s top high school students in intelligent weapons systems.BIT is the chair of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in weapons science—the ‘B’ in ‘B8’ stands for Chinese work for armaments, bingqi (兵器).BIT’s central role in advancing PLA warfighting capability is demonstrated by the fact that it participated in the development of equipment used by 22 of the 30 squads in the 2009 military parade for the 60th anniversary of the founding of the PRC.

The tag is: misp-galaxy:china-defence-universities="Beijing Institute of Technology (北京理工大学)"

Table 736. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-institute-of-technology

Beijing University of Chemical Technology (北京化工大学)

BUCT is subordinate to the Ministry of Education. The university engages in high levels of defence research. In 2016, the Ministry of Education and defence industry agency SASTIND agreed to jointly construct BUCT, a move designed to expand its involvement in defence research.Between 2011 and 2015, the university’s spending on defence research reached RMB272 million (AUD56 million), approximately 15% of the university’s research spending and an increase of around 50% over the previous five years.BUCT specialises in the development and application of critical materials for the defence industry. Its research on carbon fibres has been applied to the aerospace industry.BUCT holds secret-level security credentials, allowing it to participate in classified defence and weapons technology projects.

The tag is: misp-galaxy:china-defence-universities="Beijing University of Chemical Technology (北京化工大学)"

Table 737. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-university-of-chemical-technology

Beijing University of Posts and Telecommunications (北京邮电大学)

BUPT is subordinate to the Ministry of Education in addition to being jointly constructed by the Ministry of Industry and Information Technology. BUPT is one of eight Chinese universities known to have received top-secret security credentials. Since its establishment, the university has focused on information engineering and computer science, and has continued to produce important defence and security technology research.The School of Cyberspace Security is home to one of the university’s two defence laboratories—the Key Laboratory of Network and Information Attack & Defense Technology of Ministry of Education—which carries out research for the Chinese military related to cyber attacks.BUPT is a member of several military-civilian fusion (MCF) alliances and has been awarded for its contributions to MCF and the PLA. During the past three years, major employers of BUPT graduates include the Ministry of State Security, the Ministry of Public Security and MIIT. This suggests a close relationship between BUPT and China’s security and intelligence agencies.

The tag is: misp-galaxy:china-defence-universities="Beijing University of Posts and Telecommunications (北京邮电大学)"

Table 738. Table References

Links

https://unitracker.aspi.org.au/universities/beijing-university-of-posts-and-telecommunications

Central South University (中南大学)

Out of all universities subordinate to the MOE, CSU reportedly receives the most military research funding and was the first to receive a weapons production license. In 2008 and 2011 respectively, the defence industry agency SASTIND and the Ministry of Education (MOE) signed agreements to jointly supervise CSU. Under this arrangement, SASTIND committed to expanding CSU’s involvement in defence research and support the development of its School of Aeronautics and Astronautics and Military Industry Technology Research Institute.CSU’s defence research appears to focus on metallurgy, materials science, and aviation technology, including the development of heat-resistant materials for aeroplane and rocket engines. The university has been involved in the development of China’s first atomic bomb, first intermediate-range ballistic missile, and first nuclear submarine. In 2018, it signed a strategic cooperation agreement with the Chinese Academy of Launch Vehicle Technology, a subsidiary of China Aerospace Science and Technology Corporation that is included on the US BIS Entity List for its involvement in developing rockets.

The tag is: misp-galaxy:china-defence-universities="Central South University (中南大学)"

Table 739. Table References

Links

https://unitracker.aspi.org.au/universities/central-south-university

Changchun University of Science and Technology (长春理工大学)

CUST is primarily supervised by the Jilin Provincial Government but has also been under the administration of SASTIND and its predecessors for over 30 years over its history. The university specialises in photoelectric technology and has a strong focus on defence research. CUST describes itself as having ‘safeguarding national defence as its sublime responsibility and sacred mission.’CUST is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armaments science—the ‘B’ in ‘B8’ stands for Chinese work for armaments, bingqi (兵器). In April 2018, CUST established the School of Artificial Intelligence (人工智能学院) and the Artificial Intelligence Research Institute (人工智能研究院 ). CUST researchers working on AI are likely involved in research related to facial recognition technology.

The tag is: misp-galaxy:china-defence-universities="Changchun University of Science and Technology (长春理工大学)"

Table 740. Table References

Links

https://unitracker.aspi.org.au/universities/changchun-university-of-science-and-technology

China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)

CARDC claims to be China’s largest aerodynamics research and testing base. It hosts the State Key Laboratory of Aerodynamics (空气动力学国家重点实验室), which includes five wind tunnels and a large computer cluster. CARDC is heavily involved in research on hypersonics.While CARDC is a military unit, its website does not mention this. The PLA officers leading the facility are instead pictured on its website in civilian clothes(pictured: CARDC director, Major General Fan Zhaolin (范召林) in uniform (above) and in civilian attire on CARDC’s website (below).

The tag is: misp-galaxy:china-defence-universities="China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)"

Table 741. Table References

Links

https://unitracker.aspi.org.au/universities/china-aerodynamics-research-and-development-center

China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)

CASIC specialises in defence equipment and aerospace products, particularly short- and medium-range missiles. CASIC is a leading provider to the Chinese military of high-end capabilities such as air-defence, cruise, and ballistic missile systems along with space launch vehicles, micro-satellites and anti-satellite interceptors, according to Mark Stokes and Dean Cheng. CASIC employs over 146,000 employees and is on the Fortune 500 list with revenue exceeding USD37 billion (AUD55 billion).Although defence products form part of CASIC’s main product line, the company also produces products for civilian customers such as electronics, communications equipment and medical equipment. Nevertheless, CASIC claims that it ‘will always uphold its core value of ranking national interests above all’, which indicates that civilian products receive less priority than defence equipment.

The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)"

Table 742. Table References

Links

https://unitracker.aspi.org.au/universities/china-aerospace-science-and-industry-corporation

China Aerospace Science and Technology Corporation (中国航天科技集团)

CASC was established in 1999 as a defence aerospace conglomerate. The company is primarily focused on ‘developing carrier rockets, various kinds of satellites, … and tactical missile systems.’ With revenues nearing USD38 billion (AUD55 billion), CASC employs nearly 180,000 personnel and is on the Fortune 500 list.PLA experts Mark Stokes and Dean Cheng have noted that CASC’s main products for the PLA include ‘ballistic missiles and space launch vehicles, large solid rocket motors, liquid fuelled engines, satellites, and related sub-assemblies and components.’ The Federation of American Scientists claims CASC is particularly advanced in high-energy propellant technology, satellite applications, strap-on boosters and system integration.CASC maintains an investment business which may be geared towards civilian purposes, according to Bloomberg. The Federation of American Scientists notes that some civilian product lines for CASC include ‘machinery, chemicals, communications equipment, transportation equipment, computers, medical care products and environmental protection equipment.’CASC oversees multiple research academies, which have been separately identified by Mark Stokes and Dean Cheng and by the Nuclear Threat Initiative.The Nuclear Threat Initiative has identified that CASC has the following subordinate companies:

The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Technology Corporation (中国航天科技集团)"

Table 743. Table References

Links

https://unitracker.aspi.org.au/universities/china-aerospace-science-and-technology-corporation

China Coast Guard Academy (中国人民武装警察部队海警学院)

The China Coast Guard Academy is an institution of higher learning that trains personnel for entry into China’s maritime border defence agency. The academy teaches conducts research and training in maritime law enforcement, warship technology as well as surveillance and intelligence disciplines.The China Coast Guard Academy established the Large Surface Vessel Operation and Simulation Laboratory (大型船艇操纵仿真实验室) in 2016, which focuses on the development of white-hulled boats for the China Coast Guard.

The tag is: misp-galaxy:china-defence-universities="China Coast Guard Academy (中国人民武装警察部队海警学院)"

Table 744. Table References

Links

https://unitracker.aspi.org.au/universities/china-coast-guard-academy

China Electronics Corporation (中国电子信息产业集团有限公司)

CEC is a state-owned conglomerate that produces dual-use electronics. The company was established in 1989 to produce semi-conductors, electronic components, software and telecommunications products. The company describes itself as a defence industry conglomerate.CEC is one of China’s largest companies with nearly 120 thousand employees. CEC claims to hold 22 subordinate enterprises and 14 listed companies. Global Security has provided a list of CEC’s 36 member companies in English.CEC is divided into two operational groups. First is the China Electronics Party Institute (中国电子党校), which provides disciplinary oversight and organises communist party activities within CEC. Second is the Science and Technology Committee (科学技术委员会), which is responsible for research and development within CEC.CEC’s defence electronics are developed by the Military Engineering Department (军工部) within CEC’s Science and Technology Committee. Key defence electronics produced by CEC include tracking stations, radar technology, as well as command and control systems. The company maintains its own office for the management of classified information related to defence research. The Federation of American Scientists has identified CEC’s defence-related enterprises on a list that can be found here.

The tag is: misp-galaxy:china-defence-universities="China Electronics Corporation (中国电子信息产业集团有限公司)"

Table 745. Table References

Links

https://unitracker.aspi.org.au/universities/china-electronics-corporation

China Electronics Technology Group Corporation (中国电子科技集团公司)

CETC is a state-owned defence conglomerate that specialises in dual-use electronics. The company was established in 2002 by bringing dozens of research institutes administered by the Ministry of Information Industry, the predecessor to the Ministry of Industry and Information Technology, under one umbrella.CETC is one of the world’s largest defence companies. It claims to have 523 subordinate units and companies and 160,000 employees.CETC divides its defence electronics products into seven categories: air base early warning, integrated electronic information systems, radar, communication and navigation, electronic warfare, UAVs and integrated IFF (identification, friend or foe). CETC also provides technology used for human rights abuses in Xinjiang, where approximately 1.5m are held in re-education camps.Several CETC research institutes and subsidiaries have been added to the US Government’s entity list, restricting exports to them on national security grounds. CETC has been implicated by the US Department of Justice in at least three cases of illegal exports.CETC has a large international market and has also expanded its international research collaboration in recent years. It has a European headquarters in Graz, Austria, and has invested in the University of Technology Sydney.

The tag is: misp-galaxy:china-defence-universities="China Electronics Technology Group Corporation (中国电子科技集团公司)"

Table 746. Table References

Links

https://unitracker.aspi.org.au/universities/china-electronics-technology-group-corporation

China National Nuclear Corporation (中国核工业集团有限公司)

CNCC is the leading state-owned enterprise for China’s civilian and military nuclear programs. It consists of more than 200 subordinate enterprises and research institutes, many of which are listed on the Nuclear Threat Initiative website. In 2018, CNNC took over China’s main nuclear construction company, China Nuclear Engineering and Construction Group (中国核工业建设集团).The company is organized into eight industrial sectors, including nuclear power, nuclear power generation, nuclear fuel, natural uranium, nuclear environmental protection, application of nuclear technologies, non-nuclear civilian products and new energy sources. CNNC is mainly engaged in research and development, design, construction and production operations in the fields of nuclear power, nuclear fuel cycle, nuclear technology application, and nuclear environmental protection engineering.Because of the dual-use nature of nuclear technologies, the nuclear industry is a typical military-civil fusion industry. Naval nuclear power technology and nuclear reactor technology in the reactor core, fuel assembly, safety and security, and radioactive waste treatment all use the same or very similar processes. In March 2019, CNNC established an military-civil fusion fund dedicated to dual-use nuclear technology research and design.Two CNNC subsidiaries have been added to the US Government’s Entity List, restricting exports to them on national security grounds.CNNC has cooperated with U.S. Westinghouse Electric to construct AP1000 nuclear power plants. The company also has a significant overseas presence, signing agreements for joint research with U.S., French, Canadian, U.K., Russian and Argentinian companies.

The tag is: misp-galaxy:china-defence-universities="China National Nuclear Corporation (中国核工业集团有限公司)"

Table 747. Table References

Links

https://unitracker.aspi.org.au/universities/china-national-nuclear-corporation

China North Industries Group (中国兵器工业集团公司)

Norinco Group was established in 1999 as a state-owned defence conglomerate devoted to the development and production of armaments for Chinese and foreign defence customers. Its main defence products include artillery and tear gas, air defence and anti-missile systems, anti-tank missiles and precision-guided munitions as well as armoured vehicles such as main battle tanks and infantry combat vehicles. Bloomberg reports that Norinco Group’s civilian products include various engineering services and heavy-duty construction equipment. Norinco Group employs over 210,000 personnel, has revenues exceeding US$68.8 billion and is listed on the Fortune 500.Norinco Group has hundreds of subsidiaries and subordinate research institutes in China and around the world that have been catalogued by the International Peace Information Service and Omega Research Foundation in their working paper on the company and on Norinco Group’s website.Norinco Group’s Institute of Computer Application Technology (中国兵器工业计算机应用技术研究所) was one of the first adopters of internet technology and remains a leading company for research into network security. The institute hosts four internet research centres and is reported to work with the National Administration for State Secrets Protection (国家保密局) on the Information Security and Testing and Evaluation Centre (涉密信息系统安全保密测评中心).

The tag is: misp-galaxy:china-defence-universities="China North Industries Group (中国兵器工业集团公司)"

Table 748. Table References

Links

https://unitracker.aspi.org.au/universities/china-north-industries-group

China People’s Police University (中国人民警察大学)

The China People’s Police University is an institution of higher learning devoted to training active duty police officers and firefighters in command and management as well as specialist technical officers. The curriculum is separated into two main streams, one for police officers and the other for firefighters. Its police disciplines include immigrant management, entry-exit and border control management, security intelligence, cyber-security, and political work. Its firefighting disciplines include firefighting engineering, electronic information engineering, and nuclear and biochemical fire control.Research facilities at the university include:

The tag is: misp-galaxy:china-defence-universities="China People’s Police University (中国人民警察大学)"

Table 749. Table References

Links

https://unitracker.aspi.org.au/universities/china-peoples-police-university

China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)

CSIC was established as one of China’s primary state-owned defence companies on 1 July 1999. CSIC is the PLA Navy’s largest supplier of weapons platforms, accounting for nearly 80 per cent of all armaments. CSIC’s signature products include conventional and nuclear submarines, warships and torpedoes, as well as the Liaoning aircraft carrier program.CSIC maintains a civilian shipbuilding program alongside its program of supplying the PLA Navy. CSIC’s civilian work includes the production of oil and chemical tankers, container ships, bulk carriers and engineering ships.On 2 July 2019, it was announced that CSIC and the China State Shipbuilding Corporation would merge. According to Janes Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’ Nikkei has listed some of CSIC’s main subsidiaries here.

The tag is: misp-galaxy:china-defence-universities="China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)"

Table 750. Table References

Links

https://unitracker.aspi.org.au/universities/china-shipbuilding-industry-corporation

China South Industries Group (中国兵器装备集团有限公司)

CSGC is a leading producer of armaments for the People’s Liberation Army. It was founded in 1999 and works on technologies such as advanced munitions, mobile assault weapons, lights armaments, information optoelectronics and counter-terrorism equipment. CSGC also maintains civilian product lines focused on the oil and energy sector, but most of the company’s attention goes to developing armaments. The company employs nearly 200,000 personnel, its revenue approaches USD34 billion (AUD50 billion) and it is listed as a Fortune 500 company.CSGC holds a controlling share in more than 60 subsidiaries. 32 of these are listed on the company’s website.

The tag is: misp-galaxy:china-defence-universities="China South Industries Group (中国兵器装备集团有限公司)"

Table 751. Table References

Links

https://unitracker.aspi.org.au/universities/china-south-industries-group

China State Shipbuilding Corporation (中国船舶工业集团有限公司)

CSCC was established as one China’s primary state-owned weapons companies on 1 July 1999 to build ships for military and civilian customers. CSSC markets itself as as the ‘backbone’ of the Chinese navy and its core products include a variety of warships and support vessels. Alongside its program supporting the PLA Navy, Bloomberg notes that CSSC ‘produces oil tankers, bulk carriers, conditioner vessels, deepwater survey ships, and marine equipment.’On 2 July 2019, it was announced that the China Shipbuilding Industry Corporation and the CSSC would merge. According to Jane’s Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion (AUD178 billion) and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’

The tag is: misp-galaxy:china-defence-universities="China State Shipbuilding Corporation (中国船舶工业集团有限公司)"

Table 752. Table References

Links

https://unitracker.aspi.org.au/universities/china-state-shipbuilding-corporation

China University of Geosciences (Wuhan) (中国地质大学)

CUG is subordinate to the Ministry of Education and also supervised by China’s Ministry of Land and Resources. It is actively engaged in defence research and training on geology, hosting the defence-focused Ministry of Education Key Laboratory on Geological Exploration and Evaluation. The laboratory was established in 2018, has 56 staff, and trains students in ‘military geology’.CUG gained secret-level security credentials in 2009, enabling it to participate in classified defence projects.

The tag is: misp-galaxy:china-defence-universities="China University of Geosciences (Wuhan) (中国地质大学)"

Table 753. Table References

Links

https://unitracker.aspi.org.au/universities/china-university-of-geosciences-wuhan

China University of Mining and Technology (中国矿业大学)

CUMT is subordinate to the Ministry of Education and specialises in engineering and other mining and industry-related disciplines. It engages in low levels of defence research.CUMT’s defence research revolves around manufacturing and design, materials science, control science, electronic components, power and energy, and bionics. It appears to be involved in the construction and design of underground bunkers for the military. The academic committee of its State Key Laboratory for Geomechanics and Deep Underground Engineering (深部岩石力学与地下工程国家红点实验室) is headed by PLA underground engineering expert Qian Qihu (钱七虎).

The tag is: misp-galaxy:china-defence-universities="China University of Mining and Technology (中国矿业大学)"

Table 754. Table References

Links

https://unitracker.aspi.org.au/universities/china-university-of-mining-and-technology

Chinese Academy of Engineering Physics (中国工程物理研究院)

CAEP was founded in 1958 and now has over 24,000 employees. It is headquartered in Mianyang, Sichuan Province, but also has facilities in Chengdu and Beijing. Notably, Mianyang is home to a military-civil fusion (MCF) demonstration base—the Sichuan Mianyang High-Technology City. Sichuan Military District Commander Jiang Yongshen (姜永申) in 2016 stressed the important role that Mianyang plays in China’s larger science and technology development and the significance of its military-civil fusion (MCF) demonstration base.The academy is best known for nuclear weapons, but also carries out research on directed-energy weapons. CAEP’s four main tasks are to develop nuclear weapons, research microwaves and lasers for nuclear fusion ignition and directed-energy weapons, study technologies related to conventional weapons, and deepen military-civil fusion. It claims that its research covers 260 specialising, primarily in the broad areas of physics and mathematics, mechanics and engineering, materials and chemistry, electronics and information, and optics and electrical engineering.CAEP hosts part of the Tianhe-2 supercomputer, one of the worlds fastest supercomputers.Despite the sensitivity of its work, CAEP has expanded its international presence in recent years. It claims to send hundreds of scientists overseas to study or work as visiting scholars. CAEP has also used Chinese government talent recruitment schemes such as the Thousand Talents Plan to recruit dozens of scientists from abroad. By 2015, CAEP had recruited 57 scholars through the Thousand Talents Plan, making it one of the largest recruiters of Thousand Talents Plan scholars.CAEP maintains strong collaborative relationships with Chinese civilian universities. It runs a joint laboratory with the University of Electronic Science and Technology of China and collaborates with universities and research institutions including the Chinese Academy of Sciences, the University of Science and Technology of China, Shandong University, Southwest University of Science and Technology, Sichuan University, Jilin University, Peking University and Tsinghua University. CAEP sponsors postgraduate students in many of these institutions who are required to work there for five years after graduating.

The tag is: misp-galaxy:china-defence-universities="Chinese Academy of Engineering Physics (中国工程物理研究院)"

Table 755. Table References

Links

https://unitracker.aspi.org.au/universities/chinese-academy-of-engineering-physics

Chongqing University (重庆大学)

CQU is a leading Chinese research institution subordinate to the Ministry of Education. Chongqing University is home to at least two laboratories devoted to defence research on nanotechnology and control systems. An institution accredited to conduct classified research, Chongqing University is active in improving its security culture with respect to the safeguarding of official secrets.In December 2016, the Ministry of Education entered an agreement with defence industry agency SASTIND to advance military-civil fusion at Chongqing University. Following this agreement, Chongqing University established the defence-focused Ministry of Education Key Laboratory for Complex Systems Safety and Autonomous Control, which works on control systems engineering in May 2018.

The tag is: misp-galaxy:china-defence-universities="Chongqing University (重庆大学)"

Table 756. Table References

Links

https://unitracker.aspi.org.au/universities/chongqing-university

Chongqing University of Posts and Telecommunications (重庆邮电大学)

CQUPT is involved in research on wireless network engineering and testing, next-generation wideband wireless communication, computer networking and information security, intelligent information processing, advanced manufacturing, micro-electronics and specialized chip design. It ranks among the top 100 universities in China for science and technology.The university is supervised by the Ministry of Industry and Information Technology and the Chongqing Municipal Government. It holds secret-level security credentials, allowing it to participate in classified defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Chongqing University of Posts and Telecommunications (重庆邮电大学)"

Table 757. Table References

Links

https://unitracker.aspi.org.au/universities/chongqing-university-of-posts-and-telecommunications

Chongqing University of Technology (重庆理工大学)

CQUT is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). However its involvement in defence research does not appear as expansive as the other B8 members and it is a relatively low-ranked university. In 2017, its president stated that ‘Chongqing is an important site for the weapons industry, but its military-industrial research and development ability has not yet upgraded.’ Unlike the other members of the B8, SASTIND does not appear to supervise the university.The university has links to Norinco Group and China South Industries Group, China’s largest weapons manufacturers, and was under the supervision of the conglomerates’ predecessor, China Ordnance Industry Corporation, until 1999. In 2017 and 2018, it signed a partnerships with four local defence companies to collaborate on research and training.In 2011, CQUT received secret-level security credentials, enabling it to participate in classified defence projects.

The tag is: misp-galaxy:china-defence-universities="Chongqing University of Technology (重庆理工大学)"

Table 758. Table References

Links

https://unitracker.aspi.org.au/universities/chongqing-university-of-technology

Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)

COMAC was established in 2008 as a state-owned manufacturer of large commercial aircraft. The company oversees eleven subsidiaries that focus on various aspects of aircraft production. A list of COMAC’s subordinate companies can be found in English on the company’s website.Despite its focus on commercial aircraft, China’s Ministry of Industry and Information Technology has referred to it as a defence industry conglomerate. The company maintains strong links to China’s defence industry and some of its leadership is drawn from former executives at state-owned military aircraft and missile manufacturers. China’s leading producer of military aircraft, the Aviation Industry Corporation of China (AVIC), also holds a 10 per cent share in COMAC. COMAC supports the continued development of China’s defence industry by awarding ‘national defence technology scholarships’ to Chinese university students.COMAC’s signature passenger aircraft, the C919, offers an example of how the company could use its civilian aircraft production for military purposes. Numerous Chinese analysts have studied Boeing’s conversion of the 737 into the P-8 Poseidon and E-7A surveillance aircraft and argue that the C919 could also be retrofitted for early warning as well as anti-surface and anti-submarine warfare missions. With a greater flight range than China’s other military aircraft, a retrofitted C919 for maritime surveillance operations could reduce China’s dependence on artificial air bases in the South China Sea which currently render aircraft vulnerable to corrosion due to harsh weather conditions. Vice-Chairman of the Central Military Commission, Zhang Youxia, reportedly expressed an interest in learning from American companies in converting civilian aircraft into military aircraft while inspecting COMAC’s C919.

The tag is: misp-galaxy:china-defence-universities="Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)"

Table 759. Table References

Links

https://unitracker.aspi.org.au/universities/commercial-aircraft-corporation-of-china

Criminal Investigation Police University of China (中国刑事警察学院)

CIPUS was founded in May 1948 and underwent several name changes, but was upgraded in 1981 to become the first police university offering a specialised undergraduate degree program. It runs a national engineering laboratory, two MPS key laboratories, and provincial key laboratories. It is focused on training in criminal investigation, criminology science and technology and criminal law.The university also has relationships with companies that provide the technological tools that contribute to the PRC’s public security apparatus. For instance, it has a relationship with the company Haiyun Data on public security intelligence. Haiyun provides data visualization services for MPS bureaus across China.

The tag is: misp-galaxy:china-defence-universities="Criminal Investigation Police University of China (中国刑事警察学院)"

Table 760. Table References

Links

https://unitracker.aspi.org.au/universities/criminal-investigation-police-university-of-china

Dalian Minzu University (大连民族大学)

DLMU was established in 1984 as an institution that researches China’s ethnic minorities. The university is overseen by the State Ethnic Affairs Commission (SEAC), the Liaoning Provincial Government and the Dalian Municipal Government.Scientific disciplines taught by DLMU include communications and information engineering, machine engineering, civil engineering and environmental science. DLMU also researches political thought and minority groups of northeast China.DLMU currently hosts the Dalian Key Lab of Digital Technology for National Culture (大连市民族文化数字技术重点实验室). Researchers at laboratory carry out research on facial recognition of ethnic minorities. The laboratory has collaborated with an academic from Curtin University on research related to the facial recognition of Tibetans, Koreans and Uyghurs—over one million of whom have disappeared into re-education camps. DLMU researchers are working on a database of facial and optical movements across different ethnic groups.DLMU also hosts the State Ethnic Affairs Commission Key Laboratory of Intelligent Perception and Advanced Control (国家民委智能感知与先进控制重点实验室), housed within the university’s College of Electromechanical Engineering (机电工程学院). The laboratory has done work on convolutional neural networks for visual image recognition, which could have applications for surveillance technology.DLMU’s party committee has an active United Front Work Department. The department supervises non-CCP members and students returning from overseas study. Management of religious and ethnic minorities are likely to be other priorities for the department.

The tag is: misp-galaxy:china-defence-universities="Dalian Minzu University (大连民族大学)"

Table 761. Table References

Links

https://unitracker.aspi.org.au/universities/dalian-minzu-university

Dalian Naval Academy (中国人民解放军海军大连舰艇学院)

The Dalian Naval Academy is one of the main training colleges for junior officers and cadets in the PLA Navy. The academy focuses on maritime navigation technology, communications engineering, electronic information engineering, weapons systems engineering, surveying and control science.Scientists from the Dalian Naval Academy produce publications on a variety of defence topics, including:

The tag is: misp-galaxy:china-defence-universities="Dalian Naval Academy (中国人民解放军海军大连舰艇学院)"

Table 762. Table References

Links

https://unitracker.aspi.org.au/universities/dalian-naval-academy

Dalian University of Technology (大连理工大学)

DLUT is directly under the administration of the Ministry of Education. In 2018, it came under the supervision of defence industry agency SASTIND as part of the government’s efforts to deepen military-civil fusion in the university sector. In 2006, the university received secret-level security credentials, allowing it to participate in classified defence technology projects. Since then, it has expanded cooperation with the PLA Navy and joined several military-civil fusion innovation alliances.In 2015, the university established a defence laboratory in the School of Mechanical Engineering. The laboratory was proposed by a professor within the University’s Institute of Science and Technology. The Institute of Science and Technology is primarily responsible for high-tech project management, where they manage projects for the 973 Program, the National Natural Science Foundation, and the Ministry of Education.

The tag is: misp-galaxy:china-defence-universities="Dalian University of Technology (大连理工大学)"

Table 763. Table References

Links

https://unitracker.aspi.org.au/universities/dalian-university-of-technology

Donghua University (东华大学)

DHU is subordinate to the Ministry of Education. It is actively involved in defence research on materials. It hosts the Key Laboratory of High Performance Fibers & Products, a defence-focused laboratory involved in materials science and textiles engineering research for China’s defence industry and weapons systems. The laboratory is specifically involved in developing materials for weapons casings, vehicular armour, aviation and cabling. The university holds secret-level security credentials, allowing it to participate in classified defence research projects.DHU claims that much of its research has been applied to fields such as defence technology and aviation, and contributed towards China’s space program and Beidou satellite navigation system. In 2018, the university signed a strategic cooperation agreement with the state-owned Jihua Group (际华集团) for collaboration on textiles to meet the military’s needs.

The tag is: misp-galaxy:china-defence-universities="Donghua University (东华大学)"

Table 764. Table References

Links

https://unitracker.aspi.org.au/universities/donghua-university

East China University of Technology (东华理工大学)

ECUT was founded in 1956 as the first institution of higher education for China’s nuclear industry. Since 2001, it has been subject to four ‘joint construction’ agreements between the Jiangxi Provincial Government and defence industry agency SASTIND or its predecessor COSTIND. These agreements are designed to develop the university’s involvement in defense-related research and training. The Ministry of Natural Resources and defence conglomerate China National Nuclear Corporation are also involved in supervising and supporting ECUT.ECUT carries out defence research related to nuclear science and hosts a defence laboratory on radioactive geology. It holds secret-level security credentials, allowing it to participate in classified defence technology projects. In 2006, the East China University of Technology National Defence Technology Institute (东华理工大学国防科技学院) was established.

The tag is: misp-galaxy:china-defence-universities="East China University of Technology (东华理工大学)"

Table 765. Table References

Links

https://unitracker.aspi.org.au/universities/east-china-university-of-technology

Engineering University of the CAPF (中国人民武装警察部队工程大学)

The Engineering University of the CAPF is an institution devoted to training personnel in China’s paramilitary service, the People’s Armed Police, in command and engineering disciplines. The university focuses on paramilitary information engineering, paramilitary equipment technology, non-lethal weapons, military communications and mathematical cryptography. Students of the university can select majors from disciplines such as communications engineering, information security, military big data engineering, management science and engineering, and mechanical engineering.The Engineering University of the CAPF hosts the Key Military Laboratory for Non-Lethal Weapons (非致命武器等全军重点实验室), the Big Data and Cloud Computing Laboratory (大数据与云计算实验室), and the Command Automation Training Centre (指挥自动化培训中心), indicating expertise in these areas.The Engineering University of the CAPF has collaborated significantly with a Beijing-based company called SimpleEdu (北京西普阳光教育科技股份有限公司), focusing primarily on social media and internet research. Below is a list of initiatives with which the Engineering University of the CAPF has collaborated:

The tag is: misp-galaxy:china-defence-universities="Engineering University of the CAPF (中国人民武装警察部队工程大学)"

Table 766. Table References

Links

https://unitracker.aspi.org.au/universities/engineering-university-of-the-capf

Fudan University (复旦大学)

Fudan University is among China’s best universities. It was ranked 104th in the world by Times Higher Education in 2019. The university appears to engage high levels of work for the military on materials science, including stealth technology.All defence-related projects and matters in Fudan are managed by the university’s Institute of Special Materials and Technology (专用材料与装备技术研究院) and Defence Industry Secrets Committee (复旦大学军工保密委员会). The Institute of Special Materials and Technology specialises in defence research and works on simulations, precision manufacturing, and materials. Professor Ye Mingxin, the institute’s director, is also an advisor to the PLA and defence companies on materials science. Fudan University’s Materials Science Department includes one professor who is described as specifically being a ‘defence system professor’, which may refer to Professor Ye. In 2011, Fudan established a State Secrets Academy (国家保密学院),  in partnership with China’s National Administration of State Secrets Protection (国家保密局). The institute carries out research and training on the protection of state secrets.

The tag is: misp-galaxy:china-defence-universities="Fudan University (复旦大学)"

Table 767. Table References

Links

https://unitracker.aspi.org.au/universities/fudan-university

Fuzhou University (福州大学)

Fuzhou University is overseen by the Fujian Provincial Government and a focus on engineering disciplines. It does not appear to engage in significant levels of defence research. However, the Fuzhou University Military-Civil Fusion Innovation Research Institute (福州大学军民融合创新研究院) was jointly established in 2016 by Fuzhou University along with a number defence companies and military research institutions under the guidance of Fujian Provincial Government’s National Defence Industry Office (省国防科工办). Furthermore, the Fujian Provincial People’s Government and SASTIND entered an agreement to jointly develop the university as part of China’s military-civil fusion initiative in 2018. This indicates that the university will expand its involvement in defence research. The university has held second-class weapons R&D secrecy credentials since 2006.

The tag is: misp-galaxy:china-defence-universities="Fuzhou University (福州大学)"

Table 768. Table References

Links

https://unitracker.aspi.org.au/universities/fuzhou-university

Guilin University of Electronic Science and Technology (桂林电子科技大学)

GUET specialises in electronics, communications and computer science. It engages in growing levels of defence research, indicated by the decision to place it under the joint administration of the defence industry agency SASTIND and the Guangxi Provincial Government in 2018.The PLA describes GUET as ‘Guangxi Province’s only university to have long carried out defence research.’ Areas of defence research at the university include communications technology, materials science, signals processing, microwaves, satellite navigation, and command and control. Since 2007, the university has held secret-level security credentials, enabling it to participate in classified weapons and defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Guilin University of Electronic Science and Technology (桂林电子科技大学)"

Table 769. Table References

Links

https://unitracker.aspi.org.au/universities/guilin-university-of-electronic-science-and-technology

Hangzhou Dianzi University (杭州电子科技大学)

HDU specialises in information technology and has been jointly supervised by the Zhejiang Provincial Government and defence industry agency SASTIND since 2007. The university is Zhejiang Province’s only provincial-level higher education institution to have officially designated national defence disciplines.HDU’s leadership is closely integrated with its defence research. Since its creation in 2008, the university’s main defence laboratory has been run by Xue Anke, who was the university’s president until 2017. While president, Xue served on an expert advisory committee to the PLA on information technology. He is also a member of the Zhejiang Provincial Expert Committee on Artificial Intelligence Development.Key areas of defence research at HDU include electronics, artificial intelligence, military-use software, and communications and information systems. HDU has been expanding its research on artificial intelligence, establishing a school of artificial intelligence and an artificial intelligence research institute in 2018.HDU holds secret-level security credentials, allowing it to undertake classified weapons and defence technology projects. In 2011, the Zhejiang State Secrets Bureau established a State Secrets Academy in HDU. The academy, one of twelve in the country, trains personnel in managing and protecting confidential information.

The tag is: misp-galaxy:china-defence-universities="Hangzhou Dianzi University (杭州电子科技大学)"

Table 770. Table References

Links

https://unitracker.aspi.org.au/universities/hangzhou-dianzi-university

Hangzhou Normal University (杭州师范大学)

Hangzhou Normal University is a Chinese university subordinate to the Zhejiang Provincial Government. The university was initially established in 1978 as Hangzhou Normal College (杭州师范学院) to focus on teacher training, art education as well as research in the humanities and natural sciences. Hangzhou Normal University retains this broad academic focus and oversees faculties such as the Alibaba Business School (阿里巴巴商学院).Hangzhou Normal University collaborates with China’s MPS on the development of surveillance technology. In March 2019, the university entered into an agreement with the Zhejiang Police College, the Zhejiang Public Security Office, and Hikvision—China’s leading producer of video surveillance technology—to establish a joint laboratory. The joint laboratory reportedly focuses on applying big data analysis, cloud computing and internet of things technology to improve China’s policing capability.

The tag is: misp-galaxy:china-defence-universities="Hangzhou Normal University (杭州师范大学)"

Table 771. Table References

Links

https://unitracker.aspi.org.au/universities/hangzhou-normal-university

Harbin Engineering University (哈尔滨工程大学)

HEU is one of China’s top defence research universities. The university is a leading centre of research and training on shipbuilding, naval armaments, maritime technology and nuclear power. 36.46% of the university’s 2017 graduates who found employment were working in the defence sector.As one of the group of universities subordinate to the Ministry of Industry and Information Technology (MIIT) known as the ‘Seven Sons of National Defence’ (国防七子), HEU is an integral part of China’s defence industry. HEU’s achievements include producing China’s first experimental submarine, ship-based computer, and hovercraft. The university claims to have participated in most of the PLA Navy’s submarine, undersea weapon, and warship projects.HIT’s role in the defence industry is highlighted by its formal affiliation with the PLA Navy, which became a supervising agency of the university in 2007. Under the supervisory agreement, the PLA Navy committed to developing HEU’s capacity as a platform for research and development in military technology and for training defence personnel. The following year, HEU established a Defence Education Institute to train reserve officers. Since then, the institute has trained at least 1,700 officers. HEU also maintains a joint laboratory with the PLA Navy Coatings Analysis and Detection Center.HEU is an important hub research on nuclear engineering, including on nuclear submarines. In 2018, it signed a co-construction agreement with defence conglomerate China National Nuclear Corporation (CNNC). In 2019, HEU and CNNC established the China Nuclear Industry Safety and Simulation Technology Research Institute. HEU also runs a joint laboratory on energetic materials (such as explosives) with the Chinese Academy of Engineering Physics, China’s nuclear warhead research organisation.

The tag is: misp-galaxy:china-defence-universities="Harbin Engineering University (哈尔滨工程大学)"

Table 772. Table References

Links

https://unitracker.aspi.org.au/universities/harbin-engineering-university

Harbin Institute of Technology (哈尔滨工业大学)

HIT is one of China’s top defence research universities. As one of seven universities run by MIIT, it is known as one of the ‘Seven Sons of National Defence’ (国防七子). The Seven Sons of National Defence all have close relationships with the Chinese military and are core training and research facilities for China’s defence industry. In 2018, HIT spent RMB1.97 billion (AUD400 million)—more than half of its research budget—on defence research. 29.96% of the university’s graduates that year who found employment were working in the defence sector.HIT has been described by Chinese state media as having ‘defence technology innovation and weapons and armaments modernisation as its core’. It excels in satellite technology, robotics, advanced materials and manufacturing technology, and information technology. Other areas of defence research at HIT include nuclear technology, nuclear combustion, nuclear power engineering and electronic propulsion and thruster technology, many of which are officially designated as skill shortage areas for the Chinese defence industry.HIT is best known for its aerospace research and has a close relationship with China Aerospace Science and Technology Corporation (CASC), a state-owned defence company that specialises in long-range ballistic missile and satellite technology. Since 2008, HIT and CASC have operated a joint research centre. Defence conglomerates CASC, CASIC, AVIC and CETC rank among the top employers of HIT graduates. The university is a major source of cyber talent and receives funding for information security research from the MSS, China’s civilian intelligence agency. A report prepared for the US–China Security and Economic Review Commission identified it as one of four universities focused on research with applications in info